Advanced Phishing Campaign Delivers Quasar RAT (Aug 26, 2019)
A new phishing campaign identified by researchers at Cofense Intelligence delivers the “Quasar” Remote Access Tool (RAT) while employing several measures to deter detection. The phishing email, written to appear as though sent from a job seeker, carries an attached “resume” document that delivers the malware. The document is password protected so that automated analysis tools cannot open it, is padded with more than 1,200 lines of garbage code intended to overload and crash analysis systems, and hides the payload URL in the metadata of embedded images. Finally, to avoid discovery, a 401MB Microsoft Self Extracting executable is downloaded that unpacks the RAT; the artificially large file size can exceed the limits of, or crash, an automated-detection system. These techniques delay detection and can give the threat actor enough time to gather information and stage additional malware before the intrusion is detected or removed.
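The evasion tricks described above translate directly into attachment triage checks. The following script is an added example written for this briefing, not code from Cofense, Anomali or the campaign's operators: it flags an OOXML attachment that carries a VBA project, finds URLs hidden in the PNG text metadata of embedded images, recognizes the OLE container that Office uses to store a password-protected document (its directory holds a stream named "EncryptedPackage"), and reports attachments above a configurable size limit, the trick the 401MB self-extractor relies on. The 100MB limit, the example.invalid URL and the sample documents are constructed for illustration and are not indicators from the campaign.

```python
import io
import re
import struct
import zipfile
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Office wraps a password-protected OOXML file in an OLE container whose
# directory contains a stream literally named "EncryptedPackage" (UTF-16LE on disk).
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+", re.IGNORECASE)
# Hypothetical sandbox upload cap; real products differ, tune to your environment.
SIZE_LIMIT = 100 * 1024 * 1024


def png_text_chunks(data):
    """Yield (keyword, text_bytes) for every tEXt chunk in a PNG byte string."""
    if not data.startswith(PNG_MAGIC):
        return
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt":
            key, _, text = body.partition(b"\x00")
            yield key.decode("latin-1"), text
        if ctype == b"IEND":
            break
        pos += 12 + length  # 4-byte length + 4-byte type + body + 4-byte CRC


def triage_attachment(data, size_limit=SIZE_LIMIT):
    """Return a list of human-readable findings for one attachment's bytes."""
    findings = []
    if len(data) > size_limit:
        findings.append(f"oversized: {len(data)} bytes exceeds {size_limit}-byte limit")
    if data.startswith(OLE_MAGIC) and ENCRYPTED_STREAM in data:
        findings.append("OLE container with EncryptedPackage stream: password-protected Office document")
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            names = doc.namelist()
            if "word/vbaProject.bin" in names:
                findings.append("contains VBA macro project (word/vbaProject.bin)")
            for member in names:
                if member.startswith("word/media/"):
                    for key, text in png_text_chunks(doc.read(member)):
                        for url in URL_RE.findall(text):
                            findings.append(
                                f"URL in image metadata {member} [{key}]: {url.decode('latin-1')}")
    return findings


# ---- constructed samples (not real campaign artifacts) ----

def _png_chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_png_with_comment(comment):
    """Constructed 1x1 PNG whose tEXt 'Comment' chunk carries arbitrary bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_MAGIC + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"tEXt", b"Comment\x00" + comment)
            + _png_chunk(b"IEND", b""))


def build_docm(comment, with_macro=True):
    """Constructed minimal OOXML package: stub document, optional macro
    project, and one embedded image whose metadata holds `comment`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
        z.writestr("word/media/image1.png", build_png_with_comment(comment))
    return buf.getvalue()


def build_encrypted_stub():
    """Constructed stand-in for an encrypted OOXML file: OLE header plus the
    UTF-16LE stream name an encrypted document's directory would contain."""
    return OLE_MAGIC + b"\x00" * 504 + ENCRYPTED_STREAM + b"\x00" * 64


if __name__ == "__main__":
    for label, blob in [
        ("resume.docm", build_docm(b"http://example.invalid/stage2")),
        ("resume.docx (encrypted)", build_encrypted_stub()),
        ("clean.docx", build_docm(b"scanned resume", with_macro=False)),
    ]:
        print(label, "->", triage_attachment(blob) or ["no findings"])
```

Run these checks before an attachment is handed to a sandbox: an oversized or password-protected sample that the sandbox would silently skip is then routed to a human instead of being marked clean. Inspecting the macro body for junk-code padding is out of scope for this script and is better done with a dedicated VBA extractor.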
Recommendation: Do not enable macros in documents that request them, especially in attachments from unknown senders. All employees should be educated on the risk of opening attachments from unknown senders. Anti-spam and antivirus protection should be implemented and kept up to date with the latest version to better ensure security.
Indicators of Compromise (IOCs) associated with this story are available to ThreatStream users to identify potential malicious activity.