Quasar RAT operators join threat actors that use DLL Sideloading

February 21, 2024
Quasar RAT DLL Sideloading Windows Threat Campaign Malware

Like other threat actors before them, the Quasar RAT operators have adopted the DLL sideloading technique to evade security detections and breach Windows systems.

DLL sideloading has become widely used among cybercriminals in the past few weeks. What sets the new Quasar RAT campaign apart is its abuse of two Microsoft binaries (ctfmon.exe and calc.exe) to execute its malicious payloads discreetly.

The malicious operation begins with an ISO image file that stores three components: the first is a legitimate binary, ‘ctfmon.exe’, which has been renamed ‘eBill-997358806.exe’ to disguise it; the second is a MsCtfMonitor.dll file named ‘monitor.ini’; and the third is a malicious version of MsCtfMonitor.dll hidden within ‘ctfmon.exe’.

The infection process starts once the malicious DLL hidden within ‘ctfmon.exe’ is triggered, which loads the Quasar RAT payload into the targeted computer’s memory.

Once the Quasar RAT payload has established itself in the computer’s memory, it employs a process hollowing technique, which makes detection significantly more challenging and further obscures its malicious intent.
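The layout described above (a signed Microsoft binary renamed on disk, an untrusted DLL bearing the name of one the host loads from its own directory, and a PE image hiding behind a non-executable extension) is something a defender can look for in dropped ISO contents or a staging directory. The following is an added detection example written for this article; it is not code from the article, from the campaign, or from any security product. It assumes that a separate collection step has already extracted per-file metadata (the PE version resource's OriginalFilename, the Authenticode signer, and whether the file starts with an MZ header) into `FileRecord` objects, and the `SIDELOAD_HOSTS` allow-list, the `find_sideload_candidates` function, and the sample records are all constructed for illustration. Only the ctfmon.exe / MsCtfMonitor.dll pairing comes from the article.

```python
"""Heuristic triage for the DLL-sideloading layout described in the article.

Added example (not the article's or any vendor's code). Metadata collection is
assumed to happen elsewhere; this script only reasons over the records.
"""
from __future__ import annotations

import posixpath
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    path: str           # on-disk path (forward slashes for portability)
    original_name: str  # OriginalFilename from the PE version resource, "" if absent
    signer: str         # Authenticode signer subject, "" if unsigned
    is_pe: bool         # True if the file begins with an "MZ" header


# Hypothetical allow-list of signed host executables and the DLL names they
# resolve from their own directory first. The ctfmon.exe / MsCtfMonitor.dll
# pair is the one described in the article; extend it with others you track.
SIDELOAD_HOSTS = {"ctfmon.exe": {"msctfmonitor.dll"}}
TRUSTED_SIGNER = "microsoft windows"
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".cpl", ".scr"}


def _is_trusted(rec: FileRecord) -> bool:
    return rec.signer.lower() == TRUSTED_SIGNER


def find_sideload_candidates(records: list[FileRecord]) -> list[tuple[str, str]]:
    """Return (path, reason) pairs for files that match the sideloading layout."""
    by_dir: dict[str, list[FileRecord]] = defaultdict(list)
    for rec in records:
        by_dir[posixpath.dirname(rec.path)].append(rec)

    findings: list[tuple[str, str]] = []
    for files in by_dir.values():
        by_name = {posixpath.basename(f.path).lower(): f for f in files}
        # Only directories that contain a known, genuinely signed host are interesting.
        hosts = [f for f in files
                 if f.original_name.lower() in SIDELOAD_HOSTS and _is_trusted(f)]
        if not hosts:
            continue
        for host in hosts:
            orig = host.original_name.lower()
            # Indicator 1: the signed binary was renamed (e.g. ctfmon.exe -> eBill-*.exe).
            if posixpath.basename(host.path).lower() != orig:
                findings.append((host.path, f"signed {host.original_name} renamed on disk"))
            # Indicator 2: a DLL the host loads from its own directory is not trusted.
            for dll in SIDELOAD_HOSTS[orig]:
                dep = by_name.get(dll)
                if dep is not None and not _is_trusted(dep):
                    findings.append((dep.path, f"untrusted {dll} beside signed {host.original_name}"))
        # Indicator 3: a PE image hiding behind a non-executable extension (e.g. .ini).
        for f in files:
            ext = posixpath.splitext(f.path)[1].lower()
            if f.is_pe and ext not in PE_EXTENSIONS:
                findings.append((f.path, "PE image with non-executable extension"))
    return findings


# Constructed sample: the ISO contents as described in the article, plus a
# legitimate System32 pairing that must not trigger.
SAMPLE = [
    FileRecord("iso/eBill-997358806.exe", "ctfmon.exe", "Microsoft Windows", True),
    FileRecord("iso/MsCtfMonitor.dll", "", "", True),
    FileRecord("iso/monitor.ini", "", "", True),
    FileRecord("C:/Windows/System32/ctfmon.exe", "ctfmon.exe", "Microsoft Windows", True),
    FileRecord("C:/Windows/System32/MsCtfMonitor.dll", "MsCtfMonitor.dll", "Microsoft Windows", True),
]

if __name__ == "__main__":
    for path, reason in find_sideload_candidates(SAMPLE):
        print(f"{path}: {reason}")
```

Run against the constructed sample, the three ISO files are flagged (renamed signed host, untrusted DLL beside it, and a PE image named `.ini`) while the legitimate System32 pairing produces nothing, because both files there carry the trusted signer. The signer check is what keeps the heuristic quiet on real systems; treat a match as a triage lead rather than a verdict, and confirm the DLL's hash and the signature chain before acting.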

The Quasar RAT campaign is one of the latest threat campaigns that adopt the DLL sideloading strategy.

According to investigations, Quasar RAT is not the only threat that has adopted the resurgent DLL sideloading technique. The recently identified threat group Grayling has leveraged this tactic via SbieDll_Hook to load various payloads, including Cobalt Strike, NetSpy, and the Havoc framework, onto victims’ systems.

In another incident, a lesser-known Chinese threat actor, ToddyCat, employed DLL sideloading to deliver malicious payloads against government and telecom firms in various Asian countries.

The sudden increase in the use of DLL sideloading as a stealthy malware delivery technique means that security providers and organisations should heighten their vigilance. Organisations should also treat suspicious links, emails, and attachments with extreme caution, as these are common vectors for malware delivered using this approach.

Organisations must invest in advanced endpoint security solutions that can identify and mitigate suspicious activity within their environment, thereby fortifying their defences against evolving cyber threats.

Experts emphasise the importance of constant vigilance to preserve the integrity of digital ecosystems, protect sensitive data, and counter the current threat posed by DLL sideloading campaigns.
