A new DLL side-loading technique has been leveraged by the Quasar RAT backdoor, also known as CinaRAT or Yggdrasil, to further obscure malicious data exfiltration activities against Windows devices, The Hacker News reports.
Attacks begin with the delivery of an ISO image containing the legitimate "ctfmon.exe" binary renamed as "eBill-997358806.exe"; when executed, it side-loads the malicious "MsCtfMonitor.dll," which carries obfuscated malicious code, according to a report from Uptycs. The concealed code, itself another executable, is injected into the Windows Assembly Registration Tool, after which the "Calc.exe" process is launched to side-load a malicious "Secure32.dll" that deploys the Quasar RAT payload, the researchers said.
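The chain above is a textbook search-order side-load: a signed Windows binary is copied out of its system directory (and renamed), so that a DLL with a system DLL's name placed next to it is loaded instead of the real one. The following is an added detection example, not code from Uptycs or The Hacker News; it runs a few side-loading checks over constructed image-load records shaped like Sysmon-style telemetry (process path, the process's PE OriginalFileName, the DLL path, and whether the DLL is signed). The `KNOWN_HOST_BINARIES` list and the sample paths are assumptions for illustration.

```python
"""Flag DLL side-loading indicators in process/image-load telemetry.

Added example, not from the Uptycs report or The Hacker News article. The event
shape mirrors Sysmon-style image-load records but is a constructed stand-in.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Hypothetical allow-list of signed Windows binaries known to be abused as
# side-loading hosts; build it from your own telemetry rather than this stub.
KNOWN_HOST_BINARIES = {"ctfmon.exe", "calc.exe"}


@dataclass(frozen=True)
class ImageLoad:
    process_image: str      # full path of the running process
    original_filename: str  # OriginalFileName from the process's PE version info
    loaded_module: str      # full path of the DLL being mapped into the process
    module_signed: bool     # DLL has a valid Authenticode signature


def in_system_dir(path: str) -> bool:
    """True if the path lies under System32 or SysWOW64 (case-insensitive)."""
    p = path.lower()
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def side_load_findings(ev: ImageLoad) -> list[str]:
    """Return the indicators present in one image-load event (empty if benign)."""
    findings: list[str] = []
    orig = ev.original_filename.lower()
    if orig not in KNOWN_HOST_BINARIES:
        return findings  # not a binary we track as a side-loading host
    on_disk = PureWindowsPath(ev.process_image).name.lower()
    if on_disk != orig:
        # The renamed ctfmon.exe still reports its original name in version info.
        findings.append(f"host binary renamed ({on_disk} is really {orig})")
    if not in_system_dir(ev.process_image):
        findings.append("host binary running outside a system directory")
    if not in_system_dir(ev.loaded_module):
        findings.append("DLL loaded from a non-system directory")
        # PureWindowsPath compares case-insensitively, so D:\ == d:\ here.
        if PureWindowsPath(ev.loaded_module).parent == PureWindowsPath(ev.process_image).parent:
            findings.append("DLL sits beside the host binary (search-order side-load)")
        if not ev.module_signed:
            findings.append("DLL is unsigned")
    return findings


def scan(events):
    """Map each suspicious (process, module) pair to its list of indicators."""
    report = {}
    for ev in events:
        hits = side_load_findings(ev)
        if hits:
            report[(ev.process_image, ev.loaded_module)] = hits
    return report


# Constructed sample telemetry: the two loads from the article plus two benign ones.
SAMPLE_EVENTS = [
    ImageLoad(r"D:\eBill-997358806.exe", "ctfmon.exe", r"D:\MsCtfMonitor.dll", False),
    ImageLoad(r"D:\calc.exe", "calc.exe", r"D:\Secure32.dll", False),
    ImageLoad(r"C:\Windows\System32\ctfmon.exe", "ctfmon.exe",
              r"C:\Windows\System32\MsCtfMonitor.dll", True),
    ImageLoad(r"C:\Program Files\App\app.exe", "app.exe",
              r"C:\Program Files\App\helper.dll", True),
]

if __name__ == "__main__":
    for key, hits in scan(SAMPLE_EVENTS).items():
        print(key, "->", "; ".join(hits))
```

Gating on the process's OriginalFileName rather than its on-disk name is the point: renaming the host binary does not change its version resource, so a "system" binary loading any DLL from a user-writable directory is the signal, and ordinary third-party applications loading their own DLLs from their install folder stay out of the report.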
Quasar RAT has been reported to facilitate not only system data collection but also arbitrary shell command execution. No specific threat operation has been identified as being behind the campaign, and uncertainties remain regarding the initial access vector used in the attack, but users have been urged to be more vigilant about phishing emails.