On February 2, 2017, it was reported that researchers had detected a threat actor targeting government entities in the Middle East with the Downeks downloader and the Quasar remote access Trojan (RAT). The attack begins with an initial dropper named "Joint Ministerial Council between the GCC and the EU Council.exe." On execution, the dropper writes out an embedded copy of the Downeks downloader under the file name 'ati.exe.' Downeks commonly disguises itself with icons, file names, and file metadata that imitate legitimate applications such as VMware. The downloader then makes a POST request to dw.downloadtesting[.]com, which leads to the installation of Quasar RAT, an open-source RAT built on the .NET Framework. Downeks' infrastructure is linked to DustySky, a campaign run by the Gaza cybergang against IT and incident response (IR) staff in the Middle East.
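As an added illustration (not code from the digest or its source), the following Python hunts for the indicators named above across constructed proxy and process-creation logs. The log layouts, hostnames, IP addresses and user names are hypothetical; only the dropper name, 'ati.exe' and the C2 domain come from the digest. Note the caveat in the code: 'ati.exe' is a short, generic file name, so a basename match is a lead to triage, not a conviction.

```python
"""Hunt for the Downeks/Quasar indicators named in the digest across constructed log samples."""
import re
from dataclasses import dataclass

# Indicators as given in the digest (domain kept defanged, as reports print it).
DROPPER_NAME = "Joint Ministerial Council between the GCC and the EU Council.exe"
EMBEDDED_DOWNLOADER = "ati.exe"
C2_HOST_DEFANGED = "dw.downloadtesting[.]com"


def refang(indicator: str) -> str:
    """Convert report-style defanging ('[.]', 'hxxp') into a matchable string."""
    return (indicator.replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


@dataclass(frozen=True)
class Hit:
    source: str        # "proxy" or "process"
    host_or_user: str  # client IP for proxy hits, host\user for process hits
    reason: str
    line: str


# Hypothetical proxy log layout (constructed for this example):
#   <ISO timestamp> <client_ip> <METHOD> <url> <status>
PROXY_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")


def url_host(url: str) -> str:
    """Return the lowercase host part of an absolute URL, or '' if it cannot be parsed."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/?#:]+)", url, re.IGNORECASE)
    return m.group(1).lower() if m else ""


def hunt_proxy_log(lines):
    """Flag any request to the Downeks C2 host; a POST is the beacon the digest describes."""
    c2 = refang(C2_HOST_DEFANGED)
    hits = []
    for line in lines:
        m = PROXY_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip it rather than abort the hunt
        _ts, client_ip, method, url, _status = m.groups()
        host = url_host(url)
        if host == c2 or host.endswith("." + c2):
            reason = "Downeks C2 POST" if method == "POST" else "contact with Downeks C2 host"
            hits.append(Hit("proxy", client_ip, reason, line))
    return hits


# Hypothetical process-creation log layout (constructed for this example):
#   <ISO timestamp> <host> <user> <image path, may contain spaces>
PROC_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.+)$")


def hunt_process_log(lines):
    """Flag execution of the dropper or the extracted Downeks binary by image file name.

    Caveat: 'ati.exe' is a generic name that legitimate software may also use, so a
    basename hit is a triage lead; confirm with a file hash or code-signing check.
    """
    wanted = {
        DROPPER_NAME.lower(): "Downeks dropper executed",
        EMBEDDED_DOWNLOADER.lower(): "Downeks downloader (ati.exe) executed",
    }
    hits = []
    for line in lines:
        m = PROC_RE.match(line.strip())
        if not m:
            continue
        _ts, host, user, image = m.groups()
        basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename in wanted:
            hits.append(Hit("process", f"{host}\\{user}", wanted[basename], line))
    return hits


# Constructed sample logs (hypothetical hosts, users and addresses).
SAMPLE_PROXY_LOG = [
    "2017-02-01T09:14:02Z 10.20.5.17 GET http://www.example.org/index.html 200",
    "2017-02-01T09:15:44Z 10.20.5.17 POST http://dw.downloadtesting.com/ 200",
    "2017-02-01T09:16:01Z 10.20.5.31 GET https://dw.downloadtesting.com/update 404",
    "garbage line that does not parse",
]
SAMPLE_PROCESS_LOG = [
    "2017-02-01T09:13:50Z WS-017 jdoe C:\\Users\\jdoe\\Downloads\\"
    "Joint Ministerial Council between the GCC and the EU Council.exe",
    "2017-02-01T09:13:58Z WS-017 jdoe C:\\Users\\jdoe\\AppData\\Local\\Temp\\ati.exe",
    "2017-02-01T09:20:00Z WS-022 asmith C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_PROXY_LOG) + hunt_process_log(SAMPLE_PROCESS_LOG):
        print(f"[{hit.source}] {hit.host_or_user}: {hit.reason}")
```

The proxy check matches the C2 host and any subdomain of it, and distinguishes the POST beacon from other contact so an analyst can prioritise; the process check normalises path separators before comparing basenames so it works on paths logged with either slash style.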
Source: tripwire.com, February 2, 2017