QuasarRAT Deploys Advanced DLL Side-Loading Technique

A recent research report by Uptycs has highlighted the evolution of QuasarRAT, an open-source remote administration tool known for its lightweight nature and range of malicious functions. According to an advisory published on Friday by Uptycs security researcher Tejaswini Sandapolla, the C#-based tool, also referred to as CinaRAT or Yggdrasil, has been discovered employing a sophisticated technique called DLL side-loading, which exploits trusted Microsoft files to execute malicious activities. This technique capitalizes on the inherent trust these files command within the Windows environment, making it a significant threat in the cybersecurity landscape. QuasarRAT has reportedly been openly accessible on GitHub, posing a risk to Windows users, system administrators and cybersecurity professionals.

"Such tactics are not new, but seeing them evolve and get adopted by other malware strains shows the adaptability of threat actors," Sandapolla wrote.

The attackers utilize specific trusted Microsoft files to perform this attack. In the initial phase, QuasarRAT employs the authentic "Ctfmon.exe" to load a malicious DLL, discreetly disguising its intentions. This action sets the stage for the attacker to obtain a 'stage 1' payload, acting as a gateway for subsequent malicious activities. The stage 1 payload then plays a dual role by releasing both the legitimate "Calc.exe" file and the malevolent DLL into the system.

The attacker leverages "Calc.exe," which is not just a simple calculator application in this context. When executed, it triggers the malicious DLL, leading to the infiltration of the "QuasarRAT" payload into the computer's memory. Finally, within the computer's memory, the payload employs "process hollowing" to embed itself into a legitimate system process, further concealing its malicious intentions and complicating detection.
To protect against QuasarRAT and its new capabilities, Uptycs highlighted the importance of maintaining up-to-date software and vigilant email practices, as well as implementing advanced security solutions and training individuals to recognize suspicious activities. Collaboration with cybersecurity experts and information sharing within the industry are also emphasized to stay informed about evolving threats.
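The chain described above hinges on trusted, signed Microsoft binaries (Ctfmon.exe, Calc.exe) being copied to a directory the attacker controls and loading a DLL placed next to them. A common detection approach is to review image-load telemetry (Sysmon Event ID 7 style records) for watched binaries that run outside the Windows system directories, load a DLL from outside those directories, or load an unsigned DLL. The script below is an added example written for this page, not code from Uptycs or the QuasarRAT project; the log lines, the DLL name `helper.dll`, and the simplified key=value log format are constructed for the demonstration, and the report does not name the DLL actually used.

```python
"""Added example: flag DLL side-loading candidates in image-load telemetry.

Assumptions (not from the article): events are simplified Sysmon-like
records with Image, ImageLoaded and Signed fields, one per line, fields
separated by '|'. Sample log lines below are constructed.
"""
import ntpath
from dataclasses import dataclass

# Windows system directories where the watched binaries legitimately live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Trusted Microsoft binaries the article reports being abused as hosts.
WATCHED_HOSTS = {"ctfmon.exe", "calc.exe"}


@dataclass
class ImageLoad:
    process_image: str   # full path of the loading process (Sysmon "Image")
    image_loaded: str    # full path of the DLL (Sysmon "ImageLoaded")
    signed: bool         # simplified Sysmon "Signed" field


def parse_events(log_text):
    """Parse constructed 'Key=Value|Key=Value' lines into ImageLoad records."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split("|"))
        events.append(ImageLoad(
            process_image=fields["Image"],
            image_loaded=fields["ImageLoaded"],
            signed=fields["Signed"].strip().lower() == "true",
        ))
    return events


def _dir(path):
    return ntpath.dirname(path).lower()


def _base(path):
    return ntpath.basename(path).lower()


def sideload_findings(events):
    """Return (host, dll_path, reasons) for each suspicious load by a watched host."""
    findings = []
    for ev in events:
        host = _base(ev.process_image)
        if host not in WATCHED_HOSTS:
            continue   # only the binaries this rule watches
        reasons = []
        if _dir(ev.process_image) not in SYSTEM_DIRS:
            reasons.append("trusted binary running outside a system directory")
        if _dir(ev.image_loaded) not in SYSTEM_DIRS:
            reasons.append("DLL loaded from outside a system directory")
        if not ev.signed:
            reasons.append("loaded DLL is unsigned")
        if reasons:
            findings.append((host, ev.image_loaded, reasons))
    return findings


# Constructed sample telemetry: one benign load, two side-load candidates,
# and one load by a process this rule does not watch.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\ctfmon.exe|ImageLoaded=C:\Windows\System32\msctf.dll|Signed=true
Image=C:\Users\Public\Downloads\ctfmon.exe|ImageLoaded=C:\Users\Public\Downloads\helper.dll|Signed=false
Image=C:\ProgramData\Temp\calc.exe|ImageLoaded=C:\ProgramData\Temp\helper.dll|Signed=false
Image=C:\Windows\System32\notepad.exe|ImageLoaded=C:\Users\Public\unrelated.dll|Signed=false
"""


def run_sample():
    return sideload_findings(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for host, dll, reasons in run_sample():
        print(f"{host}: {dll}")
        for r in reasons:
            print(f"  - {r}")
```

The three checks are deliberately independent: a relocated copy of a trusted binary is suspicious even if the DLL it loads is signed, and a DLL loaded from a user-writable directory is worth a look even when the host sits in System32. In production the same logic would consume Sysmon Event ID 7 fields directly and should be tuned against an allowlist of legitimate non-system install locations.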

This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000


