Quasar RAT (also known as CinaRAT and Yggdrasil) is an open-source C#/.NET-based remote access trojan active since 2014. Key capabilities include remote desktop, keylogger, file manager, registry editor and task manager. It has been used by APT10/Gorgon.
Overview & Background
Quasar RAT is an open-source .NET RAT first observed in 2014. Because the code is open source, attribution is broad, and it has also seen APT use. The malware is written in C#/.NET and provides operators with comprehensive remote access capabilities.
Quasar RAT continues to be actively distributed and used in campaigns targeting organizations worldwide. Its capabilities include remote desktop, keylogger, file manager, registry editor and task manager; it is open source and has been used by APT10/Gorgon.
- Language: C#/.NET
- Active since: 2014
- Attribution: Open source, APT use
- Also known as: CinaRAT, Yggdrasil
Technical Capabilities
- Remote Desktop: Core Quasar RAT capability T1059
- Keylogger: Core Quasar RAT capability T1059
- File Manager: Core Quasar RAT capability T1059
- Registry Editor: Core Quasar RAT capability T1059
- Task Manager: Core Quasar RAT capability T1059
- Open-Source: Core Quasar RAT capability T1059
- Used by APT10/Gorgon: Core Quasar RAT capability T1059
Distribution Methods
Quasar RAT is typically distributed through phishing emails with malicious attachments, cracked software downloads, and malvertising campaigns. Common delivery mechanisms include Office macros, ISO/IMG containers, and script-based downloaders.
- Phishing emails: Malicious attachments and links T1566.001
- Malvertising: SEO poisoning and malicious ads T1189
- Cracked software: Bundled with pirated applications
MITRE ATT&CK Mapping
| Tactic | Technique | Usage |
|---|---|---|
| Initial Access | T1566.001 Phishing Attachment | Malicious email attachments |
| Execution | T1204.002 Malicious File | User executes RAT payload |
| Persistence | T1547.001 Registry Run Keys | Autostart persistence |
| Defense Evasion | T1027 Obfuscated Files | Payload obfuscation |
| Credential Access | T1056.001 Keylogging | Keystroke capture |
| Collection | T1113 Screen Capture | Screenshot collection |
| Collection | T1125 Video Capture | Webcam access |
| C2 | T1071.001 Web Protocols | HTTP/HTTPS C2 communication |
Detection & Defense
- Endpoint detection: Monitor for C#/.NET processes with network connections from unusual locations
- Network monitoring: Detect C2 traffic patterns associated with Quasar RAT
- Email security: Block malicious attachments and links in phishing campaigns
- Application whitelisting: Restrict execution of unauthorized binaries
- YARA rules: Deploy detection signatures for known Quasar RAT variants
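One way to express the endpoint check above together with the Run-key persistence from the ATT&CK table, as an added example (not from the original page or from any Quasar RAT tooling): it correlates Sysmon-style events and reports .NET-hosted processes that run from user-writable paths and open network connections. Reading "unusual locations" as user-writable paths is an assumption, as are the path list, the constructed sample events and the `find_suspects` helper.

```python
import re
from collections import defaultdict

# Paths a standard user can write to (assumed policy; tune per environment).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Users\\Public)\\", re.I)
# Runtime DLLs whose load marks a process as .NET-hosted.
CLR_DLLS = {"clr.dll", "coreclr.dll", "mscoree.dll"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

CLR = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
A = r"C:\Users\bob\AppData\Roaming\updater.exe"
B = r"C:\Program Files\Vendor\app.exe"
C = r"C:\Users\bob\Downloads\tool.exe"
D = r"C:\Windows\Temp\native.exe"
# Constructed Sysmon-style events: 3 = network connect, 7 = image load,
# 13 = registry value set. "guid" stands in for ProcessGuid.
SAMPLE_EVENTS = [
    {"id": 7, "guid": "A", "Image": A, "ImageLoaded": CLR},
    {"id": 3, "guid": "A", "Image": A, "DestinationIp": "203.0.113.10"},
    {"id": 13, "guid": "A", "Image": A, "TargetObject":
     r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 7, "guid": "B", "Image": B, "ImageLoaded": CLR},   # managed, but installed path
    {"id": 3, "guid": "B", "Image": B, "DestinationIp": "198.51.100.7"},
    {"id": 7, "guid": "C", "Image": C, "ImageLoaded": CLR},   # managed, no persistence seen
    {"id": 3, "guid": "C", "Image": C, "DestinationIp": "203.0.113.20"},
    {"id": 3, "guid": "D", "Image": D, "DestinationIp": "203.0.113.30"},  # no CLR load
]

def find_suspects(events):
    """Map image path -> wrote_run_key for .NET processes that run from a
    user-writable path and made at least one network connection."""
    procs = defaultdict(lambda: {"image": None, "clr": False, "net": False, "run": False})
    for ev in events:
        p = procs[ev["guid"]]
        p["image"] = ev["Image"]
        if ev["id"] == 7:
            dll = ev["ImageLoaded"].rsplit("\\", 1)[-1].lower()
            p["clr"] = p["clr"] or dll in CLR_DLLS
        elif ev["id"] == 3:
            p["net"] = True
        elif ev["id"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            p["run"] = True
    return {p["image"]: p["run"] for p in procs.values()
            if p["clr"] and p["net"] and USER_WRITABLE.search(p["image"])}

if __name__ == "__main__":
    for image, persists in find_suspects(SAMPLE_EVENTS).items():
        print(("HIGH" if persists else "REVIEW"), image)
```

A hit with a Run-key write is the stronger signal; a hit without one still warrants review, since legitimate per-user .NET applications also install under AppData.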
Protect Against Remote Access Trojans
Mjolnir Security provides comprehensive detection and response capabilities against Quasar RAT and similar RAT threats.
- RAT Detection & Removal: Identify and remediate Quasar RAT infections including persistence mechanisms and lateral movement artifacts.
- Threat Intelligence: Continuous monitoring for Quasar RAT campaigns and infrastructure targeting your organization.
- 24/7 Incident Response: Rapid containment and forensic investigation. Call +1 833 403 5875.