New Quasar RAT malware adopts DLL side-loading technique

admin, 2023-10-26 02:15:16

The open-source remote access trojan known as Quasar RAT has been observed leveraging DLL side-loading to fly under the radar and stealthily siphon data from compromised Windows hosts.

"This technique capitalizes on the inherent trust these files command within the Windows environment," Uptycs researchers Tejaswini Sandapolla and Karthickkumar Kathiresan said in a report published last week, detailing the malware's reliance on ctfmon.exe and calc.exe as part of the attack chain.

Also known by the names CinaRAT or Yggdrasil, Quasar RAT is a C#-based remote administration tool capable of gathering system information, a list of running applications, files, keystrokes, screenshots, and executing arbitrary shell commands.

DLL side-loading is a popular technique adopted by many threat actors to execute their own payloads by planting a spoofed DLL file with a name that a benign executable is known to be looking for.

"Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process," MITRE notes in its explanation of the attack method.

The starting point of the attack documented by Uptycs is an ISO image file that contains three files: a legitimate binary named ctfmon.exe renamed to eBill-997358806.exe, the genuine MsCtfMonitor.dll renamed to monitor.ini, and a malicious MsCtfMonitor.dll that takes its place.

"When the binary file 'eBill-997358806.exe' is run, it initiates the loading of a file titled 'MsCtfMonitor.dll' (name masqueraded) via DLL side-loading technique, within which malicious code is concealed," the researchers said.

The hidden code is another executable, "FileDownloader.exe", which is injected into Regasm.exe, the Windows Assembly Registration Tool, in order to launch the next stage: an authentic calc.exe that loads the rogue Secure32.dll, again through DLL side-loading, and launches the final Quasar RAT payload.

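The chain above gives defenders two observable signals: a trusted Windows binary running under a name that does not match its embedded version information, and a system-DLL name being loaded from a non-system directory (the mounted ISO, a user folder) without a valid signature. The following check over Sysmon-style process-create (event 1) and image-load (event 7) records is an added example, not code from the Uptycs report; the events, drive letters, the `SYSTEM_DLLS` watch list and the `Signed` field values are constructed for illustration, while the field names follow Sysmon's schema.

```python
"""Flag DLL side-loading indicators in Sysmon-style event records."""
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Constructed watch list: DLL names a trusted Windows binary should only
# load from a system directory (seeded with the two names from this chain).
SYSTEM_DLLS = {"msctfmonitor.dll", "secure32.dll"}

# Constructed sample events modelled on Sysmon event 1 and event 7 fields.
EVENTS = [
    {"EventID": 1, "Image": r"E:\eBill-997358806.exe", "OriginalFileName": "CTFMON.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\ctfmon.exe", "OriginalFileName": "CTFMON.EXE"},
    {"EventID": 7, "Image": r"E:\eBill-997358806.exe",
     "ImageLoaded": r"E:\MsCtfMonitor.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\ctfmon.exe",
     "ImageLoaded": r"C:\Windows\System32\MsCtfMonitor.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\victim\AppData\Local\Temp\calc.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\Secure32.dll", "Signed": "false"},
]


def in_system_dir(path: str) -> bool:
    """True when the file's directory is one of the Windows system directories."""
    return ntpath.dirname(path).lower().rstrip("\\") in SYSTEM_DIRS


def renamed_binary(ev: dict) -> bool:
    """Event 1: the PE's OriginalFileName (version info) differs from the on-disk name."""
    orig = ev.get("OriginalFileName", "")
    return bool(orig) and orig.lower() != ntpath.basename(ev["Image"]).lower()


def sideloaded_dll(ev: dict) -> bool:
    """Event 7: a watched DLL name loaded from outside a system directory, or unsigned."""
    dll = ev["ImageLoaded"]
    unsigned = ev.get("Signed", "true").lower() == "false"
    return ntpath.basename(dll).lower() in SYSTEM_DLLS and (not in_system_dir(dll) or unsigned)


def scan(events: list) -> list:
    """Return (rule, process, artifact) tuples for every event that trips a rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and renamed_binary(ev):
            findings.append(("renamed-binary", ev["Image"], ev["OriginalFileName"]))
        elif ev["EventID"] == 7 and sideloaded_dll(ev):
            findings.append(("sideloaded-dll", ev["Image"], ev["ImageLoaded"]))
    return findings


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(*finding, sep="\t")
```

Both rules rely on the loader being a signed Windows binary, so a real deployment would also join on the loading process's own signature status rather than trusting the name alone.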
The trojan, for its part, establishes connections with a remote server to send system information and even sets up a reverse proxy for remote access to the endpoint.

The identity of the threat actor and the exact initial access vector used to pull off the attack are unclear, but the ISO is likely disseminated by means of phishing emails, making it imperative that users stay on guard for dubious emails, links, or attachments.

Originally published by the WeChat public account 知机安全: New Quasar RAT malware adopts DLL side-loading technique

When reposting, please keep the link to this article (CN-SEC 中文网; thanks to the original author for their work): New Quasar RAT malware adopts DLL side-loading technique, http://cn-sec.com/archives/2140668.html