QuasarRAT signed by "北京谷云达吉商贸有限公司"

This signer previously signed GhostRAT.
Cert was revoked.
They received new certificate.
Revoked.
New certificate.
Revoked.

If I didn't have a database with records, I'd think I was insane.
h/t @malwrhunterteam
1/6

The most recent file (eca5383f73e19e587c03a472d0559d95) makes no effort to hide what it is.

This suggests the actor convinced the certificate provider that their previous files were legit and the current detection of QuasarRAT is a consequence of using it legitimately.
2/6

I'm not buying it.

The last file reported was disguised as an invoice. The desktop icon displays what looks like a receipt and the metadata claims it is a 2FA login authenticator.

3/6

Our end user downloaded it from a < 30-day-old domain "im-image[.]ing" and downloaded the file named "MAGE_IM_[94 char here].SCR". (Site and downloads are still active.)

MD5: 006a0eb2ae8fa181c7a7ac972055f03f
4/6

My database is at CertGraveyard.org. We document these to keep a public record and to use it for cyber defense.

To that end we've also partnered with MagicSword (https://www.magicsword.io/plan?utm_source=certgraveyard&utm_medium=affiliate&utm_campaign=community-widget&utm_content=social ); their tool uses our database.
5/6


Our database is one of the blocklists used by MagicSword.

Files with certificates issued to cybercriminals are actually stopped from impacting systems, whether the cert provider revokes the certificate or not.
6/6
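The thread's last point is that a signer blocklist works even while the CA is still re-issuing certificates to the same actor, because the verdict keys on the signer rather than on revocation. The script below is an added example of that check, not code from the thread's author, CertGraveyard, or MagicSword. It uses the built-in Get-AuthenticodeSignature cmdlet and the X509Certificate2.GetNameInfo method; the blocklist entries, the DN form of the signer name, and the thumbprint value are constructed for illustration.

```powershell
# Added example (not code from the thread's author, CertGraveyard, or MagicSword):
# flag files whose Authenticode signer appears on a local signer blocklist, regardless
# of whether the issuing CA has revoked the certificate yet.
# The blocklist entries are constructed for illustration; a real deployment would load
# them from a tracked source such as the CertGraveyard database.

$SignerBlocklist = @(
    # Subject common name of the signer named in the thread (DN form is assumed).
    @{ CommonName = '北京谷云达吉商贸有限公司'; Note = 'Thread signer; repeatedly re-issued and revoked' }
    # SHA-1 thumbprint pinning is stricter than a name match; the value here is a placeholder.
    @{ Thumbprint = '0000000000000000000000000000000000000000'; Note = 'PLACEHOLDER thumbprint' }
)

function Test-BlockedSigner {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $sig  = Get-AuthenticodeSignature -FilePath $Path
        $cert = $sig.SignerCertificate

        if (-not $cert) {
            # Unsigned files are a separate policy question; this check only answers
            # "is the signer on the blocklist".
            return [pscustomobject]@{
                Path = $Path; Blocked = $false; Reason = 'Unsigned'; SigStatus = $sig.Status
            }
        }

        # SimpleName yields the CN without hand-parsing the DN (safe with CJK names and embedded commas).
        $cn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

        foreach ($entry in $SignerBlocklist) {
            $hit = ($entry.Thumbprint -and ($entry.Thumbprint -ieq $cert.Thumbprint)) -or
                   ($entry.CommonName -and ($entry.CommonName -eq $cn))
            if ($hit) {
                # $sig.Status is reported but deliberately not consulted: a chain that still
                # validates (cert not yet revoked) does not clear a blocklisted signer.
                return [pscustomobject]@{
                    Path = $Path; Blocked = $true; Reason = $entry.Note
                    Signer = $cn; Thumbprint = $cert.Thumbprint; SigStatus = $sig.Status
                }
            }
        }

        return [pscustomobject]@{
            Path = $Path; Blocked = $false; Reason = 'Signer not on blocklist'
            Signer = $cn; Thumbprint = $cert.Thumbprint; SigStatus = $sig.Status
        }
    }
}

# Usage: sweep a download folder for signed executables and screensavers (.SCR, as in the thread)
# and list only the hits.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Recurse -Include *.exe,*.scr,*.dll -File |
    Test-BlockedSigner |
    Where-Object Blocked |
    Format-Table Path, Signer, Reason, SigStatus -AutoSize
```

Matching on the thumbprint pins one specific certificate, which is the safe default for a blocklist; matching on the common name is what catches the pattern described in the thread, where each revoked certificate is replaced by a new one issued to the same subject. SigStatus is carried in the output so an analyst can see that a hit was still "Valid" at scan time, which is exactly the window the thread is complaining about.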