Quasar RAT C2 SSL Certificate - Detect

ID: quasar-rat-c2

Severity: info

Author: johnk3r,pussycat0x,adilsoybali

Tags: c2,ssl,tls,ir,osint,malware,quasar

Description

Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.

YAML Source

id: quasar-rat-c2

info:
  name: Quasar RAT C2 SSL Certificate - Detect
  author: johnk3r,pussycat0x,adilsoybali
  severity: info
  description: |
    Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.
  reference: |
    https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
  metadata:
    verified: "true"
    max-request: 1
    shodan-query: ssl.cert.subject.cn:"Quasar Server CA"
    censys-query: 'services.tls.certificates.leaf_data.subject.common_name: {"Quasar Server CA"}'
  tags: c2,ssl,tls,ir,osint,malware,quasar
ssl:
  - address: "{{Host}}:{{Port}}"
    matchers:
      - type: word
        part: issuer_cn
        words:
          - "Quasar Server CA"

    extractors:
      - type: json
        json:
          - " .issuer_cn"
# digest: 490a0046304402204666c70b55849460ab4f5b2eeed38fc0cf4689f9cb42cc945880a75d50954906022078ca7b7a664337f5591237fb517ad20daecefbf2d492adaa8855e0283c2be16c:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "ssl/c2/quasar-rat-c2.yaml"

View on Github