
In this article, we analyze a recent trend in attacks on financial software in which Quasar RAT is distributed through home trading systems (HTS), the programs individual investors use for personal trading. We also examine the IP addresses used in these attacks with a threat hunting search engine.
Threat Analysis of Home Trading System Exploitation
Home trading systems (HTS), used for personal trading, have been previously exploited to distribute Quasar RAT malware. According to the AhnLab Security Intelligence Center (ASEC), attackers have recently added new strategies to their Quasar RAT attacks via HTS. One notable change is the shift from NSIS to MSI file formats for initial distribution. This change is likely aimed at evading detection by enhanced security software.
ASEC’s analysis reveals that attackers distributed malware through an HTS program called HPlus. After the victim installs the HTS program and runs the desktop shortcut, an updater program named “Asset.exe” is executed. This program reads a “config.ini” file in the same directory and connects to an update server over FTP.

The attackers modified the “config.ini” file so that the updater connects to an FTP server hosting the malware, which results in the download and installation of a compressed archive containing Quasar RAT. The archive includes “StockProh.exe” and “Socketmanager240714.exe”; the latter executes Quasar RAT, giving the attackers remote control of the victim’s PC.
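The weak point in this chain is that the updater trusts whatever server “config.ini” names. As an added example (not code from the article, ASEC or the HPlus vendor), the following Python checker shows the kind of validation a defender can run over such a file before the updater is allowed to connect: compare it with a recorded known-good copy, confirm the server is on an allowlist, flag a literal IP where a vendor hostname is expected, and note that plain FTP gives no integrity guarantee for the downloaded payload. The `[update]` section, its `server`/`port`/`protocol` keys, the hostname and the allowlist are all assumptions for illustration; the real layout of the HPlus config.ini is not described in the article.

```python
"""Added example (not from the article): sanity-checking an HTS updater's
config.ini before the updater opens an FTP connection.

Assumption (hypothetical): the file has an [update] section with
'server', 'port' and 'protocol' keys. The real HPlus layout is not known here."""
import configparser
import hashlib
import ipaddress

# Constructed sample of what a vendor-issued config could look like (hostname made up).
LEGIT_INI = """\
[update]
server = update.broker-example.invalid
port = 21
protocol = ftp
"""

# Constructed sample of the same file after an attacker redirects the update
# channel to a host they control (IP taken from the article's indicator list).
TAMPERED_INI = """\
[update]
server = 43.201.97.239
port = 21
protocol = ftp
"""

# Hosts the updater is ever expected to talk to (constructed allowlist).
ALLOWED_HOSTS = {"update.broker-example.invalid"}


def fingerprint(ini_text):
    """SHA-256 of the file contents, for comparison with a known-good baseline."""
    return hashlib.sha256(ini_text.encode("utf-8")).hexdigest()


def check_update_config(ini_text, allowed_hosts, baseline_fingerprint=None):
    """Return a list of (code, message) findings; an empty list means nothing unusual."""
    findings = []
    if baseline_fingerprint is not None and fingerprint(ini_text) != baseline_fingerprint:
        findings.append(("BASELINE_MISMATCH", "config.ini differs from the recorded known-good copy"))

    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if not cp.has_section("update"):
        findings.append(("NO_UPDATE_SECTION", "no [update] section found"))
        return findings

    server = cp.get("update", "server", fallback="").strip()
    protocol = cp.get("update", "protocol", fallback="").strip().lower()
    port = cp.getint("update", "port", fallback=0)

    if server not in allowed_hosts:
        findings.append(("HOST_NOT_ALLOWED", f"update server '{server}' is not on the allowlist"))
    try:
        ipaddress.ip_address(server)
        findings.append(("BARE_IP", "update server is a literal IP rather than the vendor hostname"))
    except ValueError:
        pass  # a hostname, as expected
    if protocol == "ftp":
        findings.append(("CLEARTEXT_FTP", "update channel is plain FTP; payloads are not authenticated in transit"))
    if port not in (21, 990):
        findings.append(("UNEXPECTED_PORT", f"update port {port} is not a standard FTP/FTPS port"))
    return findings


if __name__ == "__main__":
    baseline = fingerprint(LEGIT_INI)
    for label, text in (("vendor copy", LEGIT_INI), ("tampered copy", TAMPERED_INI)):
        print(label)
        for code, msg in check_update_config(text, ALLOWED_HOSTS, baseline):
            print(f"  [{code}] {msg}")
```

The vendor copy still produces the `CLEARTEXT_FTP` finding: even an untampered file leaves the update channel unauthenticated, which is why the baseline comparison and the allowlist are worth keeping on the endpoint rather than relying on the updater alone.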

Financial Data Theft and Remote Control via Quasar RAT Attack
This Quasar RAT distribution via HTS poses severe risks beyond financial loss, including the theft of personal data. When victims input sensitive information into the compromised HTS, attackers can easily steal this information. Additionally, the attackers can install AnyDesk under the guise of remote support, enabling them to remotely manipulate the victim’s system more precisely.

A primary reason for the success of such attacks is that individual investors often download and run HTS programs from third-party sources rather than official providers. Downloading software from unverified sources significantly increases the risk of malware infections. Through this attack, attackers can remotely access investors’ computers, steal investment information, and potentially take over the entire system to exfiltrate personal data.
Analyzing IP Addresses Used in Quasar RAT Attacks with Threat Hunting Search Engine
The IP addresses used in the Quasar RAT attacks distributed via HTS are as follows:
- 43[.]201[.]97[.]239:24879
- 103[.]136[.]199[.]131:56001
These IP addresses are critical for threat analysis because they belong to servers controlled by the attackers, which are used for remote control and further malware distribution. Blocking them, or adding them to filtering lists, is an effective preventive measure.
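Blocking is only half of the response; the other half is finding hosts that already tried to reach these endpoints. As an added example (not code from the article or from Criminal IP), the following Python script sweeps a connection log for the two indicators above, rating an exact ip:port match as high confidence and a match on the IP alone (for instance on port 3389) as medium, and lists the internal hosts that need triage. The log format (one `key=value` record per line) and the log lines themselves are constructed for the example.

```python
"""Added example (not from the article): sweeping a connection log for the
C2 indicators listed in the article. Log format and records are constructed."""
import re
from dataclasses import dataclass

# Indicators from the article, as (ip, port) pairs.
IOCS = {
    ("43.201.97.239", 24879),
    ("103.136.199.131", 56001),
}

# Constructed sample log: timestamp, source, destination, protocol, firewall action.
SAMPLE_LOG = """\
2024-08-01T09:12:03Z src=10.0.0.15:51322 dst=52.10.20.30:443 proto=tcp action=allow
2024-08-01T09:12:09Z src=10.0.0.15:51330 dst=43.201.97.239:24879 proto=tcp action=allow
2024-08-01T09:13:41Z src=10.0.0.22:49877 dst=103.136.199.131:3389 proto=tcp action=allow
2024-08-01T09:14:02Z src=10.0.0.22:49881 dst=103.136.199.131:56001 proto=tcp action=deny
this line is not a connection record and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst_ip: str
    dst_port: int
    confidence: str  # "high" = ip:port match, "medium" = IP matched on another port
    action: str      # a denied attempt still means the source host tried to call out


def scan_log(text, iocs=IOCS):
    """Return every record whose destination matches an indicator, in log order."""
    ioc_ips = {ip for ip, _ in iocs}
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a connection record
        dip, dport = m["dip"], int(m["dport"])
        if (dip, dport) in iocs:
            confidence = "high"
        elif dip in ioc_ips:
            confidence = "medium"
        else:
            continue
        hits.append(Hit(m["ts"], m["sip"], dip, dport, confidence, m["action"]))
    return hits


def hosts_to_triage(hits):
    """Internal source addresses that contacted (or tried to contact) an indicator."""
    return {h.src for h in hits}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.src} -> {h.dst_ip}:{h.dst_port} [{h.confidence}] action={h.action}")
    print("hosts to triage:", sorted(hosts_to_triage(found)))
```

The denied record is deliberately kept: a firewall block stops the session, but the source host still attempted to reach the C2 endpoint and should be examined for the HTS archive and Quasar RAT components described above.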
Criminal IP Report for 43[.]201[.]97[.]239
![Quasar RAT attack IP address 43[.]201[.]97[.]239 found using the threat hunting tool, Criminal IP Home Trading System](https://i0.wp.com/blog.criminalip.io/wp-content/uploads/2024/08/%ED%99%88-%ED%8A%B8%EB%A0%88%EC%9D%B4%EB%94%A9-%EC%8B%9C%EC%8A%A4%ED%85%9C-Quasar-RAT_4.jpg?resize=798%2C470&ssl=1)
Using the Criminal IP threat hunting tool, we analyzed IP address 43[.]201[.]97[.]239, which is classified under AWS cloud services.
Multiple ports were observed to be open, including 445, 47001, 5357, 3389, and 1434. Port 3389, commonly used for Remote Desktop Protocol (RDP), suggests the possibility of remote control by attackers.
Criminal IP Report for 103[.]136[.]199[.]131
![Quasar RAT attack IP address 103[.]136[.]199[.]131 found using the threat hunting tool, Criminal IP Home Trading System](https://i0.wp.com/blog.criminalip.io/wp-content/uploads/2024/08/%ED%99%88-%ED%8A%B8%EB%A0%88%EC%9D%B4%EB%94%A9-%EC%8B%9C%EC%8A%A4%ED%85%9C-Quasar-RAT_5.jpg?resize=773%2C456&ssl=1)
Another attack IP address, 103[.]136[.]199[.]131, also showed multiple services running, including Microsoft-HTTPAPI 2.0, Microsoft SQL Server 14.0.1000.169, and unknown applications on ports 5985, 1434, 3389, and 47001. Port 3389 had a TLS certificate detected with the common name WIN-CP12DBDKONT.

This IP address has previously been flagged as a C2 (Command and Control) server and appears in MISP (Malware Information Sharing Platform) records dated July 19, 2024 and December 25, 2022. Updating malicious IP address blocklists on the basis of this historical activity is advisable.
TTPs and MITRE ATT&CK Techniques Used in Quasar RAT Attack
The techniques and procedures used in the Quasar RAT attack via HTS include:
- Application Execution File Manipulation (MITRE ATT&CK ID: T1547.001): Attackers modified “Asset.exe” and “config.ini” to exploit the update function.
- Remote Control Software Installation (MITRE ATT&CK ID: T1219): Attackers installed AnyDesk to access the victim’s system under the pretext of remote support.
- Exploitation of the FTP Protocol (MITRE ATT&CK ID: T1071.002): Attackers used FTP to download and install malicious files.
- Use of Compressed Files (MITRE ATT&CK ID: T1560.001): Attackers distributed malware in compressed form to evade detection.
- Communication with C2 Servers (MITRE ATT&CK ID: T1071): Attackers operated C2 servers via specific IP addresses to control the victims’ systems and execute additional commands.
The HTS program used in this attack has been abused by attackers before, indicating a recurring reliance on known software and attack methods. Legitimate financial institutions do not distribute HTS via messengers; therefore, users must only download and install HTS from official websites to prevent potential attacks.
For further reading, refer to the article Open-Source Supply Chain Attacks: Case Studies of Malicious NuGet and npm Packages.
This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Source: Criminal IP(https://www.criminalip.io/)