Preface: Quasar, a legitimate open-source remote administration tool. It is a fast and light-weight remote administration tool coded in C#.
Background: APT actors have adapted Quasar and created modified minor (22.214.171.124) and major (126.96.36.199 and 188.8.131.52) versions. Since the re-engineering Quasar client will be mimics a Mozilla Firefox 48 browser running on Windows 8.1 or mimics an Apple Safari 7.0.3 browser running on Mac OS X 10.9.3 in order to evade IDS monitoring. However there are way lets security operation center find their fingerprint. The distinctive first 4 bytes of the payload can be used to identify Quasar traffic.
As a result, below analytic way can be enforce the detective control:
Signature 1: TCP Payload Size Tracking
Signature 2: IP Lookup User-Agent String, HyperText Transfer Protocol Header Host, and HyperText Transfer Protocol Header URI
Signature 3: Hidden HTTP Request User-Agent String and Time-to-Live
More details can be found below url: https://unit42.paloaltonetworks.com/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/
3 thoughts on “Analysis Reports by US Homeland Security – Legitimate open source remote administration tool re-engineer by threat actor as APT way of attack – Dec 2018”
It’s a pity you don’t have a donate button! I’d most certainly donate to this superb blog! I suppose for now i’ll settle for book-marking and adding your RSS feed to my Google account. I look forward to new updates and will talk about this website with my Facebook group. Talk soon!|
I’m not sure exactly why but this blog is loading very slow for me. Is anyone else having this issue or is it a issue on my end? I’ll check back later on and see if the problem still exists.|
This post is truly a nice one it helps new internet users, who are wishing for blogging.
Comments are closed.