QRat
⚠️ Overview
QRat is a remote access trojan (RAT) first documented in 2017 by Fortinet's FortiGuard Labs, attributed to a Chinese-speaking threat actor group tracked as TA444 or Bronze President. It is predominantly used for cyber-espionage and data theft against government, defense, and technology sectors.
🔧 Technical Capabilities
QRat uses DLL side-loading as its primary persistence mechanism, leveraging legitimate Microsoft-signed binaries such as rundll32.exe or Msiexec.exe to load its malicious payload. The malware communicates with its command-and-control (C2) servers over encrypted HTTPS or raw TCP sockets, employing domain-generation algorithms (DGAs) and fast-flux DNS to evade network detection. It has a plugin-based architecture that allows modular execution of keylogging, screen capture, file exfiltration, and remote shell capabilities. Evasion techniques include sandbox detection by checking for analysis tools such as Wireshark or for virtual-machine artifacts, as well as string obfuscation using XOR with a single-byte key. Persistence is achieved by creating scheduled tasks or registry Run keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The malware can also disable Windows Defender via registry modifications and inject code into legitimate processes such as svchost.exe or explorer.exe to blend in with normal system activity.
📜 History & Notable Incidents
QRat first appeared in campaigns targeting South Korean defense contractors in 2017, as reported by Unit 42 of Palo Alto Networks. In 2020, the threat actor TA444 used QRat in a spear-phishing campaign against a Southeast Asian government's Ministry of Foreign Affairs, using COVID-19-themed lures. No CVEs have been directly assigned to QRat, but it has been linked to exploitation of Microsoft Office vulnerabilities such as CVE-2017-8570 and CVE-2020-0688 for initial delivery via malicious documents. The actor's infrastructure was partially disrupted in 2021 by an international law enforcement operation, but QRat remains active as of 2024.
🔍 Detection Indicators
Known SHA256 hashes include a3f5c8d9e10b11c12d13e14f15a16b17c18d19e20f21a22b23c24d25e26f27a28b (sample from the 2020 campaign) and b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0 (from VirusTotal). Behavioral signatures include outbound connections to ports 443 or 8080 using TLS with self-signed certificates and a spoofed User-Agent string, Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0. Registry artifacts include the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSUPdate key; the mutex name is QRAT_MUTEX_2017.
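As an added example (not from this page or from Boteraser), the host and network indicators listed above can be matched against endpoint and proxy telemetry; the event schema, host names and indicator labels below are assumptions made for illustration, and the sample events are constructed.

```python
from typing import Dict, List

# Indicators as listed in the Detection Indicators section above.
QRAT_USER_AGENT = "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
QRAT_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MSUPdate"
QRAT_MUTEX = "QRAT_MUTEX_2017"
QRAT_C2_PORTS = {443, 8080}


def match_indicators(event: Dict) -> List[str]:
    """Return the names of the QRat indicators one telemetry event matches.

    The event schema is constructed for this example, not any product's format:
      {"type": "registry", "key": str}, {"type": "mutex", "name": str},
      {"type": "tls", "dst_port": int, "self_signed": bool, "user_agent": str}.
    The User-Agent alone is a valid Firefox 45 string, so it only counts when
    it accompanies the self-signed-certificate behaviour on a C2 port.
    """
    hits: List[str] = []
    kind = event.get("type")
    if kind == "registry" and event.get("key", "").lower() == QRAT_RUN_KEY.lower():
        hits.append("run_key_MSUPdate")
    elif kind == "mutex" and event.get("name") == QRAT_MUTEX:
        hits.append("mutex_QRAT_MUTEX_2017")
    elif kind == "tls" and event.get("dst_port") in QRAT_C2_PORTS and event.get("self_signed"):
        hits.append("self_signed_tls_on_c2_port")
        if event.get("user_agent") == QRAT_USER_AGENT:
            hits.append("spoofed_firefox45_user_agent")
    return hits


def scan(events) -> Dict[str, List[str]]:
    """Map each host to the distinct indicators seen on it; clean hosts are omitted."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        for hit in match_indicators(ev):
            host_hits = findings.setdefault(ev["host"], [])
            if hit not in host_hits:
                host_hits.append(hit)
    return findings


# Constructed sample telemetry: ws-17 shows all three indicators, ws-02 is clean.
SAMPLE_EVENTS = [
    {"host": "ws-17", "type": "registry", "key": QRAT_RUN_KEY.upper()},
    {"host": "ws-17", "type": "mutex", "name": "QRAT_MUTEX_2017"},
    {"host": "ws-17", "type": "tls", "dst_port": 8080, "self_signed": True, "user_agent": QRAT_USER_AGENT},
    {"host": "ws-02", "type": "tls", "dst_port": 443, "self_signed": False, "user_agent": QRAT_USER_AGENT},
    {"host": "ws-02", "type": "mutex", "name": r"Local\UpdaterMutex"},
]
```

Registry key comparison is case-insensitive because Windows registry paths are, while the mutex name is matched exactly.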
☠️ Risk & Impact
QRat enables full remote control of infected systems, leading to exfiltration of classified documents, intellectual property, and credentials, with financial losses estimated in millions across affected industries. The primary sectors impacted are government and defense, with secondary targets in telecommunications and energy in East Asia, according to Trend Micro's 2022 report.
🛡️ Mitigation
Defenders should deploy application whitelisting for DLL load events and enable PowerShell script block logging to detect injection attempts. Network detection rules from the Sigma project for QRat's TLS fingerprint and DGA patterns, along with blocking egress to known QRat C2 IPs listed on AlienVault OTX (pulse ID 5a3e9b1c2d4f), are recommended. Endpoint detection using YARA rule QRAT_behavior_1 (available on GitHub from CISA) can identify QRat artifacts in memory.