
Eye of Omniscience – Quasar RAT

The content of the article

  • Installation and configuration
  • Configuring the server
  • Setting up the client
  • Testing “Quasar”
  • Remote administration
  • Monitoring and working with a remote host
  • Conclusion

Each of us had a favorite subject at school. Some liked physics, some biology, and some were fondest of physical education, because of the chance to peek into the girls’ changing room. Today, anyone who likes to spy on something has far more scope, thanks to software that can get you access to all kinds of information. One such program, Quasar RAT, recently fell into my tenacious paws.

What is a RAT? The abbreviation stands for Remote Administration Tool (in the wild, the same class of software is called a Remote Access Trojan). This particular one is written for Windows, and it is free and open source, which definitely counts in its favor compared with similar software. You can download Quasar RAT from the project page on GitHub.

The program is written in C# and is positioned by its developers as “an easy and convenient tool for remote administration, technical support and employee monitoring.” Quasar RAT has the client-server architecture traditional for remote administration tools and, despite its compactness, a rather rich arsenal of features, including:

  • remote desktop connection;
  • remote shell and launch of executable files on command;
  • remote registry editing;
  • launching the file manager, task manager and boot manager;
  • remote execution of shutdown and reboot commands;
  • keylogging (with Unicode support);
  • interception of passwords in browsers, FTP-clients and other programs;
  • Reverse Proxy (SOCKS5).

Despite Quasar RAT being freely available and fairly popular (judging by the number of forks and the activity of the community), the software is, I would say, modestly documented. On the other hand, it is quite easy to use, and even an inexperienced user can figure it out. It so happened that I suddenly needed a utility for remote control of one of the computers on my LAN. On the advice of colleagues, I chose Quasar RAT. And since I had to deal with this program anyway, it would be a sin not to share my impressions of it with you. Let’s go!

INSTALLATION AND SETUP

The program is delivered as an archive containing all the files it needs. Before unpacking it, disable your antivirus, otherwise it will happily remove the executable and the .bat file from the Quasar distribution. You also need .NET Framework 4.5.2 or later installed on the system.

To avoid confusion, let’s define the terms straight away: in Quasar terminology the server is the machine you sit at, which receives data from the monitored computers, and the client is the PC being monitored. The client is identified by a tag that you specify in the build settings; it can be anything. Once installed on the remote machine, the client works autonomously, trying to connect to the server at a fixed interval, either by IP address (IPv4 and IPv6 are supported) or by DNS name. The general sequence of actions is as follows: start the server, set the necessary settings, build the client application and get it onto the remote machine. Simple.

Configuring the server

When you launch Quasar.exe for the first time, you will be prompted to create a certificate that will be used to establish a secure connection between server and client. If Quasar has already been used on this computer, you can import the existing certificate; otherwise the program creates the file quasar.p12, which you should immediately put away somewhere safe. Every client you build is tied to this certificate, so if you have to reinstall Quasar without it, you will not be able to connect to machines running the client, which means losing all of them. The flip side is that the .p12 also holds the private key, so anyone who obtains it can impersonate your server to the clients built against it; guard it accordingly.

The first time you start Quasar, you are prompted to create or import a certificate

Click Create and then Save. Now run Quasar.exe and click Settings at the top of the window. By default Quasar listens on TCP port 4782, but you can choose any other free port by entering it in the Port to listen on field. You will then need to open that port in the firewall with a corresponding rule.

Setting up Quasar Server

All other parameters of the server settings have the following meanings:

  • Enable IPv6 Support – enable support for the IPv6 protocol, if it is used in your network;
  • Listen for new connections on startup – automatically start listening for incoming client connections when the server starts;
  • Show popup notification on new connection – display a popup notification each time a new client connects;
  • Try to automatically forward the port (UPnP) – try to forward the listening port automatically through a UPnP-capable router;
  • Show tooltip on client with system information – show a tooltip with the client’s system information when you hover over it in the server’s connection list.

A separate word about the Enable No-IP.com DNS updater option. If your Internet connection has a dynamic IP address, clients connecting from the Internet will inevitably lose you when it changes, since the server address is baked into the client. You can solve this with the No-IP DDNS service, which lets you register a hostname and keep it pointed at your machine; build the client with that hostname rather than an IP address. In my case the client was on my own local network, and I gave the server a static IP address by disabling automatic address assignment via DHCP in the connection settings. If your clients are on the Internet and you have no static external address, register at noip.com and enter your account details in the server settings window.

Setting up the client

To create a client application, click on the Builder label at the top of the program window. The builder window contains five tabs, which we will now quickly go over.

Basic Settings

On the Basic Settings tab you need to specify the Client Tag, a sort of ID by which the client machine will be identified. Give it a meaningful name so that you do not confuse connections when there are several clients. The Mutex field shows the mutex name that prevents several instances of the client from running on one computer; you can leave it as it is. For greater stealth, tick the Enable unattended mode checkbox: it lets you control the client machine without attracting the user’s attention, since no window announcing the connection to the server is shown and no Quasar icon appears in the tray.

On the Connection Settings tab, specify the IP address or network-visible name of the machine where the server is deployed, the port to connect to, and the interval in milliseconds at which the client will try to establish or resume the connection. All of this is hardcoded into the client program and cannot be edited afterwards; the only way to change it is to push a freshly built client with the Update command, so be careful.
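That fixed reconnect interval is also the client’s most visible network signature. As an added example (not code from this article or from the Quasar project), here is a Python script that looks for the pattern in connection logs: it groups connections by source, destination and port and flags flows whose inter-connection gaps are nearly constant. The log lines are constructed for the example; destination port 4782 is Quasar’s default, but since the builder can use any port, the check keys on the regularity of the gaps rather than the port number. The jitter threshold and minimum hit count are assumptions to tune against your own logs.

```python
"""Flag fixed-interval reconnects to one host:port in connection logs.

Added example, not Quasar code: a client that retries a hardcoded
host:port at a fixed reconnect delay produces near-constant spacing
between connection attempts, which human-driven traffic does not.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in a firewall-style "timestamp src dst dport" format.
# 10.0.0.7 reaches 203.0.113.5:4782 every 3 s (a 3000 ms reconnect delay);
# 10.0.0.9 browses a web site at irregular spacing.
SAMPLE_LOG = """\
2024-05-01T12:00:00 10.0.0.7 203.0.113.5 4782
2024-05-01T12:00:03 10.0.0.7 203.0.113.5 4782
2024-05-01T12:00:06 10.0.0.7 203.0.113.5 4782
2024-05-01T12:00:09 10.0.0.7 203.0.113.5 4782
2024-05-01T12:00:12 10.0.0.7 203.0.113.5 4782
2024-05-01T12:00:01 10.0.0.9 198.51.100.20 443
2024-05-01T12:00:17 10.0.0.9 198.51.100.20 443
2024-05-01T12:00:18 10.0.0.9 198.51.100.20 443
2024-05-01T12:00:45 10.0.0.9 198.51.100.20 443
2024-05-01T12:01:30 10.0.0.9 198.51.100.20 443
"""


def parse_log(text):
    """Yield (datetime, src, dst, dport) tuples from the sample format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {(src, dst, dport): mean_gap_seconds} for flows whose
    inter-connection gaps are nearly constant.

    jitter = stdev / mean of the gaps. A reconnect loop with a fixed
    delay gives a value near 0; interactive traffic is far noisier.
    """
    flows = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        flows[(src, dst, dport)].append(ts)

    beacons = {}
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # log lines need not arrive in time order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{dport} every {interval}s")
```

Benign software polls at fixed intervals too (update checkers, NTP, monitoring agents), so treat a hit as a lead to pair with the host-side artifacts described in this section, not as a verdict.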

Connection Settings Tab

The Installation Settings tab controls where and how the client is installed. The Quasar client can be installed in one of three folders: AppData\Roaming of the current user, Program Files, or the System folder; the latter two require local administrator privileges on the user’s account. Tick the Install client checkbox and select the appropriate option.

Configuring client installation and startup options

Next choose the folder name for the installation (Install subdirectory) and the name of the program file itself (Install name). The Set file attributes to hidden and Set subdir attributes to hidden checkboxes assign the “hidden” attribute to the client file and its subdirectory after installation. To avoid inventing your own way of starting the program automatically on the client, tick Run Client when the computer starts and enter the client’s display name in the Startup Name field; this is the name of the autorun entry on the remote PC, whereas the process list shows the Install name.

The Assembly Settings tab lets you customize the client’s assembly metadata: product name and company, copyright, version number, and a custom icon. All of this, as you know, is shown in the file’s properties if someone curious looks there, so the client can be disguised as any other executable: a codec, a Windows update, or the banal Adobe Flash Player.

Setting up keylogger

If you also want the client to act as a keylogger, go to the Monitoring Settings tab, tick Enable keyboard logging, enter the name of the folder where the keylogger log will be stored, and hide it by ticking Set directory attributes to hidden.

You can now click the Build button and enter a name for the client file. It remains only to install it on a remote machine: my client executable file turned out to be very compact – only 502 KB.

TESTING “QUASAR”

First I tried to install the client on a test machine with Kaspersky Anti-Virus running. Of course, the trick did not work: it caught the tool right on the USB flash drive and would not let it be copied to the computer or run. Unfortunately, adding the program to the exclusions did not help either: Kaspersky blocked the client from starting even with active protection disabled, and then removed it, happily reporting that it had found an insidious and dangerous Trojan (it evidently catches it heuristically).

You can, of course, wrap the executable in some kind of protector, but I was too lazy to bother, so the only option left was to remove the antivirus from the client machine entirely, which is not hard when you have physical access to it. Notably, when the client installer is launched, nothing visible happens at all: no windows or warnings appear on the screen, yet the client is copied to the folder specified at build time.

After rebooting the remote machine, start Quasar.exe on the server, click Settings at the top of the window and click Start Listening. A window will appear asking you to add the port selected in the settings to the firewall rules. Agree, and the target machine appears in the list of remote hosts. The remote computer disappears from the list if the user turns it off or disconnects from the network, and automatically reappears once the connection is restored.

Incoming connection succeeded

All operations on a remote machine are performed by right-clicking on its identifier in the Quasar Server window.

Remote administration

All the main remote administration functions are gathered in the Administration context menu. Here you will find the following options for interacting with the client machine:

  • System Information – displays detailed information about the hardware and software configuration of the remote computer;
  • File Manager – a convenient windowed file manager similar to Windows Explorer: navigate the remote computer’s drives, download and upload files, launch executables, rename and delete files, and add them to startup;
  • Startup Manager – a startup management utility: shows the current autorun entries and the registry branches responsible for them. To add a new entry, right-click in the manager window and choose Add Entry;
  • Task Manager – opens a window with the list of processes running on the remote machine. Lets you kill any running process or start a new one;
  • Remote Shell – remote command execution in a cmd.exe shell;
  • TCP Connections – shows the list of TCP connections open on the remote host. From the context menu you can refresh the list or close a connection;
  • Reverse Proxy – opens a SOCKS5 proxy on the server side whose connections are relayed through the client machine, so your traffic appears to originate from the client’s network;
  • Registry Editor – opens the remote registry editor window;
  • Remote Execute – runs a local file, or a file downloaded from a URL you enter in the dialog, on the client PC;
  • Actions – commands to shut down, reboot or hibernate the remote machine.

Quasar file manager is very similar to regular Windows explorer
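The reverse proxy speaks plain SOCKS5 (RFC 1928), so anything that talks SOCKS5 can use it, and the handshake is easy to recognize on the wire. The following Python codec is an added example, not part of the article or of Quasar’s own code: it builds the client greeting and CONNECT request, decodes a captured CONNECT request back into host and port, and interprets the server’s reply. It assumes the proxy accepts the “no authentication” method; connect_via() needs a live proxy listener and is not exercised by the offline sample.

```python
"""Minimal SOCKS5 (RFC 1928) client handshake and CONNECT codec.

Added example, not Quasar's implementation: just enough of the protocol
to talk to a SOCKS5 listener (such as the one a reverse proxy exposes)
or to decode a CONNECT request captured on the wire. Only the
'no authentication' method (0x00) is offered.
"""
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
    3: "network unreachable", 4: "host unreachable",
    5: "connection refused", 6: "TTL expired",
    7: "command not supported", 8: "address type not supported",
}


def build_greeting():
    """Client hello: version 5, one method offered, method 0 (no auth)."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def build_connect(host, port):
    """CONNECT request. IPv4 literals use ATYP 1; anything else is sent
    as a domain name (ATYP 3) so the proxy resolves it on its side."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        raw = host.encode("idna")
        if len(raw) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def parse_request(data):
    """Decode a CONNECT request as seen on the wire; returns (host, port)."""
    if len(data) < 4 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        host, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        host, rest = socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    else:
        raise ValueError("unknown address type %d" % atyp)
    if len(rest) != 2:
        raise ValueError("truncated or trailing bytes in request")
    return host, struct.unpack("!H", rest)[0]


def parse_reply(data):
    """Return the meaning of the server's reply code; 'succeeded' means
    the tunnel is up and the socket now carries the relayed stream."""
    if len(data) < 2 or data[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    return REPLY_TEXT.get(data[1], "unassigned 0x%02x" % data[1])


def connect_via(proxy_host, proxy_port, host, port, timeout=5):
    """Open a tunnel to host:port through a SOCKS5 proxy; returns the socket.
    Needs a live proxy (assumed, not provided here)."""
    s = socket.create_connection((proxy_host, proxy_port), timeout)
    s.sendall(build_greeting())
    if s.recv(2) != bytes([SOCKS_VERSION, 0x00]):
        s.close()
        raise ConnectionError("proxy did not accept 'no authentication'")
    s.sendall(build_connect(host, port))
    verdict = parse_reply(s.recv(262))  # longest reply: 4 + 1 + 255 + 2 bytes
    if verdict != "succeeded":
        s.close()
        raise ConnectionError(verdict)
    return s
```

On the defensive side, parse_request() is the piece to run over the first bytes of a suspicious TCP stream: a payload beginning 05 01 00 followed by a valid CONNECT request is a SOCKS5 tunnel being set up, whatever port it rides on.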

Monitoring and working with a remote host

One of the most interesting features of Quasar RAT is remote desktop viewing, available from Monitoring → Remote Desktop or User Support → Remote Desktop. At the top of the remote desktop window there is a slider that sets the picture quality (the higher it is, the more traffic it generates) and two buttons that enable or disable forwarding of your mouse and keyboard input to the client machine. Click Start to connect to the remote desktop and Stop to end the session.

Monitoring → Password Recovery extracts the passwords saved in the user’s browsers and other supported programs. The results are shown in a table with the site address and the saved password; you can copy them to a separate file or to the clipboard, or delete them on the remote computer.

The Monitoring → Keylogger section stores the logs of Quasar’s keylogger. The tool saves them as HTML files, each containing the application in which the input was made and a record of the keys pressed. The list of available logs is refreshed with the Get Logs button in the upper left corner of the window.

Quasar RAT keylogger

The User Support context menu, besides another Remote Desktop entry, contains Show Messagebox, which displays a dialog with arbitrary text to the user, and Visit Website, which opens the URL you enter in the default browser on the remote machine. If you tick the Visit hidden checkbox, the user sees nothing: the URL is requested in the background without a browser window being opened.

Before sending the dialog box to the final recipient, you can test it on your machine

Finally, the Client management context menu opens the following options for the remote administrator:

  • Elevate Client Permissions – Quasar will try to elevate the client’s privileges on the remote machine; this triggers a UAC prompt asking the user to confirm running a script from the command line, so be careful;
  • Update – updates the client: select a client file on the local machine or specify the URL it can be downloaded from, select a client in the list and click Execute Remotely;
  • Reconnect – re-establishes the connection with the remote machine;
  • Disconnect – drops the connection (the client will reconnect on its next attempt);
  • Uninstall – removes the client from the remote machine.

CONCLUSION

“Quasar” is a very powerful and multifunctional tool for remote control, tracking user actions and collecting whatever information interests the administrator on a remote machine. The client executable is only a few hundred kilobytes, so it can be delivered to the target system in many ways. As practice has shown, the application works quickly and stably.

The client lives in the user’s Windows quietly and unnoticed, consuming practically no resources. The tool’s one serious drawback is that the client is flagged by antiviruses (at least by Kaspersky Lab’s product), which means either disabling protection or playing around with packers and protectors. And those do not guarantee “invisibility” to heuristic analyzers that track suspicious applications by their behavior; and the behavior of Quasar RAT, it must be said, is very suspicious!

In other words, Quasar is a good alternative to remote administration utilities like TeamViewer, especially if you need to use it without raising unnecessary questions from the user. How exactly the tool is used remains on the user’s conscience. The main thing is not to forget about the liability our legislation provides for distributing malicious programs and for unauthorized access to other people’s computers.

Written by Admin
