Quasar Remote Access Trojan (RAT) is an open-source remote access trojan family built on the .NET Framework and used in cyber-criminal and cyber-espionage campaigns against Windows devices. It is often delivered via malicious attachments in phishing and spear-phishing emails.

Its capabilities include capturing screenshots, recording from the webcam, reverse proxying, editing the registry, spying on the user's actions, keylogging and stealing passwords.

Quasar is a publicly available open-source Remote Access Trojan which primarily targets Windows OS systems. This RAT is written in the C# programming language.

The Remote Access Trojan uses two methods to achieve persistence: scheduled tasks and registry keys.

Quasar is authored by GitHub user MaxXor and publicly hosted as a GitHub repository. While the tool can be used for legitimate purposes (e.g. an organization's helpdesk technician remotely accessing an employee's laptop), the Cybersecurity and Infrastructure Security Agency (CISA) is aware of APT actors using Quasar in cybercrime and cyber-espionage campaigns.

Quasar uses a client-server architecture that enables one user to remotely access many clients. The server is responsible for creating client binaries and managing client connections. Users then interact with connected clients through the server’s graphical user interface.

The Quasar server component is responsible for:

  • Listening for and handling client connections (e.g. accepting new connections, terminating connections)
  • Managing connected clients (e.g. retrieving files, showing the screen, killing processes)
  • Configuring and building client executables.

In January 2018, attackers targeted the Ukrainian Ministry of Defense with the Quasar RAT and a custom malware dubbed VERMIN. The malware strains were distributed via decoy documents. The attack was aimed at stealing system information, usernames, keystrokes and clipboard data.

In May 2019, researchers observed the Chinese cyber-espionage group APT10 using two loader variants and various payloads to launch attacks against government and private organizations in Southeast Asia.

The two variants are PlugX and Quasar RAT.

These loader variants drop malicious files such as Jjs.exe, jli.dll, Msvcrt100.dll and svchost.bin to distribute additional payloads.

How to remove Quasar RAT

  1. Launch Task Manager by tapping keys Ctrl+Shift+Esc.
  2. Click the Processes tab and find the malicious {random name}.exe process.
  3. Right-click it and select Open File Location to open the folder containing the malicious launcher.
  4. Go back to the Task Manager, select the process, and click End Process.
  5. Go to the folder containing the malicious {random name}.exe file.
  6. Right-click the file and then select Delete.
  7. Launch RUN by tapping Win+R keys on the keyboard.
  8. Type regedit.exe into the dialog field and click OK to access the Registry Editor.
  9. Navigate to HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RUN.
  10. Right-click the malicious {random name} value linked to the RAT and select Delete.

Empty the Recycle Bin and do not forget to run a full system scan afterwards.
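The manual steps above check a single Run key by hand. The following PowerShell triage script is an added example (not from the original article or the Quasar project) that lists every value in the HKCU and HKLM Run keys plus every scheduled-task action, and flags entries whose command points into user-writable directories (the set of directories treated as suspicious is an assumption of this example). It assumes Windows 8 / Server 2012 or later so that the ScheduledTasks module is available.

```powershell
# Added triage helper (not from the original article): lists Run-key values and
# scheduled-task actions, and flags any whose command path lives in a user-writable
# directory such as %TEMP% or %APPDATA%, the locations a dropped RAT client
# typically persists from. Review the output by hand before deleting anything.

$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Assumption: these directories are the ones we treat as suspicious launch locations.
$suspiciousRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Downloads")

function Test-SuspiciousPath {
    param([string]$Command)
    if (-not $Command) { return $false }
    # Expand %VAR% references so entries written with environment variables still match.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $suspiciousRoots) {
        if ($root -and $expanded -like "*$root*") { return $true }
    }
    return $false
}

Write-Host "== Registry Run values =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell provider metadata
        $flag = if (Test-SuspiciousPath $p.Value) { 'SUSPICIOUS' } else { 'ok' }
        "{0,-10} {1}\{2} = {3}" -f $flag, $key, $p.Name, $p.Value
    }
}

Write-Host "== Scheduled task actions =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        $flag = if (Test-SuspiciousPath $cmd) { 'SUSPICIOUS' } else { 'ok' }
        "{0,-10} {1}{2} -> {3}" -f $flag, $task.TaskPath, $task.TaskName, $cmd
    }
}
```

Run it from an elevated PowerShell prompt so the HKLM key and all tasks are readable; a SUSPICIOUS line is a lead to investigate, not proof of infection, since some legitimate updaters also run from %LOCALAPPDATA%.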