QuasarRAT

Volt Typhoon has obtained the victim's system current location.

The content repeatedly states that threat actors 'obtained,' 'acquired,' or 'used' publicly available, open-source, legitimate, or modified tools such as Mimikatz, Cobalt Strike, PsExec, Empire, Impacket, and many others.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Baobeilong (宝贝龙/”Baby Dragon”) also maintained a GitHub account that had forked both the Quasar and Trochilus RATs, two open-source tools historically used by STONE PANDA... Falcon Intelligence recently independently conducted detailed analysis of the RedLeaves malware... found it was directly sourced from Trochilus code

The content repeatedly describes use of cmd.exe, cmd /c, Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include: 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families 'can use cmd.exe to execute commands on a compromised host.' | Many entries explicitly state malware 'can create a reverse shell' or 'launch a remote shell,' including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.

Therefore, using these stolen certificates, threat actors gain the advantage of making their programs look like legitimate NVIDIA programs and allowing malicious drivers to be loaded by Windows.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.

The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.

To keep them under the antivirus radar, Nigerian actors techniques use "crypters" - software tools designed to encrypt, obfuscate, and modify malware.

During the 2016 Ukraine Electric Power Attack, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.

DarkGate queries system locale information during execution. Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.

Across the content, malware repeatedly 'adds Registry Run keys', 'creates Registry entries', 'modifies the Windows Registry', or 'overwrites registry keys' to maintain persistence.

Threat actors are using stolen NVIDIA code signing certificates to sign malware to appear trustworthy and allow malicious drivers to be loaded in Windows. | According to samples uploaded to the VirusTotal malware scanning service, the stolen certificates were used to sign various malware and hacking tools, such as Cobalt Strike beacons, Mimikatz, backdoors, and remote access trojans.

T1056.001 Agent Tesla, AsyncRAT, gh0st RAT, Lokibot, njRAT, PlugX, QuasarRAT, Remcos, XWorm

APT39 has used the Smartftp Password Decryptor tool to decrypt FTP passwords... DarkGate use Nirsoft Network Password Recovery or NetPass tools to steal stored RDP credentials... PoshC2 can decrypt passwords stored in the RDCMan configuration file... Volt Typhoon has attempted to obtain credentials from OpenSSH, realvnc, and PuTTY. | Agent Tesla has the ability to steal credentials from FTP clients and wireless profiles... APT33 has used a variety of publicly available tools like LaZagne to gather credentials... Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from the credential vault and DPAPI.

The content repeatedly describes threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.

The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.

The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.

Examples include 'TrickBot can identify the user and groups the user belongs to on a compromised host' and multiple entries checking whether the current user is an administrator or has elevated privileges.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

Examples include 'Caterpillar WebShell can obtain a list of user accounts from a victim's machine,' 'Woody RAT can retrieve a list of user accounts and usernames,' and 'APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.'

DarkGate queries system locale information during execution. Later versions of DarkGate query GetSystemDefaultLCID for locale information to determine if the malware is executing in Russian-speaking countries.

The content references repeated use of remote administration and remote execution tools such as PsExec, AnyDesk, Atera, ConnectWise, RemoteUtilities, SimpleHelp, PcShare, VNC, and commodity remote access tools.

T1056.001 Agent Tesla, AsyncRAT, gh0st RAT, Lokibot, njRAT, PlugX, QuasarRAT, Remcos, XWorm

Recorded Future tracks the creation and modification of new malicious infrastructure for a multitude of post-exploitation toolkits, custom malware, and open-source remote access trojans (RATs). We observed over 17,000 unique command-and-control (C2) servers during 2022...

The debug messages visible in the output show another unusual feature of the malware – the use of HEAD requests

the attackers became active on the compromised machine and proceeded to download the archiving tool WinRAR... attackers were observed downloading a custom .NET FTP tool... using Quasar RAT to download a second custom AutoIt FTP exfiltration tool known as FastUploader...

4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.

Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.