Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite
Dec. 16, 2024, 2:04 p.m.
Description
Elastic Security Labs has uncovered a new intrusion set targeting Chinese-speaking regions, dubbed REF3864. The threat group employs a custom loader called SADBRIDGE to deploy GOSAR, a Golang-based reimplementation of the QUASAR backdoor. The infection chain involves trojanized MSI installers masquerading as legitimate software, utilizing DLL side-loading and injection techniques. GOSAR extends QUASAR's capabilities with additional information-gathering features, multi-OS support, and improved evasion tactics. The malware employs various persistence mechanisms and privilege escalation techniques, including UAC bypass and abuse of Windows Task Scheduler. GOSAR's functionalities include system information retrieval, screenshot capture, command execution, and keylogging, among others.
Date
Published: Dec. 16, 2024, 12:44 p.m.
Created: Dec. 16, 2024, 12:44 p.m.
Modified: Dec. 16, 2024, 2:04 p.m.
Indicators
Windows_Trojan_SadBridge_6e83eaeb
Multi_Trojan_Gosar_31dba745
Attack Patterns
GOSAR
SADBRIDGE
QUASAR
REF3864
T1497.003
T1548.002
T1543.003
T1055.003
T1564.003
T1574.002
T1571
T1056.001
T1562.001
T1057
T1027
Additional Information
China