216.73.217.86

Under the SADBRIDGE with GOSAR: QUASAR Gets a Golang Rewrite

· Published 16/12/2024 12:44 · Modified 16/12/2024 14:04

Export JSON

Essential information

Published
16/12/2024 12:44
Modified
16/12/2024 14:04
Tags
2024-12-16 backdoor golang gosar keylogger quasar sadbridge
Related entities
13 observables, 1 intrusion sets (apt), 11 techniques (mitre), 3 malware, 1 others

Description

Elastic Security Labs has uncovered a new intrusion set targeting Chinese-speaking regions, dubbed REF3864. The threat group employs a custom loader called to deploy , a -based reimplementation of the . The infection chain involves trojanized MSI installers masquerading as legitimate software, utilizing DLL side-loading and injection techniques. extends 's capabilities with additional information-gathering features, multi-OS support, and improved evasion tactics. The malware employs various persistence mechanisms and privilege escalation techniques, including UAC bypass and abuse of Windows Task Scheduler. 's functionalities include system information retrieval, screenshot capture, command execution, and keylogging, among others.

External references