The Down-Low of Downeks and Quasar RAT
Researchers at Palo Alto Networks haven't identified the initial infection vector for this campaign. They do know that the attack chain begins when a victim receives an initial dropper (probably via email or the web). That dropper is disguised as "Joint Ministerial Council between the GCC and the EU Council.exe." GCC stands for many things, but here it almost certainly refers to the Gulf Cooperation Council, an intergovernmental body of Arab states bordering the Persian Gulf. Correspondence between the GCC and the EU Council would be pertinent to the work of government officials in the Middle East, which is exactly why the attackers chose such a relevant disguise for their dropper. Upon execution, the dropper extracts an embedded instance of the Downeks downloader under the file name "ati.exe." The downloader, which is technically a simple backdoor, often borrows icons, file names, and metadata from legitimate applications such as VMware. It communicates with its command and control (C&C) server over HTTP POST requests. Over that channel, Downeks can take a screenshot, enumerate the anti-virus products installed on the infected machine, establish persistence on the host, terminate running processes, and send information about the computer back to the attackers. It also looks up the machine's external IP address so the attackers can geolocate the victim with GeoIP. All the while, it drops decoy documents as cover.

"With further analysis of the Quasar RAT C2 Server, we uncovered vulnerabilities in the server code, which would allow remote code execution. This might allow a second attacker to install code of their choice – for example, their own Quasar RAT – on the original attacker's server. We refer to this (somewhat ironic) technique as a 'Double Edged Sword Attack'. We did not apply this to any live C2 servers – we only tested this with our own servers in our lab."

Specifically, because the Quasar server does not verify the data the RAT sends back, an actor could supply convincing "victim data" in the form of a file of their choice. Palo Alto Networks' research team sent two files, including "dnsapi.dll," knowing that the Quasar server is vulnerable to DLL hijacking. Once uploaded, their DLL forced the Quasar server to connect to their own attack server, giving them control of the original attacker's C2 server through their own version of the malware.
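The bug class the paragraph above describes, a server that writes whatever the client sends under the name the client supplies, is easy to reproduce in miniature. The following is an added example written for this page; it is not Quasar's code and does not reproduce the researchers' test. The directory layout, the list of refused extensions, and the function names are assumptions. It shows the weak upload handler beside a hardened one that treats the client name as metadata only, refuses loadable code, and writes under a server-generated name.

```python
"""Added example (not Quasar's code): a C2-style upload handler that trusts
the client-supplied file name, beside a hardened version. Directory names,
the refused-extension list and all function names are assumptions."""
import os
import tempfile
import uuid

# Extensions Windows will treat as loadable code. If a server writes one of
# these next to its own binary, DLL search order can load it; the article's
# example name is dnsapi.dll.
LOADABLE_EXTENSIONS = {".dll", ".exe", ".scr", ".com", ".cpl", ".pif"}


class RejectedUpload(ValueError):
    """Raised when a client-supplied file name is not acceptable."""


def unsafe_store(upload_dir: str, client_name: str, data: bytes) -> str:
    """Weak form: trusts the client-supplied name outright, so a client that
    reports its file as 'dnsapi.dll' decides what lands on disk and under
    which name. Returns the path written."""
    dest = os.path.join(upload_dir, client_name)
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def check_name(client_name: str) -> str:
    """Reduce the client name to a bare file name and refuse loadable code.
    The returned value is kept as metadata only and never used as a path."""
    base = os.path.basename(client_name.replace("\\", "/"))
    if base in ("", ".", ".."):
        raise RejectedUpload(f"no usable file name in {client_name!r}")
    if os.path.splitext(base)[1].lower() in LOADABLE_EXTENSIONS:
        raise RejectedUpload(f"loadable code refused: {base}")
    return base


def safe_store(upload_dir: str, client_name: str, data: bytes) -> str:
    """Hardened form: validate the client name, then write under a
    server-generated name with a fixed extension. upload_dir is assumed to
    be a directory the server process never loads code from."""
    check_name(client_name)
    dest = os.path.join(upload_dir, uuid.uuid4().hex + ".bin")
    with open(dest, "wb") as fh:
        fh.write(data)
    return dest


def demo() -> dict:
    """Run both handlers against the same hostile 'victim data' and report
    what each one did. Uses a throwaway temp directory so it runs offline."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    payload = b"MZ..."  # constructed stand-in for a DLL body
    results = {}
    # The weak handler happily plants a file called dnsapi.dll.
    results["unsafe"] = unsafe_store(uploads, "dnsapi.dll", payload)
    # The hardened handler refuses the same upload.
    try:
        safe_store(uploads, "dnsapi.dll", payload)
        results["safe"] = "accepted"
    except RejectedUpload as exc:
        results["safe"] = f"rejected ({exc})"
    # Benign data (a screenshot list, say) is still accepted, but lands
    # under a generated name rather than the one the client asked for.
    results["safe_text"] = safe_store(uploads, "..\\report.txt", b"screens")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hardened handler deliberately does not try to "clean" a dangerous name into a safe one; a file the server cannot trust is refused, and the few attributes worth keeping (the reported name, its size) are stored as data rather than used to form a path. That is the check the researchers found missing on the server side.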