QuasarRAT Deploys Advanced DLL Side-Loading Technique

A recent research report by Uptycs has highlighted the evolution of QuasarRAT, an open-source remote administration tool known for its lightweight nature and range of malicious functions. According to an advisory published on Friday by Uptycs security researcher Tejaswini Sandapolla, the C#-based tool, also referred to as CinaRAT or Yggdrasil, has been discovered employing a technique called DLL side-loading, which abuses trusted Microsoft files to execute malicious activities. The technique capitalizes on the inherent trust these files command within the Windows environment, making it a significant threat. QuasarRAT has reportedly been openly accessible on GitHub, posing a risk to Windows users, system administrators and cybersecurity professionals.

"Such tactics are not new, but seeing them evolve and get adopted by other malware strains shows the adaptability of threat actors," Sandapolla wrote.

The attackers rely on specific trusted Microsoft files to carry out the attack. In the initial phase, QuasarRAT uses the genuine "Ctfmon.exe" to load a malicious DLL, discreetly disguising its intentions. This step lets the attacker obtain a "stage 1" payload, which acts as a gateway for subsequent malicious activity. The stage 1 payload then plays a dual role, dropping both the legitimate "Calc.exe" file and the malicious DLL onto the system. "Calc.exe" is not just a simple calculator application in this context: when executed, it loads the malicious DLL, which places the QuasarRAT payload in the computer's memory. Finally, the in-memory payload uses process hollowing to embed itself into a legitimate system process, further concealing its presence and complicating detection.
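The chain above hinges on genuine Microsoft binaries (Ctfmon.exe, Calc.exe) being run from a directory the attacker controls so that a DLL placed beside them is loaded first. A defender can hunt for that pattern in process-creation and image-load telemetry. The following is an added example, not code from Uptycs or the article: it applies that heuristic to constructed Sysmon-style event records (the field names mirror Sysmon Event ID 1 and 7; the DLL name and paths are invented sample data).

```python
"""Flag DLL side-loading indicators in constructed Sysmon-style events.

Heuristic: genuine ctfmon.exe / calc.exe live under System32 or SysWOW64.
A copy executing from anywhere else, or such a process loading a DLL from
its own (untrusted) directory or an unsigned DLL, matches the chain above.
"""
import ntpath
from typing import Iterable, List, Optional

# Host binaries named in the report; matched case-insensitively (assumption).
ABUSED_HOSTS = {"ctfmon.exe", "calc.exe"}
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def in_trusted_dir(path: str) -> bool:
    """True when the file sits directly in System32 or SysWOW64."""
    return ntpath.dirname(path).lower() in TRUSTED_DIRS


def evaluate(event: dict) -> Optional[str]:
    """Return a finding for one event, or None if it looks benign."""
    image = event["Image"]
    if ntpath.basename(image).lower() not in ABUSED_HOSTS:
        return None
    if event["EventID"] == 1 and not in_trusted_dir(image):
        return f"relocated Microsoft binary: {image}"
    if event["EventID"] == 7:
        dll = event["ImageLoaded"]
        same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
        if same_dir and not in_trusted_dir(dll):
            return f"side-loaded DLL {dll} into {image}"
        if event.get("Signed") != "true":
            return f"unsigned DLL {dll} loaded by {image}"
    return None


def scan(events: Iterable[dict]) -> List[str]:
    """Run evaluate() over every event and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f]


# Constructed sample telemetry (not real events); "dropped.dll" is a placeholder name.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\ctfmon.exe"},
    {"EventID": 1, "Image": r"C:\Users\Public\Libraries\ctfmon.exe"},
    {"EventID": 7, "Image": r"C:\Users\Public\Libraries\ctfmon.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\dropped.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\ProgramData\temp\calc.exe"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the genuine System32 launches and the signed kernel32.dll load pass, while the relocated copies and the DLL dropped next to them are reported.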
To protect against QuasarRAT and its new capabilities, Uptycs highlighted the importance of maintaining up-to-date software and vigilant email practices, as well as implementing advanced security solutions and training individuals to recognize suspicious activities. Collaboration with cybersecurity experts and information sharing within the industry are also emphasized to stay informed about evolving threats.

This Cyber News was published on www.infosecurity-magazine.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000
