Phishing Email Campaign Attempts to Install Quasar RAT

A recent phishing campaign uses fake resume attachments to deliver the Quasar RAT (remote access trojan) onto targeted systems. The attachments are a password-protected Microsoft Word document, and within the email is the attachment’s password “123.” Attackers use password-protected attachments to evade email security tools in order to ensure their phishing emails reach end user inboxes. If the attachment is opened, the document requests the user to enable editing and then enable content. Enabling content allows macros to run and download the Quasar RAT. The trojan has the ability to open remote desktop connections, log keystrokes, steal passwords, capture screenshots, record webcams, download and exfiltrate files, and manage processes on the infected system. The NJCCIC recommends users and administrators avoid opening attachments delivered within unsolicited or unexpected emails and exercise caution when choosing to open attachments from known senders. Additionally, avoid opening password-protected attachments delivered within emails that also include the attachment password as this is a red flag for phishing emails. More information on this campaign can be found in the Cofense article.