QRAT is Living in The World of JAVA

A New RAT Emerges

In May of 2016, DigiTrust was alerted to some malicious activity in one our client organizations. The investigation revealed that a host on the client's network might have been exposed to an unknown threat while visiting a malicious web domain. Incident response experts were able to locate a Remote Access Trojan (RAT) hidden within the client's system.

Peeling back the layers revealed this to be a newer type of RAT built in Java called Quaverse RAT or QRAT for short. Researching QRAT has provided an in-depth understanding as to its functionality and its rapid adoption into threat actor communities.

What is QRAT

QRAT is a Java-based variation of what is known as a RAT or Remote Access Trojan (or tool). A RAT is used by threat actors to gain remote access to a system, usually to harvest valuable information. IT teams have similar remote access tools they can use to connect to a computer remotely when attempting to fix a system issue. In the case of QRAT, whatever the victim can access, a threat actor can also access from anywhere in the world, except the victim won’t even know they are there.With QRAT installed, the threat actor has created a backdoor providing them access to the victim's valuable information. With this backdoor, the threat actor can explore files, capture logins, run programs, activate webcams, and much more.

The Growth of Java RATs

QRAT was introduced in May of 2015 and marketed as an “undetectable Java Rat” by Quaverse. The use of Java is not unique to QRAT, RATs such as Adwind, XPLAT, or RATTY also use Java. RATs such as these are popular due to their ability to function across platforms. The cross-functional nature of Java allows a Java-based RAT to work on Windows, Mac, Linux, and Android. If the system is running Java, it could be vulnerable to a Java-based RAT.

How is This RAT Different? (QRAT vs Standard RAT)

What makes QRAT different than a standard RAT? Functionality, usability, and construction. Threat actors could initially purchase access to QRAT online as a SaaS solution (Software as a Service). The same process someone might use to access Microsoft Office 365 or Salesforce, QRAT works in a similar way. Threat actors could visit the Quaverse website directly and purchase up to one year of QRAT access at a time. It is mainstream, accessible, flexible, and its simple functionality only fuels its appeal.

Simple To Use

QRAT was designed to be user-friendly, appealing to both sophisticated and non-sophisticated threat actors alike. The user interface looks similar to a Customer Relationship Manager program (CRM) that any organization may use and offers an abundance of controls. From this single pane interface, a threat actor can clearly see all of their "client" systems that are connected. Digital adversaries have a multitude of actions they can take on any connected system with just a few clicks of their mouse.

Greater Risks?

What makes QRAT a more of a pronounced risk is the obfuscation it uses to avoid detection. While QRAT is based in Java, QRAT is also hidden under layers of Java encryption when being delivered to a potential target.

This multi-layer encryption makes detection of QRAT much more challenging for systems that are not efficiently monitored. With executable code contained within the Java file, it can be sent directly as an email attachment or compressed into a zip file for delivery. In short, using a Java file or compressing the payload into a zip file only increases the chance of QRAT reaching its target.

Process & Build of QRAT

Payload Delivery Option: Phishing

After the ZIP file is opened and the malicious Java file is clicked:

1.    The payload runs decryption instructions allowing the next level to be opened. (Level 1)

2.    The next level, containing the (QRAT) repeats this process of decryption to install QRAT.
 (Level 2)

3.    With QRAT installed and connection to the host made, the actor now has remote access to the system. (Level 3) 

Qrat Process Option #1

Functionality

From the QRAT interface, the threat actor can see connected IP addresses, upload and download speeds, OS versions, and much more. Files and information can be accessed just as easily as if they were sitting in front of the victim's computer. Adversaries can gather private documents, capture login credentials, access account information, or move laterally through an organization's connected systems. The depth of intrusion possible with QRAT all depends on the intent of the threat actor.

QRAT is For All Skill Levels

QRAT may be moderately sophisticated in its construction, but it is not difficult to deploy or use. Threat actors of all levels can use QRAT and the damage done is limited only by their intent. The combination of SaaS accessibility, intrusion capabilities, and ease of use, only broadens the appeal to threat actors to add QRAT into their arsenal.

Additional Plugins for Additional Access

If the threat actor wanted to increase the intrusion capabilities of QRAT, they have the ability to expand functionality with additional plugins. Plugins are software components that add additional functions to QRAT and enable customization. In short, adding plugins allows the adversary more flexibility and a greater level of intrusion possibilities with QRAT. Some plugins available for QRAT include:

  • Browser Password Dumper
    This plugin allows the threat actor to steal passwords saved in the web browser. 
  • File Browser
    Provides the threat actor the ability to navigate a connected system and files.
  • Keylogger
    If the threat actor wants to track the user's activity, gain access credentials, additional passwords, etc., this plugin allows them to do this by recording keystrokes.

  • Email Password Dumper
    This plugin captures the user's email password. If a threat actor can log into an email account, they have access to all information sent and received, contacts, schedules, and much more.
  • Screen Streaming
    This Plugin allows the threat actor to monitor real time activity letting them see on their screen exactly what the target sees on theirs.


Prolonged System Access

As security experts, we look at a very critical timeline: the time from “detection to ejection” of a malicious threat. Depending on the intent of the threat actor, they may find value in prolonging their stay within the victim's system. The longer the adversary can remain undetected, the deeper the levels of access they may obtain, including moving laterally to other machines within the network.

DigiTrust uses its defense technologies and incident response experts to make this detection to ejection timeline as limited as possible.

RAT Refinement & Expert Defence

Threat actors continue to refine their tools and methods as quickly as security experts develop techniques to defend against them. This refinement is apparent with the advent of Quaverse RAT. As security experts, we continuously research emerging malicious RATs to provide better protection against them and to better understand the adversaries themselves. Employing a level of adversarial emulation allows us to prepare for future threats by further fine-tuning our technology and processes.

DigiTrust Solutions

Understanding the latest intrusion technology and techniques sets The DigiTrust Group apart in the industry. Our evolving threat intelligence fuels the continuous growth of our managed security capabilities across our client community. To provide targeted security and defense, we move beyond identification, extracting the context behind the malicious intrusion whenever possible. Security software tools are powerful, yet results are limited without the application of rich situational context.

People, Processes, and Technology

The right mix of people, processes, and technology is still required to analyze, investigate, and perform incident response on intrusions that leverage tools such as QRAT. Understanding how QRAT entered the system, what it has accessed, how long it has been in the system, is all critical to effectively root causing the incident. The more we understand about QRAT, the higher the probability that we can prevent intrusions like QRAT in the future.


To learn more about DigiTrust’s managed security and consulting
services contact us using the form to the right or call us at (310) 696-4500.



The DigiTrust Group is a managed security services firm that focuses on using advanced people, processes, and technology to proactively provide the highest level of information security at our client organizations. We do this by actively identifying, blocking, and researching attackers hitting our client organizations. In short, we act as a security operations center (SOC) for organizations that either do not have a SOC or require augmented SOC functionality.