Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

Dec. 16, 2024, 2:04 p.m.

Description

Elastic Security Labs has uncovered a new intrusion set targeting Chinese-speaking regions, dubbed REF3864. The threat group employs a custom loader called SADBRIDGE to deploy GOSAR, a Golang-based reimplementation of the QUASAR backdoor. The infection chain begins with trojanized MSI installers that masquerade as legitimate software and rely on DLL side-loading and injection techniques. GOSAR extends QUASAR's capabilities with additional information-gathering features, multi-OS support, and improved evasion tactics. The malware employs several persistence mechanisms and privilege escalation techniques, including a UAC bypass and abuse of the Windows Task Scheduler. GOSAR's functionality includes system information retrieval, screenshot capture, command execution, and keylogging, among others.

Date

  • Created: Dec. 16, 2024, 12:44 p.m.
  • Published: Dec. 16, 2024, 12:44 p.m.
  • Modified: Dec. 16, 2024, 2:04 p.m.

Indicators

  • Windows_Trojan_SadBridge_6e83eaeb
  • Multi_Trojan_Gosar_31dba745

Attack Patterns

Additional Information

  • China