{
	"id": "7716bec4-92cb-4b85-bc29-3e7e7650fe31",
	"created_at": "2026-04-06T00:08:30.072526Z",
	"updated_at": "2026-04-10T03:38:03.372583Z",
	"deleted_at": null,
	"sha1_hash": "a4647ed4280e38c131c19afd52fdac7ce1ecf445",
	"title": "Downeks and Quasar RAT Used in Recent Targeted Attacks Against Governments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1025076,
	"plain_text": "Downeks and Quasar RAT Used in Recent Targeted Attacks\r\nAgainst Governments\r\nBy Mashav Sapir, Tomer Bar, Netanel Rimer, Taras Malivanchuk, Yaron Samuel, Simon Conant\r\nPublished: 2017-01-30 · Archived: 2026-04-05 20:22:15 UTC\r\nPalo Alto Networks Traps Advanced Endpoint Protection recently prevented recent attacks that we believe are part\r\nof a campaign linked to DustySky. DustySky is a campaign which others have attributed to the Gaza Cybergang\r\ngroup, a group that targets government interests in the region.\r\nThis report shares our researchers’ analysis of the attack and Remote Access Tool (RAT). We also discovered\r\nduring our research that the RAT Server used by this attacker is itself vulnerable to remote attack, a double-edged\r\nsword for these attackers.\r\nAttack\r\nThe initial infection vector in this attack is not clear, but it results in installing the “Downeks” downloader, which\r\nin turn infects the victim computer with the “Quasar” RAT.\r\nDowneks uses third party websites to determine the external IP of the victim machine, possibly to determine\r\nvictim location with GeoIP. It also drops decoy documents in an attempt to camouflage the attack.\r\nQuasar is a .NET Framework-based open-source RAT. The attackers invested significant effort in attempting to\r\nhide the tool by changing the source code of the RAT and the RAT server, and by using an obfuscator and packer.\r\nDetection\r\nUnit 42 researchers observed the Quasar RAT being prevented from executing on a Traps-protected client in\r\nSeptember 2016. 
We observed these Quasar samples:\r\nFile Name: f-secure.exe\r\nSHA256: 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f\r\nNote: connects to hnoor.newphoneapp[.]com\r\nFile Name: HD_Audio.exe\r\nSHA256: 0c4aa50c95c990d5c5c55345626155b87625986881a2c066ce032af6871c426a\r\nNote: connects to manual.newphoneapp[.]com\r\nFile Name: HD_Audio.exe\r\nSHA256: 86bd78b4c8c94c046d927fb29ae0b944bf2a8513a378b51b3977b77e59a52806\r\nNote: crashes upon execution\r\nhttp://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments\r\nPage 1 of 27\n\nFile Name: sim.exe\r\nSHA256: 723108103ccb4c166ad9cdff350de6a898489f1dac7eeab23c52cd48b9256a42\r\nNote: connects to hnoor.newphoneapp[.]com\r\nFurther research found other Quasar examples, including an attack earlier in the same month (September 2016)\r\non the same target:\r\nSHA256: 1ac624aaf6bbc2e3b966182888411f92797bd30b6fcce9f8a97648e64f13506f\r\nWe found the same Quasar code in an additional attack on the same day, but upon a different target. A second\r\nQuasar sample was also observed attacking this new victim:\r\nSHA256: 99a7cb43fb2898810956b6137d803c8f97651e23f9f13e91887f188749bd5e8f\r\nWe do not have detailed visibility into the specific host attacked, and have not been able to reproduce the second\r\nstage of the attack in our lab. However, based upon the timeframe of subsequent telemetry we observe, we\r\nunderstand the attack chain as follows:\r\n1. The initial dropper (which varies across attacks) is delivered to the victim via email or web:\r\nFile Name: Joint Ministerial Council between the GCC and the EU Council.exe\r\nSHA256: 0d235478ae9cc87b7b907181ccd151b618d74955716ba2dbc40a74dc1cdfc4aa\r\n2. The initial dropper, upon execution, extracts an embedded Downeks instance:\r\nFile Name: ati.exe\r\nSHA256: f19bc664558177b7269f52edcec74ecdb38ed2ab9e706b68d9cbb3a53c243dec\r\n3. 
Downeks makes a POST request to dw.downloadtesting[.]com, resulting in the installation of the Quasar\r\nRAT on the victim machine.\r\n4. Additional Downeks downloaders connecting to the previously-observed server dw.downloadtesting[.]com\r\nwere also found in this attack:\r\nSHA256: 15abd32342e87455b73f1e2ecf9ab10331600eb4eae54e1dfc25ba2f9d8c2e8a\r\nSHA256: 9a8d73cb7069832b9523c55224ae4153ea529ecc50392fef59da5b5d1db1c740\r\nFurther research identified dozens of Downeks and Quasar samples related to these attackers. All included decoy\r\ndocuments written in Arabic (all related to Middle Eastern politics) or Hebrew. Most of them use the same mutex\r\nstructure, share the same fake icon and unique metadata details, file writes, registry operations, and fake common\r\nprogram metadata, as seen in DustySky samples.\r\nThe Downeks downloader and Quasar C2 infrastructures are each self-contained and independent of each other.\r\nHowever, we did find a single shared IP address demonstrably connecting the Downeks downloader and Quasar\r\nC2 infrastructures. The below chart (Figure 1) shows Quasar infrastructure (top), Downeks (bottom), and the\r\nshared IP link.\r\nFigure 1- Quasar and Downeks\r\nCharting the samples and infrastructure clearly shows the separate Downeks campaigns, and infrastructure links\r\n(Figure 2):\r\nFigure 2- Infrastructure Patterns and Connections\r\nIn Figure 2, top-right (green) has the Quasar infrastructure (Figure 3), with a link to the Downeks infrastructure.\r\nLeft (yellow) is DustySky infrastructure (Figure 4) and the links to this Downeks campaign. 
As well as similarities\r\nin the code, decoys and targets, we also identified C2 infrastructure links between DustySky and this campaign.\r\nThe remainder is sub-campaigns of Downeks samples, their infrastructure, their links – and a favored ISP (center)\r\n(Figure 5).\r\nThe timing of the attacks is commensurate with the Middle-Eastern working week (Figure 6):\r\nFigure 6- Attacks by day-of-the-week\r\nThe sample build days-of-the-week follow an almost identical pattern (Figure 7):\r\nFigure 7- Builds by day-of-the-week\r\nWe saw five samples built on the same date in December 2015, and six on the same date in January, further\r\nsolidifying the link between each sample.\r\nQuasar\r\nWe analyzed a Quasar sample we found that was communicating with an active C2 server at the time of analysis:\r\nSHA256: 4393ff391396cdfd229517dd98aa7faecad04da479fe8ca322f035ceee363273\r\nQuasar is a publicly-available commodity RAT, an evolution of the earlier xRAT by the same German developer,\r\n“MaxXor”. This sample is a modified version of Quasar, most likely forked from open source version 1.2.0.0 on\r\nGitHub. The client was likely built using the client builder in the Quasar server. 
We observed the following\r\ncustomizations:\r\nC2 server:\r\napp.progsupdate[.]com (which resolved to 185.141.25[.]68), over port 4664.\r\nQuasar mutex name:\r\nVMFvdCsC7RFqerZinfV0sxJFo\r\nKeylogger log location:\r\nUsers\\hJTQwqwwSCkZU\\AppData\\Roaming\\GoogleDesktop\\\u003cdate\u003e\r\nThe malware uses fake version information to appear as a Microsoft update program, as well as Google Desktop\r\nonce unpacked.\r\nPacker\r\nThis sample is packed by “Netz”, a simple .NET Framework packer which stores the original executable\r\ncompressed (zlib) as a resource. At runtime, the packer decompresses the resource and uses Reflection to load the\r\nassembly, find its entry point, and invoke it. Extracting the payload is straightforward – we simply dump the\r\nresource and decompress it. After decompilation, the packer looks like this:\r\npublic static int Main(string[] args) {\r\n    try {\r\n        NetzStarter.InitXR();\r\n        AppDomain.CurrentDomain.AssemblyResolve +=\r\n            new ResolveEventHandler(NetzStarter.NetzResolveEventHandler);\r\n        return NetzStarter.StartApp(args);\r\n    } catch (Exception) {\r\n        throw; // handler body not recovered by the decompiler\r\n    }\r\n}\r\nFind the resource and call InvokeApp:\r\npublic static int StartApp(string[] args) {\r\n    byte[] resource = NetzStarter.GetResource(\"A6C24BF5-3690-4982-887E-11E1B159B249\");\r\n    return NetzStarter.InvokeApp(NetzStarter.GetAssembly(resource), args);\r\n}\r\nGet the assembly object by decompressing the resource and loading it with Reflection:\r\nprivate static Assembly GetAssembly(byte[] data) {\r\n    MemoryStream memoryStream = NetzStarter.UnZip(data);\r\n    memoryStream.Seek(0L, SeekOrigin.Begin);\r\n    return Assembly.Load(memoryStream.ToArray());\r\n}\r\nAnd finally, find the entry point 
and invoke it:\r\nprivate static int InvokeApp(Assembly assembly, string[] args) {\r\n    MethodInfo entryPoint = assembly.EntryPoint;\r\n    ParameterInfo[] parameters1 = entryPoint.GetParameters();\r\n    object[] parameters2 = null;\r\n    if (parameters1 != null \u0026\u0026 parameters1.Length \u003e 0)\r\n        parameters2 = new object[1] { (object) args };\r\n    object obj = entryPoint.Invoke(null, parameters2);\r\n    return obj is int ? (int) obj : 0; // the decompiled excerpt ends at the Invoke call\r\n}\r\nExtracting produces:\r\nSHA256: c931de65d9655a772d23e4227a627a1140d8d3c4912ca71c324421b13efa1a02\r\nThis layer uses obfuscation in an attempt to avoid detection/analysis.\r\nObfuscation\r\nWe discovered that the sample was obfuscated using .NET Reactor. It is possible to decompile the deobfuscated\r\nsample and retrieve most of the original source code, but not enough to compile it easily.\r\nAfter deobfuscation we extracted:\r\nSHA256: d773b12894d4a0ffb0df328e7e1aa4a7112455e88945a10471650e503eecdb3d\r\nQuasar Code\r\nAfter decompiling the sample, we were able to document the modifications from the open-source Quasar.\r\nSettings\r\nThe configuration of Quasar is stored in the Settings object. Its values are encrypted with a password that is\r\nitself stored unencrypted in the sample.\r\npublic static class Settings {\r\n    public static string VERSION;\r\n    public static string HOSTS;\r\n    public static int RECONNECTDELAY;\r\n    public static string PASSWORD;          // password for encryption of communication\r\n    public static Environment.SpecialFolder SPECIALFOLDER;\r\n    public static string DIR;\r\n    public static string SUBFOLDER;\r\n    public static string INSTALLNAME;\r\n    public static bool 
INSTALL;\r\n    public static bool STARTUP;\r\n    public static string MUTEX;\r\n    public static string STARTUPKEY;\r\n    public static bool HIDEFILE;\r\n    public static bool ENABLELOGGER;\r\n    public static string ENCRYPTIONKEY;     // Encryption password of the settings\r\n    public static string TAG;\r\n    public static string LOGDIRECTORYNAME;\r\n    public static bool HIDELOGDIRECTORY;\r\n    public static bool ISCHECKIP;\r\n    public static int INSTARTUPFOLDER;\r\n}\r\nModifications:\r\nThe ISCHECKIP and INSTARTUPFOLDER fields are not found in open-source Quasar.\r\nCryptography\r\nThe sample we analyzed uses RijndaelManaged in ECB mode with PKCS7 padding. The key is the SHA256\r\nhash of the hard-coded password. The password of the sample we analyzed is:\r\n“6y7u^Y\u0026U6y7u^Y\u0026U6y7u^Y\u0026U”\r\nAlthough at first glance this appears somewhat complex, it is in fact a rather simple, repeated keyboard sequence.\r\nWe observe similar keyboard patterns in other samples: “567%^\u0026”, “zxc!@#ASD”.\r\npublic static void SetDefaultKey(string key) {\r\n    byte[] bytes = Encoding.UTF8.GetBytes(key);\r\n    AES._defaultKey = SHA256.Create().ComputeHash(bytes);\r\n}\r\nprivate static void EncDec(Stream src, Stream ds, bool encDec, byte[] key) {\r\n    RijndaelManaged rijndaelManaged = new RijndaelManaged();\r\n    rijndaelManaged.Key = key;\r\n    rijndaelManaged.Mode = CipherMode.ECB;\r\n    rijndaelManaged.Padding = PaddingMode.PKCS7;\r\n    rijndaelManaged.BlockSize = AES.BlockSize * 8;\r\n    if (encDec) {\r\n        ICryptoTransform encryptor = 
rijndaelManaged.CreateEncryptor();\r\n        CryptoStream cryptoStream = new CryptoStream(ds, encryptor, CryptoStreamMode.Write);\r\n        long position = src.Position;\r\n        AES.CopyTo(src, (Stream) cryptoStream, 8192);\r\n        cryptoStream.FlushFinalBlock();\r\n    } else {\r\n        ICryptoTransform decryptor = rijndaelManaged.CreateDecryptor();\r\n        AES.CopyTo(new CryptoStream(src, decryptor, CryptoStreamMode.Read), ds, 8192);\r\n    }\r\n}\r\nModifications:\r\nUses SHA256 instead of MD5 to create the key.\r\nUses RijndaelManaged instead of the AES class for encryption, in ECB mode. ECB is considered weak because\r\nidentical plaintext blocks produce identical ciphertext blocks and the mode provides no integrity protection.\r\nSerialization\r\nQuasar contains the NetSerializer library, which handles serialization of the high-level IPacket objects that the\r\nclient and server use to communicate. The serializer assigns a unique ID to each serializable object type. The\r\nopen-source version, and several other samples we found, assign a 1-byte ID dynamically at compile time. The\r\nsample we analyzed changed that behavior and hard-codes a DWORD for each object type. This is a better\r\nimplementation, as it allows servers and clients from different versions to communicate with each other to some\r\nextent.\r\nprivate static void initTypeMap() {\r\n    Exts.dict_0.Add(typeof (object), -737641570);\r\n    Exts.dict_0.Add(typeof (GetPasswordsResponse), -692037318);\r\n    Exts.dict_0.Add(typeof (List\u003cstring\u003e), 1046249082);\r\n    Exts.dict_0.Add(typeof (int), -118636331);\r\n    Exts.dict_0.Add(typeof (string[]), -2103720204);\r\n    Exts.dict_0.Add(typeof (string), 1236129805);\r\n    // remaining type registrations omitted\r\n}\r\nVersion\r\nThe sample we analyzed is most likely forked from open source Quasar 1.2.0.0. 
We find multiple file/object names\r\nhinting at the version, but most compelling:\r\nQuasar version 1.1.0.0 names the encryption module namespace \"Encryption\", while subsequent Quasar\r\nversions use \"Cryptography\" – which we observe in this sample.\r\nQuasar version 1.3.0.0 changed the encryption key generation, and stopped saving the password in the\r\nsample. There are more indications as well, such as names of objects, files etc.\r\nOther samples we analyzed had different combinations of modifications to cryptography and serialization.\r\nThe C2 server\r\nOur decompilation of the serialization library was not complete enough to allow simple recompilation. Instead, we\r\ndownloaded and compiled the 1.2.0.0 server of the open-source Quasar RAT, having determined that this seemed\r\nlikely the most similar version. The out-of-the-box server could not communicate with the client sample owing to\r\nthe previously documented modifications that we had observed. We incorporated those changes into our build,\r\ndiscovering that this worked for most sample versions with almost no further modification.\r\nBoth the client and the server use the same code to serialize and encrypt the communications. Instead of compiling\r\na different server for each client, our server uses the code from within the client to communicate with it. 
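Before turning to the server build, the following Python script is an added example for the Packer and Cryptography sections above. It is not code from this post, from Netz or from Quasar; it is the kind of helper an analyst writes for the two client-side extraction steps described there: locating and inflating the zlib-compressed Netz resource to recover the inner assembly, and deriving the AES key as SHA256 of the Settings password while flagging the repeated keyboard walk. The resource blob it runs on is constructed for the demo (a fake PE image behind some leading junk), the function names are the example's own, and the set of zlib header bytes it scans for is an assumption about how the resource was dumped.

```python
# Added example for the Packer and Cryptography sections above. This is not code
# from the Unit 42 post, from Netz or from Quasar; it is a Python helper an analyst
# might write for the two client-side steps described there:
#   1. Netz keeps the real assembly as a zlib-compressed resource: find it and inflate it.
#   2. The Settings object carries a plaintext password; the AES key is SHA256 of it,
#      and the passwords seen in these samples are repeated keyboard walks.
# The resource blob below is constructed for the demo and is not real malware.
import hashlib
import zlib

# Common zlib stream headers (CMF/FLG byte pairs for the default window size); assumption.
ZLIB_HEADERS = (b'\x78\x01', b'\x78\x5e', b'\x78\x9c', b'\x78\xda')


def inflate_netz_resource(blob):
    '''Locate the zlib stream in a dumped Netz resource and inflate it.

    Returns the first complete inflated payload that starts with the MZ
    signature, or None. The blob is scanned rather than inflated at offset 0
    because resource dumps from different tools carry different leading bytes.
    '''
    for offset in range(len(blob) - 1):
        if blob[offset:offset + 2] not in ZLIB_HEADERS:
            continue
        inflater = zlib.decompressobj()
        try:
            payload = inflater.decompress(blob[offset:])
        except zlib.error:
            continue  # the header bytes were a coincidence, keep scanning
        if inflater.eof and payload[:2] == b'MZ':
            return payload
    return None


def quasar_key_from_password(password):
    '''Key derivation of the modified sample: SHA256 over the UTF-8 password bytes.
    The result is 32 bytes, i.e. AES-256, which the sample then uses in ECB mode.'''
    return hashlib.sha256(password.encode('utf-8')).digest()


def repeat_period(s):
    '''Length of the shortest unit that, repeated, reproduces s (len(s) if none).

    The sample password 6y7u^Y&U6y7u^Y&U6y7u^Y&U has period 8: one keyboard walk
    typed three times, so 24 characters carry only 8 characters of choice.
    '''
    n = len(s)
    for period in range(1, n + 1):
        if n % period == 0 and s[:period] * (n // period) == s:
            return period
    return n


def triage(resource_blob, password):
    '''Run both steps and return the facts an analyst would record.'''
    inner = inflate_netz_resource(resource_blob)
    period = repeat_period(password)
    return {
        'inner_sha256': hashlib.sha256(inner).hexdigest() if inner else None,
        'inner_size': len(inner) if inner else 0,
        'aes_key_hex': quasar_key_from_password(password).hex(),
        'password_period': period,
        'password_is_repeated': period < len(password),
    }


# Constructed stand-in for a dumped resource: 16 bytes of leading junk, then a
# fake PE image compressed the way Netz stores it.
FAKE_INNER_EXE = b'MZ' + b'\x90' * 62 + b'PE\x00\x00' + b'\x00' * 200
SAMPLE_RESOURCE = b'\x00' * 16 + zlib.compress(FAKE_INNER_EXE)
SAMPLE_PASSWORD = '6y7u^Y&U6y7u^Y&U6y7u^Y&U'

if __name__ == '__main__':
    for key, value in triage(SAMPLE_RESOURCE, SAMPLE_PASSWORD).items():
        print(key, value)
```

On a real sample, replace SAMPLE_RESOURCE with the bytes of the resource dumped from the packed assembly and SAMPLE_PASSWORD with the string recovered from the Settings object; the derived key is what a decryptor for the C2 traffic would be fed.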
Using\r\nReflection, the server can load the assembly of the client to find the relevant functions and passwords.\r\nLoad the client assembly:\r\nprivate static System.Reflection.Assembly assembly =\r\n    System.Reflection.Assembly.LoadFile(@\"C:\\Users\\user1\\Desktop\\Quasar\\ServerVersionLoadClient\\resource.bin.open.exe\");\r\nEncryption:\r\nRather straightforward, as the server version uses the same API as the sample client.\r\nGet the AES class:\r\nprivate static Type tAES = assembly.GetType(\"_.Cr.Crp.AES\");\r\nGet the setDefKey, encrypt and decrypt methods:\r\nprivate static System.Reflection.MethodInfo[] mi = tAES.GetMethods();\r\n// sets the current encryption key (i.e. SHA256 of the password stored in Settings)\r\nprivate static System.Reflection.MethodInfo setDefKey = mi[1];\r\n// tAES.GetMethod(\"Encrypt\") does not work: the lookup is ambiguous because the method is\r\n// overloaded, so we pick the right overloads directly by index\r\nprivate static System.Reflection.MethodInfo encMIBuf = mi[4];\r\nprivate static System.Reflection.MethodInfo decMIBuf = mi[6];\r\nReplace the server functions so that each forwards to the client's implementation:\r\npublic static void SetDefaultKey(string key) {\r\n    setDefKey.Invoke(null, new object[] { key });\r\n}\r\npublic static byte[] Encrypt(byte[] input) {\r\n    return (byte[]) encMIBuf.Invoke(null, new object[] { input });\r\n}\r\npublic static byte[] Decrypt(byte[] input) {\r\n    return (byte[]) decMIBuf.Invoke(null, new object[] { input });\r\n}\r\nSerialization:\r\nThis was more complex. 
Both the client and server use the same API, but the client serializer cannot serialize\r\nserver objects, because they are not the same as their \"mirrored\" objects inside the client. In some cases these\r\nobjects are completely different, for example the server commands to get the file system.\r\nOur solution is to:\r\n1. Translate on the fly the objects the server sends into the matching mirrored client objects (this will not work if\r\nthe client doesn’t have this object, or renamed it).\r\n2. Copy the content from the server object into the new client object (this will not work if the client implementation\r\nis different).\r\n3. Serialize the client object (which will later be encrypted and sent).\r\n4. Deserialize the decrypted response into another client response object.\r\n5. Translate the client response object into the server version of the client response object.\r\n6. Copy the contents from the client response object into the translated server object.\r\n7. Return the translated object.\r\npublic static void SerializeWrapper(Stream stream, object data)\r\n{\r\n    System.Reflection.Assembly assembly =\r\n        System.Reflection.Assembly.LoadFile(@\"C:\\Users\\user1\\Desktop\\Quasar\\ServerVersionLoadClient\\resource.bin.open.exe\");\r\n    Type serializerType = assembly.GetType(\"_.Cr.NetSerializer.Serializer\");\r\n    System.Reflection.PropertyInfo serInstanceProp = serializerType.GetProperty(\"Instace\");\r\n    object serInstance = serInstanceProp.GetGetMethod().Invoke(null, new object[] { });\r\n    System.Reflection.MethodInfo serializeMet = serializerType.GetMethod(\"Serialize\");\r\n    // map the server-side packet type onto its mirrored client type by namespace\r\n    Type typeOfData = data.GetType();\r\n    string typeOfDataFullName = typeOfData.FullName;\r\n    string typeOfDataFullNameNew = typeOfDataFullName.Replace(\"xServer.Core\", \"_.Cr\");\r\n    Type packType = assembly.GetType(typeOfDataFullNameNew);\r\n    object pacTypeInstance = packType.GetConstructor(new Type[] { }).Invoke(new object[] { 
});\r\n    // now try to copy data into the instance\r\n    foreach (FieldInfo fieldOfClient in packType.GetFields())\r\n    {\r\n        string fieldName = fieldOfClient.Name;\r\n        FieldInfo fieldOfServer = typeOfData.GetField(fieldName);\r\n        PropertyInfo PropOfServer = typeOfData.GetProperty(fieldName);\r\n        object serverValue = null;\r\n        if (fieldOfServer != null) {\r\n            serverValue = fieldOfServer.GetValue(data);\r\n        } else if (PropOfServer != null) {\r\n            serverValue = PropOfServer.GetValue(data, null);\r\n        }\r\n        fieldOfClient.SetValue(pacTypeInstance, serverValue);\r\n    }\r\n    foreach (PropertyInfo fieldOfClient in packType.GetProperties())\r\n    {\r\n        string fieldName = fieldOfClient.Name;\r\n        FieldInfo fieldOfServer = typeOfData.GetField(fieldName);\r\n        PropertyInfo PropOfServer = typeOfData.GetProperty(fieldName);\r\n        object serverValue = null;\r\n        if (PropOfServer != null) {\r\n            serverValue = PropOfServer.GetValue(data, null);\r\n        }\r\n        else if (fieldOfServer != null) {\r\n            serverValue = fieldOfServer.GetValue(data);\r\n        }\r\n        fieldOfClient.SetValue(pacTypeInstance, serverValue, null);\r\n    }\r\n    serializeMet.Invoke(serInstance, new object[] { stream, pacTypeInstance });\r\n}\r\npublic static object DeserializeWrapper(Stream stream) {\r\n    System.Reflection.Assembly 
=\r\n        System.Reflection.Assembly.LoadFile(@\"C:\\Users\\user1\\Desktop\\Quasar\\ServerVersionLoadClient\\resource.bin.open.exe\");\r\n    Type serializerType = assembly.GetType(\"_.Cr.NetSerializer.Serializer\");\r\n    System.Reflection.PropertyInfo serInstanceProp = serializerType.GetProperty(\"Instace\");\r\n    object serInstance = serInstanceProp.GetGetMethod().Invoke(null, new object[] { });\r\n    System.Reflection.MethodInfo DeserializeMet = serializerType.GetMethod(\"Deserialize\");\r\n    object ob = DeserializeMet.Invoke(serInstance, new object[] { stream });\r\n    // map the client packet type back onto the server-side type by namespace\r\n    Type typeOfPacket = ob.GetType();\r\n    string typeOfPacketFullName = typeOfPacket.FullName;\r\n    string typeOfPacketFullNameNew = typeOfPacketFullName.Replace(\"_.Cr\", \"xServer.Core\");\r\n    System.Reflection.Assembly currentAssembly = Assembly.GetExecutingAssembly();\r\n    Type packTypeServ = currentAssembly.GetType(typeOfPacketFullNameNew);\r\n    object pacTypeInstance = packTypeServ.GetConstructor(new Type[] { }).Invoke(new object[] { });\r\n    // now try to copy data into the instance\r\n    foreach (FieldInfo fi in typeOfPacket.GetFields()) {\r\n        string fieldName = fi.Name;\r\n        FieldInfo fiServ = packTypeServ.GetField(fieldName);\r\n        if (fiServ != null) {\r\n            object clientSentValue = fi.GetValue(ob);\r\n            fiServ.SetValue(pacTypeInstance, clientSentValue);\r\n        }\r\n    }\r\n    foreach (PropertyInfo fi in typeOfPacket.GetProperties()) {\r\n        string fieldName = fi.Name;\r\n        PropertyInfo fiServ = packTypeServ.GetProperty(fieldName);\r\n        if (fiServ != null) {\r\n            object clientSentValue = fi.GetValue(ob, null);\r\n            fiServ.SetValue(pacTypeInstance, clientSentValue, null);\r\n        }\r\n    }\r\n    return pacTypeInstance;\r\n}\r\nCommunication\r\nOur sample communicates with app.progsupdate[.]com, which resolved to 185.141.25[.]68, over TCP port 
4664.\r\nArchitecture\r\nThis is the communication architecture between the Quasar client and server (Figure 8):\r\nFigure 8- Communication Architecture\r\n1. The server sends a command, for example “Get System Information”.\r\n2. The command is translated to an IPacket of type GetSystemInfo.\r\n3. The packet is serialized into a stream of bytes.\r\n4. The stream of bytes is encrypted (in some versions there is also an optional compression step).\r\n5. The stream of bytes is sent over TCP to the client.\r\n6. The client receives and decrypts the packet.\r\n7. The client deserializes the packet into an IPacket of type GetSystemInfo.\r\n8. The relevant handler of the client is called, collects the system information and sends it back inside an IPacket\r\nof type GetSystemInfoResponse.\r\nEach of these layers seems to be different to some extent in the various samples we found. The IPacket,\r\nSerialization and Encryption framework code is shared between the client and the server, therefore we can use it\r\nwith Reflection. 
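The following Python script is an added example for the Serialization section above and for step 3 of this architecture. It is not Quasar or NetSerializer code; it is a minimal packet codec whose only purpose is to show why a fixed DWORD per packet type survives version skew between client and server, while an ID assigned in declaration order at build time does not. The packet type names follow this post; the wire framing (a 4-byte ID followed by a JSON body) and the CRC32-derived IDs are this example's own stand-ins for the sample's hard-coded constants.

```python
# Added example for the Serialization section above and step 3 of the architecture.
# Not Quasar or NetSerializer code: a minimal packet codec that shows why a fixed
# DWORD per packet type survives version skew while an id assigned in declaration
# order does not. Packet type names follow the post; the framing (4-byte id, then a
# JSON body) and the CRC32-derived ids are assumptions made for the demo.
import json
import struct
import zlib

# Two builds of the same protocol: v2 declares one extra packet type in the middle.
PACKET_TYPES_V1 = ['GetSystemInfo', 'GetSystemInfoResponse', 'GetDrives', 'GetDrivesResponse']
PACKET_TYPES_V2 = ['GetSystemInfo', 'GetSystemInfoResponse', 'GetPasswordsResponse',
                   'GetDrives', 'GetDrivesResponse']


def sequential_ids(type_names):
    '''Open-source behaviour: a small id assigned in declaration order at build time.'''
    return {name: index for index, name in enumerate(type_names)}


def stable_ids(type_names):
    '''Modified-sample behaviour: a fixed 32-bit id per type, independent of ordering.
    CRC32 of the type name stands in for the sample's hard-coded constants.'''
    return {name: zlib.crc32(name.encode('utf-8')) & 0xFFFFFFFF for name in type_names}


def serialize(type_map, type_name, fields):
    '''Frame a packet as a little-endian u32 type id followed by a JSON body.'''
    return struct.pack('<I', type_map[type_name]) + json.dumps(fields).encode('utf-8')


def deserialize(type_map, blob):
    '''Return (type_name, fields); type_name is None when the id is unknown to this side.'''
    (type_id,) = struct.unpack('<I', blob[:4])
    fields = json.loads(blob[4:].decode('utf-8'))
    for name, candidate in type_map.items():
        if candidate == type_id:
            return name, fields
    return None, fields


def roundtrip(id_scheme, sender_types, receiver_types, type_name, fields):
    '''Sender frames with its own type map, receiver decodes with its own; returns the
    type name the receiver believes it received.'''
    blob = serialize(id_scheme(sender_types), type_name, fields)
    return deserialize(id_scheme(receiver_types), blob)[0]


if __name__ == '__main__':
    # A v2 server asks a v1 client for its drives.
    print('sequential ids:', roundtrip(sequential_ids, PACKET_TYPES_V2, PACKET_TYPES_V1, 'GetDrives', {}))
    print('stable ids:    ', roundtrip(stable_ids, PACKET_TYPES_V2, PACKET_TYPES_V1, 'GetDrives', {}))
```

With sequential IDs the v1 client silently decodes the v2 server's GetDrives as GetDrivesResponse, and the new GetPasswordsResponse as GetDrives; with stable IDs every shared type still matches and an unknown type is reported as unknown rather than misread, which is the "to some extent" interoperability the post describes.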
However the server handlers and command functions are not, so we cannot create a completely\r\nperfect simulation.\r\nInitial handshake\r\nAfter the TCP handshake completes, the server starts another handshake with the client by sending packets in the\r\nfollowing order (Figure 9):\r\nFigure 9- Initial Handshake\r\nThe client returns data to the server about the victim computer, which is displayed in the server GUI (Figure 10):\r\nFigure 10- Quasar RAT Server GUI\r\nThe server and client then enter a keep-alive mode, where the attacker can send commands to the client and\r\nreceive further responses.\r\nRAT commands\r\nThe attacker can issue commands (not all commands appear in every sample) through the Quasar server GUI\r\nfor each client:\r\nGet system information\r\nGet file system\r\nUpload / download / execute files\r\nStartup manager\r\nOpen task manager\r\nKill / start processes\r\nEdit registry\r\nReverse proxy\r\nShutdown / restart the computer\r\nOpen remote desktop connection\r\nObserve the desktop and actions of the active user\r\nIssue remote mouse clicks and keyboard strokes\r\nPassword stealing\r\nRetrieve keylogger logs\r\nVisit website\r\nDisplay a message box\r\nOur server build was able to successfully execute most of the commands.\r\nThe underlying handlers and IPackets of the file system commands were modified to support more features, so\r\nthese commands don’t work out of the box and required manual implementation from us.\r\nA Double-Edged Sword…\r\nWith further analysis of the Quasar RAT C2 server, we uncovered vulnerabilities in the server code which would\r\nallow remote code execution. This might allow a second attacker to install code of their choice – for example,\r\ntheir own Quasar RAT – on the original attacker’s server. 
We refer to this (somewhat ironic) technique as a\r\n“Double Edged Sword Attack”. We did not apply this to any live C2 servers – we only tested this with our own\r\nservers in our lab.\r\nIn the lab, we changed our Quasar RAT source code to use the known encryption key, and to send a fake victim IP\r\naddress, city, country code, flag, and username. The Quasar server does not verify the RAT data, and displays\r\nthis data in the RAT server GUI when the RAT is executed and connects to the server. We found this could be\r\nused to supply compelling “victim data” to convince the attacker to connect to this “victim” via the GUI.\r\nThe Quasar server includes a File Manager window, allowing the attacker to select victim files and trigger file\r\noperations – for example, uploading a file from the victim machine to the server. Uploaded files are written to the\r\nserver sub-directory “clients\\user_name@machine_name_ipaddress”.\r\nThe Quasar server does not verify that the size, filename, extension, or header of the uploaded file is the same as\r\nrequested. Therefore, if we convince the attacker to request the file “secret_info.doc (20KB)”, we can instead\r\nreturn to the server any file of our choice, of any size or type.\r\nWhen the Quasar server retrieves the name of the uploaded file from the victim, it does not verify that it is a valid\r\nfile path. Therefore sending the file path \"..\\..\\secret_info.doc\" will result in writing our file instead to the same\r\ndirectory as the Quasar server code.\r\nThe Quasar server does not even verify that a file was requested from the victim. Immediately when the File\r\nManager window is opened by the attacker, the Quasar server sends two commands to the RAT: GetDrives and\r\nlistDirectory (to populate the list of the victim’s files in the RAT server GUI). 
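The three File Manager weaknesses just described (no size, name or type check on the upload, no path validation, and no check that a file was requested at all) are easy to state as server-side checks. The following Python script is an added example, not the Quasar server's code (which is C#): it models the upload path with the vulnerable behaviour beside a hardened version that enforces those checks, and replays the abuse cases from this section against it. The class, its method names and the /tmp paths used by demo() are this example's own, and it writes no files; the traversal payload is the one from the text.

```python
# Added example for the File Manager weaknesses described above. It is not the
# Quasar server's code (which is C#); it is a Python model of the upload path with
# the server-side checks the post says Quasar lacks. The class, its method names
# and the /tmp paths used by demo() are this example's own, and no file is written.
import os
import posixpath


def unsafe_upload_path(client_dir, reported_name):
    '''The vulnerable behaviour: trust the victim-supplied filename as-is.

    With reported_name = '..\\..\\secret_info.doc' the result leaves client_dir
    and lands in the server's own directory, which is what enables the DLL plant.
    '''
    return os.path.normpath(os.path.join(client_dir, reported_name.replace('\\', '/')))


class FileManagerSession:
    '''Server-side bookkeeping for one connected client.

    An upload is accepted only if the operator actually requested that file,
    the reported name is a bare filename equal to the requested one (so the
    extension matches too), the size matches the directory listing, and the
    final path stays inside the client's own directory.
    '''

    def __init__(self, clients_root, client_id):
        self.client_dir = os.path.abspath(os.path.join(clients_root, client_id))
        self.pending = {}  # bare filename -> size shown in the listing when requested

    def request_file(self, remote_path, listed_size):
        '''Record an operator request so that a later upload can be matched to it.'''
        name = posixpath.basename(remote_path.replace('\\', '/'))
        self.pending[name] = listed_size
        return name

    def accept_upload(self, reported_name, data):
        '''Return the path the upload may be written to, or raise ValueError.'''
        name = reported_name.replace('\\', '/')
        if name in ('', '.', '..') or posixpath.basename(name) != name or ':' in name:
            raise ValueError('upload name must be a bare filename: %r' % reported_name)
        if name not in self.pending:
            raise ValueError('unsolicited upload rejected: %r' % reported_name)
        if len(data) != self.pending[name]:
            raise ValueError('size mismatch for %r: got %d, listed %d'
                             % (name, len(data), self.pending[name]))
        dest = os.path.abspath(os.path.join(self.client_dir, name))
        if os.path.commonpath([dest, self.client_dir]) != self.client_dir:
            raise ValueError('path escapes client directory: %r' % dest)
        del self.pending[name]  # one upload per request
        return dest


def demo(server_dir='/tmp/quasar_server'):
    '''Replay the abuse cases from the post against the model; returns a dict of outcomes.'''
    session = FileManagerSession(os.path.join(server_dir, 'clients'), 'user1@HOST_10.0.0.5')
    session.request_file('C:\\Users\\victim\\secret_info.doc', 20 * 1024)
    results = {}
    cases = [
        ('wrong_size_and_type', 'secret_info.doc', b'MZ' + b'\x00' * 300),
        ('traversal', '..\\..\\secret_info.doc', b'x' * (20 * 1024)),
        ('legit', 'secret_info.doc', b'x' * (20 * 1024)),
        ('unsolicited_dll', 'dnsapi.dll', b'MZ' + b'\x00' * 300),
    ]
    for label, name, payload in cases:
        try:
            results[label] = 'accepted: ' + session.accept_upload(name, payload)
        except ValueError as err:
            results[label] = 'rejected: ' + str(err)
    results['vulnerable_path'] = unsafe_upload_path(session.client_dir, '..\\..\\secret_info.doc')
    return results


if __name__ == '__main__':
    for label, outcome in demo().items():
        print(label, '->', outcome)
```

The vulnerable_path entry shows where the unchecked join puts the attacker's file: two levels up from the per-client directory, i.e. next to the server binary, which is the precondition for the DLL hijack discussed next. The hardened path only ever returns a location under the client's own directory, and only for a file the operator asked for.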
We can respond to those commands by instead\r\nsending two files of our choice to the Quasar server. Again, we control the content of the file, the size, the path\r\nand the filename.\r\nQuasar is a .NET Framework assembly that loads multiple DLLs upon launch, for example “dnsapi.dll”. The Quasar\r\nserver is therefore vulnerable to a simple DLL hijacking attack: the upload path traversal described above lets us\r\nplant replacement DLLs in the server's own directory.\r\nWhen the attacker restarts the Quasar application, our uploaded “dnsapi.dll” will instead be loaded. Through this\r\nvector, we could drop our own Quasar client on the attacker’s server and execute it. Our Quasar RAT will connect\r\nto our own (secured, of course) Quasar server, allowing us to control that attacker’s server with his own RAT. We\r\ncan also replace “shfolder.dll” (and add a DLL export proxy to avoid a crash), which is loaded whenever the\r\nattacker clicks the builder tab – allowing us to infect the server while it runs, without the need to wait for an\r\napplication restart.\r\nDowneks\r\nAlthough Downeks has been publicly examined to some extent, our analysis found several features not previously\r\ndescribed.\r\nEarlier Downeks samples were all written in native code. However, among our Downeks samples, we found new\r\nversions apparently written in .NET. We observe many behavioral similarities and unique strings across both the\r\nnative Downeks versions and the new .NET Downeks versions. 
Almost all of the strings and behaviors we\r\ndescribe in this analysis of a .NET version are also present in the native version.\r\nWe observed these samples deployed only against Hebrew-speaking targets.\r\nDowneks.NET – “SharpDownloader”\r\nThe Downeks .NET internal name is “SharpDownloader”; “Sharp” may be a reference to the language it was written\r\nin – C#.\r\nAs seen in previous Downeks versions, it masquerades using icons, filenames and metadata imitating popular\r\nlegitimate applications such as VMware Workstation (Figure 11) and CCleaner, or common file formats such as\r\nDOC and PDF.\r\nFigure 11 - Application metadata masquerading as VMWare Workstation\r\nAll 3 samples were compiled with the same timestamp. Downeks.NET is obfuscated using “Yano” and can be\r\neasily de-obfuscated using the de4dot utility.\r\nSHA256: 4dcf5bd2c7a5822831d9f22f46bd2369c4c9df17cc99eb29975b5e8ae7e88606\r\nSHA256: 905f6a62749ca6f0fd33345d6a8b1831d87e9fd1f81a59cd3add82643b367693\r\nSHA256: c885f09b10feb88d7d176fe1a01ed8b480deb42324d2bb825e96fe1408e2a35f\r\nCommunication\r\nDowneks is a backdoor with only very basic capabilities. It communicates with the C2 server using HTTP POST\r\nrequests.\r\nIt runs in an infinite loop; in each iteration it requests a command from the C2, and then sleeps for a time period\r\nit receives in the C2 response (defaulting to 1 second if no sleep-time is sent).\r\nThe data that is sent in the POST is serialized as JSON, which is then encrypted, and finally encoded in base64.\r\nThe JSON format is typically {\"mth\":\"some_method\", \"data\":\"some_encrypted_data\"}. 
The C2 server responds\r\nusing the same format and serialization/encryption/encoding.\r\nDownload and Execute\r\nAs described in earlier analyses, Downeks’ main purpose is as a downloader. Unfortunately, we were unable to get\r\nany C2 servers to issue download commands to any samples that we tested in our lab.\r\nThe download is initiated upon receiving JSON with a “download” command, which includes the URL of the file to\r\nbe downloaded. Downeks can also be instructed to execute binaries that already exist on the victim machine. After\r\nsuccessful execution, Downeks returns the results to the C2 server.\r\nDowneks also has a self-update capability, if instructed by the C2.\r\nScreen Capture\r\nDowneks can be instructed with the “img” command to capture the victim screen and transmit it back to the C2.\r\nThe parameters “wth” and “qlt” specify “width” and “quality”.\r\nAppdata\r\nDowneks .NET creates a file in the “Appdata” directory, based on certain properties of the machine. During our\r\nanalysis, Downeks created a file in “Appdata\\Roaming” containing only “SD{new line} 0” (“SD” possibly for\r\n“SharpDownloader”).\r\nAlthough this file itself is not particularly interesting, the older (native) Downeks versions also create a file in\r\nAppdata\\Roaming, with identical data.\r\nThe filenames across the two variants bear striking similarities. The .NET variant creates\r\n“1FABFBFF0000065132F71D94”, while the native version creates “000206511FABFBFF”. We observed the\r\nstring “1FABFBFF0000065132F71D94” in memory during debugging of the native variant (Figure 12). This is a\r\npseudo-unique ID for each machine, based on the install date taken from the registry, volume serial number, OS\r\nversion and service pack, processor architecture, and computer name.\r\nFigure 12 - Machine ID in memory\r\nInstalled Antivirus check\r\nDowneks enumerates any antivirus products installed on the victim machine and transmits the list to the C2. 
It\r\nconstructs this list using the WMI query:\r\n“SELECT displayName FROM AntivirusProduct”\r\nPersistence\r\nDowneks achieves host persistence through either the registry “run” key or with a shortcut in the start-up folder.\r\nExternal IP\r\nIn another similarity between both variants, Downeks assesses the victim’s external IP using an HTTP request to\r\nhttp://www.myexternalip.com/raw.\r\nOther commands\r\nDowneks can be instructed by the C2 to perform a few other commands:\r\nCheck if the computer name and user name, or external IP address, is in a provided list and if so, display a\r\nmessage box with a message as defined by the C2.\r\nKill any running process and attempt to delete the associated executable.\r\n“Setup” command – sends various info about the machine with each iteration of the C2 communications\r\nloop.\r\nEncryption keys\r\nDowneks has static encryption keys hardcoded in the code. 
These keys are initialized in the “Defaults” class\r\nconstructor, suggesting that the author of this malware has great affection for stackoverflow:\r\nstatic Defaults()\r\n{\r\n    ResEncKey = Strings.Get(0x1524);       // resolves to “$t2ck0v3rFl0w”\r\n    RarPass = Strings.Get(0x1539);         // resolves to “123456”\r\n    ServerTransKey = Strings.Get(0x1542);  // resolves to “P@$sw0rD$nd”\r\n    DataEncKey = Strings.Get(0x1553);      // resolves to “$t@k0v2rF10w”\r\n    ConnRequestKey = Strings.Get(0x1564);  // resolves to “1q@W3e$RQ!w2E#r4”\r\n}\r\nTypos\r\nWe observed some typos in the code, such as “responce” ( “response”) and “GroubID” (“GroupID”) in this\r\nversion.\r\nCoverage \u0026 IoCs\r\nPalo Alto Networks customers are protected from Downeks and Quasar used in this attack:\r\nWildFire properly classifies these Downeks and Quasar samples as malicious.\r\nTraps detects and blocks malicious behavior exhibited by new, unknown Quasar samples.\r\nC2 servers associated with this activity are blocked through Threat Prevention DNS signatures.\r\nAutoFocus customers can monitor this activity using the Downeks and QuasarRAT tags.\r\nA list of Indicators of Compromise can be found in Appendix C - IoCs.\r\nAppendix A - IoCs\r\nC2 
Domains\r\nQuasar \u0026 Downeks SHA256s\r\nSource: 
http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments\r\nParameterInfo[] parameters1 = entryPoint.GetParameters();\nobject[] parameters2 = (object[]) null;\nif (parameters1 != null \u0026\u0026 parameters1.Length \u003e 0)\n    parameters2 = new object[1]{ (object) args };\nobject obj = entryPoint.Invoke((object) null, parameters2);\nExtracting produces:\nSHA256: c931de65d9655a772d23e4227a627a1140d8d3c4912ca71c324421b13efa1a02",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments"
	],
	"report_names": [
		"unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments"
	],
	"threat_actors": [
		{
			"id": "0c502f6d-640d-4e69-bfb8-328ba6540d4f",
			"created_at": "2022-10-25T15:50:23.756782Z",
			"updated_at": "2026-04-10T02:00:05.324924Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Molerats",
				"Operation Molerats",
				"Gaza Cybergang"
			],
			"source_name": "MITRE:Molerats",
			"tools": [
				"MoleNet",
				"DustySky",
				"DropBook",
				"SharpStage",
				"PoisonIvy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5cad6bf-fa91-4128-ba0d-2bf3ff3c6c6b",
			"created_at": "2025-08-07T02:03:24.53077Z",
			"updated_at": "2026-04-10T02:00:03.680525Z",
			"deleted_at": null,
			"main_name": "ALUMINUM SARATOGA",
			"aliases": [
				"APT-C-23",
				"Arid Viper",
				"Desert Falcon",
				"Extreme Jackal ",
				"Gaza Cybergang",
				"Molerats ",
				"Operation DustySky ",
				"TA402"
			],
			"source_name": "Secureworks:ALUMINUM SARATOGA",
			"tools": [
				"BlackShades",
				"BrittleBush",
				"DarkComet",
				"LastConn",
				"Micropsia",
				"NimbleMamba",
				"PoisonIvy",
				"QuasarRAT",
				"XtremeRat"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1162e0d4-b69c-423d-a4da-f3080d1d2b0c",
			"created_at": "2023-01-06T13:46:38.508262Z",
			"updated_at": "2026-04-10T02:00:03.006018Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"Gaza Cybergang",
				"Operation Molerats",
				"Extreme Jackal",
				"ALUMINUM SARATOGA",
				"G0021",
				"BLACKSTEM",
				"Gaza Hackers Team",
				"Gaza cybergang"
			],
			"source_name": "MISPGALAXY:Molerats",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "847f600c-cf90-44c0-8b39-fb0d5adfcef4",
			"created_at": "2022-10-25T16:07:23.875541Z",
			"updated_at": "2026-04-10T02:00:04.768142Z",
			"deleted_at": null,
			"main_name": "Molerats",
			"aliases": [
				"ATK 89",
				"Aluminum Saratoga",
				"Extreme Jackal",
				"G0021",
				"Gaza Cybergang",
				"Gaza Hackers Team",
				"Molerats",
				"Operation DustySky",
				"Operation DustySky Part 2",
				"Operation Molerats",
				"Operation Moonlight",
				"Operation SneakyPastes",
				"Operation TopHat",
				"TA402",
				"TAG-CT5"
			],
			"source_name": "ETDA:Molerats",
			"tools": [
				"BadPatch",
				"Bladabindi",
				"BrittleBush",
				"Chymine",
				"CinaRAT",
				"Darkmoon",
				"Downeks",
				"DropBook",
				"DustySky",
				"ExtRat",
				"Gen:Trojan.Heur.PT",
				"H-Worm",
				"H-Worm RAT",
				"Houdini",
				"Houdini RAT",
				"Hworm",
				"Iniduoh",
				"IronWind",
				"Jenxcus",
				"JhoneRAT",
				"Jorik",
				"KasperAgent",
				"Kognito",
				"LastConn",
				"Micropsia",
				"MoleNet",
				"Molerat Loader",
				"NeD Worm",
				"NimbleMamba",
				"Njw0rm",
				"Pierogi",
				"Poison Ivy",
				"Quasar RAT",
				"QuasarRAT",
				"SPIVY",
				"Scote",
				"SharpSploit",
				"SharpStage",
				"WSHRAT",
				"WelcomeChat",
				"Xtreme RAT",
				"XtremeRAT",
				"Yggdrasil",
				"dinihou",
				"dunihi",
				"njRAT",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434110,
	"ts_updated_at": 1775792283,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4647ed4280e38c131c19afd52fdac7ce1ecf445.pdf",
		"text": "https://archive.orkl.eu/a4647ed4280e38c131c19afd52fdac7ce1ecf445.txt",
		"img": "https://archive.orkl.eu/a4647ed4280e38c131c19afd52fdac7ce1ecf445.jpg"
	}
}