Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys

This analysis will cover the extraction of Quasar configuration via Dnspy. We'll then use this information to pivot to additional servers utilising Shodan and Censys. In total, 64 additional servers will be identified.

A full list of the 64 Quasar servers can be found at the end of this post.

An overview of this post

Obtaining the initial sample
Overview of the unpacking process
Locating and extracting Quasar configuration using Dnspy
Analysis of Quasar Configuration
Building Shodan Queries
Analysis of identified servers
Cross-referencing detection rates with VirusTotal
Identifying additional servers using Censys
Complete list of identified servers.

Sample

The malware sample was obtained from Malware Bazaar and is available here.

SHA256:78eb982abdfb385ac2e0c9a640856077379355f16e29788456a6551c166b00fe

the

I'll leave the bulk of Quasar unpacking for another post. This is a high-level summary of the process that I used.

Unzip the file using the password infected
Identify high-entropy using detect-it-easy
Check strings and observe multiple references to ZwWriteVirtualMemory and InstallUtil.exe
Assume entropy=Loader,
Assume InstallUtil.exe = Injection Target
Execute malware inside the Virtual Machine
Utilise Process Hacker to observe new spawns of installutil.exe
Use Process Hacker to observe .NET assemblies loaded into Installutil.exe
Utilising DnSpy to dump .NET assemblies. Obtain Quasar RAT.
Load Quasar into Dnspy. Browse to Entry Point.
Observe the config initialization function. Set breakpoints and create a watch window.
Obtain Configuration.

Extracting Configuration From Quasar Rat

Following the steps above will identify the following code. Portions of the code have been renamed for readability.

Each of the GClass65.string_8 values reference a value that has been encrypted using AES and then encoded using base64.

The AES decryption code can be seen below.

As well as a reference to additional base64 encoding, on top of the initial AES encryption.

By setting appropriate breakpoints and watch windows. The configuration can be obtained with minimal analysis of the encryption.

Analysis of the Quasar Configuration

The most interesting components of the configuration are the (likely) c2 of 217.196[.]96.37:5678 , as well as the x509 Certificate used for SSL/TLS communications.

An x509 certificate forms part of the public-key component of TLS communications performed between a client and server. The certificate contains valuable information about who is "endorsing" the communications, and who exactly is being endorsed

There are some detailed writeups with much better explanations from Sectigo and Wikipedia.

Typically I have ignored x509 certificates. But today will be a little bit different.

The x509 certificate contains a subject and issuer value of Quasar Server CA.

Of particular note is that the x509 certificate was initially encrypted by the malware. This is an indication that it contains something valuable that could hinder the malware if revealed and appropriately analysed.

Generally, I would stop my analysis here as the C2 was successfully found.

Today I will take this one step further, based on some infrastructure-hunting posts from @MichalKoczwara .

You can find such posts here and here.

How to Build a Shodan Query for Quasar

To take my analysis further, I decided to utilise the issuer information of Quasar Server CA to identify additional Quasar servers.

Shodan.io was my first choice for this investigation.

To utilise the information, I first had to build a valid query for Shodan. This was able to be done using filters list from the main shodan.io site.

The filter ssl.cert.subject.cn seemed the most appropriate. ssl.cert.issuer.cn would also work well and produce the same results in my analysis.

This resulted in an initial query of ssl.cert.subject.cn:"Quasar Server CA"

This query revealed 15 servers running with the subject common name of Quasar Server CA

These 15 servers were geographically dispersed and primarily across China, Hong Kong and Germany. The ports used also vary and include 1337.

Expanding the search to hone in on port 1337.

The second server of 164.92[.]184.73 had 0/86 detections on VirusTotal. The other had only 1/87 as of 2023/05/15. More information on VT detection can be found later in this article.

The servers are mostly running on cloud hosting providers. Including Hetzner, DigitalOcean and China Unicom.

China Unicom is pretty interesting.

Another overview of the countries can be seen here.

Exporting the Full list

The rest of the shodan.io data was not extremely interesting and the associated jarm/ja3s values did not reveal much.

So I decided to export the list of servers and check the rest against VirusTotal.

A full list of the servers can be seen here.

2[.]133[.]130[.]23
27[.]11[.]235[.]246
42[.]192[.]132[.]19
43[.]240[.]48[.]46
43[.]244[.]89[.]152
45[.]32[.]106[.]94
49[.]12[.]46[.]139
59[.]26[.]93[.]6
80[.]168[.]201[.]195
81[.]19[.]141[.]35
102[.]116[.]6[.]203
139[.]46[.]12[.]49
144[.]168[.]46[.]50
152[.]89[.]244[.]43
164[.]92[.]184[.]73
180[.]235[.]137[.]45
195[.]201[.]168[.]80
198[.]244[.]160[.]119

Analysing Detections Using Virustotal

Viewing the servers within VirusTotal, we can again see one of the servers running port 1337 has 0/86 detection.

The other Quasar server running 1337 has only 1/87 detections.

In total, there were 9 servers with 0 detections as of 2023-05-15. A few of these are listed below.

Full List of VirusTotal Detections

This is a full list of the detection rates as of 2023-05-15.

2.133.130.23 - VT 3/87
27.11.235.246 - VT 0/86
42.192.132.19 - VT 1/87
43.240.48.46 - VT 0/86
43.244.89.152 - VT 0/86
45.32.106.94 - VT 3/87
49.12.46.139 - VT 0/86
59.26.93.6 - VT 12/87
80.168.201.195 - VT 0/86
81.19.141.35 - VT 1/87
102.116.6.203 - VT 0/86
139.46.12.49 - VT 0/86
144.168.46.50 - VT 1/87
152.89.244.43 - VT 2/87
164.92.184.73 - VT 0/86
180.235.137.45 - VT 2/87
195.201.168.80 - VT 1/87
198.244.160.119 - VT 0/86

Bonus Analysis Using Censys

Using Censys I was able to identify another 46 servers. I have not checked these against VirusTotal. You are welcome to do so using the full list of servers at the end of this post.

services.tls.certificates.leaf_data.subject.common_name: "Quasar Server CA"

Conclusion

So it turns out malware analysis can get far more interesting beyond just C2 extraction. With minimal additional analysis, you can pivot to additional C2 infrastructure.

It's possible that some of these servers are not "malicious" per se, but I see no valid reason for using a Quasar certificate for communications. I'll assume they are all malware until notified otherwise.

Complete List of Quasar Infrastructure

The complete list of 64 Quasar servers.