Threat intelligence

Uncovering a Recent Pulsar RAT Sample in the Wild

by Security News

 

Overview

This week, the SonicWall Capture Labs Threat Research Team analyzed an obfuscated .NET trojan frequently used in malicious campaigns. Pulsar RAT is an open-source remote access tool derived from another open-source RAT named Quasar. Pulsar adds capabilities such as hooking clipboard changes, capturing webcam images, bypassing UAC, and sending the results back to the attackers.

Infection Cycle

The analyzed sample is a .NET executable. Upon execution, the application runs as a hidden Windows Forms process and does not show a visible user interface.

Fig 1. Code responsible for running the application silently in the background (image: hidden_execution.png)

It then checks for virtualized environments, sandboxes, and debuggers, most likely to evade analysis. If such an environment is detected, execution terminates.

Fig 2. The malware checks if it is running in a sandbox or virtual environment (image: Virtualization_check.png)

It then disables UAC (User Account Control), suppressing the prompts that would otherwise notify the user when a program tries to make changes to the computer.

Fig 3. Disables UAC via the registry (image: disable_uac.png)

It also relaunches itself with elevated privileges: it creates a temporary batch file (.bat) that is launched through a legitimate Windows program named computerdefaults.exe, which avoids the UAC prompt and effectively re-runs the malware with elevated privileges.

Fig 4. Malware creates a bat file and adds a registry key to relaunch itself with elevated privileges (image: malware_using_computerdefaults.exe.png)

It then establishes a connection to a remote host. 

Fig 5. Code showing the C2 configuration and the connection to attacker infrastructure (image: remote_host_connect.png)

During our analysis, this malware connected to 185[.]132[.]53[.]17, but no data was transmitted.

Fig 6. Connection to a remote C2 server (image: remote_c2)
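As an added illustration (not SonicWall's code or its detection signatures), the following Python script shows how a defender could flag the three behaviours described above in process, registry and network telemetry: the registry write that disables UAC, the relaunch through computerdefaults.exe with a temporary batch file, and the outbound connection to the C2 address reported in this analysis. The events are constructed to resemble Sysmon logs; the registry value name EnableLUA is an assumption, since the page does not name the value written, and the field names follow Sysmon's schema.

```python
"""Detection logic for the Pulsar RAT behaviours described above, run over
constructed Sysmon-style events. Added example, not SonicWall's code."""
import re

# Network IOC taken from the analysis above, kept defanged and refanged at runtime.
C2_IOCS_DEFANGED = ["185[.]132[.]53[.]17"]

# Assumption: the page says UAC is disabled via the registry but does not name
# the value; EnableLUA under the Policies\System key is the standard UAC switch.
UAC_VALUE_RE = re.compile(r"\\Policies\\System\\EnableLUA$", re.IGNORECASE)

# A .bat file launched from a Temp directory, as described for the relaunch step.
TEMP_BAT_RE = re.compile(r'\\Temp\\[^\\\s"]+\.bat\b', re.IGNORECASE)


def refang(ioc):
    """Turn a defanged indicator (185[.]132[.]53[.]17) back into a plain address."""
    return ioc.replace("[.]", ".")


C2_IOCS = {refang(i) for i in C2_IOCS_DEFANGED}


def check_event(ev):
    """Return the list of rule names triggered by one event (empty if benign)."""
    hits = []
    eid = ev.get("EventID")
    if eid == 13:  # Sysmon RegistryEvent: value set
        target = ev.get("TargetObject", "")
        m = re.search(r"0x([0-9A-Fa-f]+)", str(ev.get("Details", "")))
        # Only a write of 0 disables UAC; writes of 1 are legitimate re-enables.
        if UAC_VALUE_RE.search(target) and m and int(m.group(1), 16) == 0:
            hits.append("uac_disabled_registry")
    elif eid == 1:  # Sysmon ProcessCreate
        parent = ev.get("ParentImage", "").lower()
        cmd = ev.get("CommandLine", "")
        if parent.endswith("\\computerdefaults.exe") and TEMP_BAT_RE.search(cmd):
            hits.append("computerdefaults_bat_relaunch")
    elif eid == 3:  # Sysmon NetworkConnect
        if ev.get("DestinationIp") in C2_IOCS:
            hits.append("c2_connection")
    return hits


def scan(events):
    """Run every rule over every event; returns (rule, image) pairs."""
    return [(rule, ev.get("Image", "?")) for ev in events for rule in check_event(ev)]


# Constructed sample events modelled on Sysmon fields; paths and names are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\victim\\AppData\\Roaming\\update.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe",
     "ParentImage": "C:\\Windows\\System32\\computerdefaults.exe",
     "CommandLine": "C:\\Windows\\System32\\cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\tmp1A2B.bat"},
    {"EventID": 3, "Image": "C:\\Users\\victim\\AppData\\Roaming\\update.exe",
     "DestinationIp": "185.132.53.17"},
    # Benign events that must not fire.
    {"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 13, "Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 3, "Image": "C:\\Program Files\\Browser\\browser.exe",
     "DestinationIp": "1.1.1.1"},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {image}")
```

The rules are deliberately narrow: a write of 1 to EnableLUA or a normal child of explorer.exe does not fire, so the script can be extended with further constructed events to check that each rule stays specific to the behaviour it names.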

Some of the notable features of this Trojan include screen, webcam, and audio surveillance.

Fig 7. Message handler module for enumerating available webcams to capture images or stream video remotely (image: webcam_surveillance.png)

It is also capable of quietly extracting saved passwords, session cookies, and other data stored in web browsers.

Fig 8. Dynamically loading Firefox libraries (DLLs) to decrypt and extract saved credentials (image: browser_creds_theft.png)

It also includes functionality to monitor the system clipboard for cryptocurrency wallet addresses.

Fig 9. Code that monitors clipboard changes and detects wallet addresses via regex (image: cryptocurrency_clipboard_hijacker_module.png)

SonicWall Protection

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Pulsar.RAT (Trojan)

This threat is also detected by SonicWall Capture ATP with RTDMI™ and the Capture Client endpoint solution.


An Article By

Security News

The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.