Quasar RAT, an open-source remote access trojan, has been spotted using DLL side-loading to fly under the radar and surreptitiously suck data from compromised Windows computers. “This technique capitalizes on the inherent trust these files command within the Windows environment,” Uptycs researchers Tejaswini Sandapolla and Karthickkumar Kathiresan said in a study published last week, describing the malware’s use of ctfmon.exe and calc.exe as part of the assault chain.
Quasar RAT, also known as CinaRAT or Yggdrasil, is a C#-based remote administration tool that can collect system information, a list of running apps, files, keys trokes, screenshots, and execute arbitrary shell commands. Many threat actors use DLL side-loading to execute their own payloads by inserting a faked DLL.