Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys

property: value
tags: attack-vector-discovery, attacker-infrastructure, shodan, threat-hunting, threat-intel
url:
original_word_count: 1027

Article Excerpt

Extraction of Quasar C2 configuration via Dnspy, and using this information to pivot to additional servers utilising Shodan and Censys. This analysis will cover the extraction of Quasar configuration via Dnspy.

Long Summary

This article covers the process of identifying 64 Quasar servers using Shodan and Censys. It begins with obtaining a malware sample from Malware Bazaar and unpacking it using a password. The malware is then executed in a virtual machine and the .NET assemblies are dumped using Dnspy. This allows the configuration to be extracted, which includes the C2 of 217.196[.]96.37:5678 and an x509 Certificate used for SSL/TLS communications.

Using the issuer information of Quasar Server CA, a query was built for Shodan.io which revealed 15 servers running with the subject common name of Quasar Server CA. These servers were geographically dispersed and primarily across China, Hong Kong and Germany. The ports used also vary, and include 1337. One of the servers running port 1337 had 0/86 detections on VirusTotal, while the other had only 1/87.

The full list of servers was exported and checked against VirusTotal. There were 9 servers with 0 detections as of 2023-05-15. Additionally, Censys was used to identify another 46 servers. Together with the Shodan results, this produced the list of 64 Quasar servers, each as an IP address and port, for further investigation.

Overall, this article demonstrates how malware analysis can be used to pivot to additional C2 infrastructure. It also highlights the importance of analysing x509 certificates, as they can contain valuable information (here, the issuer and subject common name of Quasar Server CA) that can be used to identify additional servers. By using Shodan and Censys, the article was able to identify 64 Quasar servers, providing a list of C2 IP addresses and ports that can be used for further investigation and analysis.

Short Summary

📓 Quasar Rat Analysis - Identification of 64 Quasar Servers Using Shodan and Censys

👉🏽 Extraction of Quasar C2 configuration via Dnspy, and using this information to pivot to additional servers utilising Shodan and Censys. This analysis will cover the extraction of Quasar configuration via Dnspy.

The article covers the process of identifying 64 Quasar servers using various techniques.

Obtaining a malware sample from Malware Bazaar and unpacking it using a password.

Executing the malware sample in a virtual machine and dumping the .NET assemblies.

Extracting the configuration, including the C2, using Dnspy.

Building a query for Shodan.io using the issuer information of Quasar Server CA.

Identifying 15 servers running with the subject common name of Quasar Server CA.

Using Censys to identify another 46 servers.

Exporting and checking the full list of servers against VirusTotal.

Demonstrating how malware analysis can be used to pivot to additional C2 infrastructure.

Providing a list of the identified C2 IP addresses and ports for further investigation and analysis.

#QuasarServers #MalwareAnalysis #Shodan #Censys #X509Certificates