QuasarRAT Malware Targets Government Institutions

Palo Alto Networks experts discovered that a hacker collective known as the Gaza Cybergang use the QuasarRAT against government institutions.

Gaza Cybergang Collective Uses QuasarRAT Malware In Dangerous Attacks

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Experts from Palo Alto Networks discovered a dangerous attack campaign that is currently ongoing against various government entities and institutions. The weapon of choice is the QuasarRAT malware which is an advanced open-source software. It is believe that the attack wave originates from the Gaza Cybergang, a well-known hacker collective that is also known under the aliases Gaza Hackers Team and Molerats. The group has been active since at least 2012 and it is believed that the hackers are run by the Palestinian group Hamas. Most of the targets are organizations in the Middle East, but victims have also been institutions located in Europe and the USA.

The security experts from Palo Alto Networks recently spotted a new campaign which has been dubbed as DustySky. It uses two separate pieces – the Downeks payload dropper and the QuasarRat malware which is a powerful remote access tool. The attack uses a modified version of the original malware code. The core program has the following features:

  • TCP network stream (IPv4 & IPv6 support)

  • Fast network serialization (NetSerializer)

  • Compressed (QuickLZ) & Encrypted (AES-128) communication

  • Multi-Threaded

  • UPnP Support

  • No-Ip.com Support

  • Visit Website (hidden & visible)

  • Show Messagebox

  • Task Manager

  • File Manager

  • Startup Manager

  • Remote Desktop

  • Remote Webcam

  • Remote Shell

  • Download & Execute

  • Upload & Execute

  • System Information

  • Computer Commands (Restart, Shutdown, Standby)

  • Keylogger (Unicode Support)

  • Reverse Proxy (SOCKS5)

  • Password Recovery (Common Browsers and FTP Clients)

  • Registry Editor

Upon infection the modified QuasarRAT malware is able to introduce several damaging actions to the infected hosts:

  1. QuasarRAT is able to retrieve files from the remote computer. This can be used to steal sensitive documents and since the attacks mainly target government institutions, we assume that the hacker collective are looking for secret documents or other types of sensitive data.

  2. The malware allows for full control of the infected system. It is able to kill or start system or application processes, capture passwords, log keystrokes and display message boxes. A remote desktop connection can be opened if the remote attackers want to obtain a direct connection to the hosts.

  3. The QuasarRAT malware makes it possible to open web sites. This option can be used in more complicated scenarios to imitate system action.

The Downeks component which is used as a payload downloader can capture screenshots. In addition it can scan the infected computer for the presence of any installed security solutions which might prevent the execution of the malware.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Was this content helpful?

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *