Pierluigi Paganini
March 15, 2018
A new strain of remote access Trojan dubbed Qrypter RAT (aka Qarallax, Quaverse, QRAT, and Qontroller) hit hundreds of organizations worldwide.
The malware was spotted by security firm Forcepoint, it has been around for a couple of years, it was first analyzed in June 2016, after being used in an attack targeting individuals applying for a U.S. Visa in Switzerland.
The author of Qrypter RAT is an underground group called ‘QUA R&D’ that operates a Malware-as-a-Service (MaaS) platform.
Qrypter RAT is a Java-based RAT that leverages TOR-based command and control (C&C) servers (vvrhhhnaijyj6s2m[.]onion[.]top.). The malware is delivered via small malspam campaigns, in February the researchers observed three campaigns that hit 243 organizations.
“In June 2016 the malware was used to target individuals applying for a US Visa in Switzerland, resulting in the family’s first coverage in the security industry.
Today, Qrypter continues to rise in prominence, typically being delivered via malicious email campaigns such as the one shown below.” reads the analysis published by Forcepoint.”
“While Qrypter is usually used in smaller attacks that deliver only a few hundred emails per campaign, it affects many organizations worldwide. In February 2018 we tracked three Qrypter-related campaigns that affected 243 organizations in total.”
Upon execution on the victim’s device, the Qrypter RAT drops and runs two VBS files in the %Temp% folder, both having a random filename. The scripts are used by the RAT to gather information on the firewall and anti-virus products installed on the victim’s machine.
The malware gain persistence by using Windows registry, in this way it is executed every time the machine restarts.
Qrypter is a modular malware, its main features are:
The Qrypter RAT is available for rent for a price of $80, users can pay it in PerfectMoney, Bitcoin-Cash, or Bitcoin. The authors offer a discount for three months or one-year subscriptions and provide support to their customers via a forum called ‘Black&White Guys’, which has over 2,300 registered members.
“An older Bitcoin address that receives payment for Qrypter subscriptions was observed to have received a total of 1.69 BTC. This is roughly 16,500 USD at the time of writing (although given the volatility of Bitcoin, this is subject to rapid change).” continues the analysis.
The authors are very active and continuously update their malware to make it undetectable to security software, for this reason, even “after nearly two years Qrypter remains largely undetected by anti-virus vendors.”
The business model of malware author is very effective, they use the forum also to offer discount codes and older RAT versions for free to customers, a strategy that allows them to increase their popularity in the criminal underground.
“This post highlights the determination of QUA R&D to replace the infamous Adwind in the cross-platform MaaS business. With two years of operation and over 2K registered users in their forum, it appears that they are getting increasing traction in underground circles.”
“While the Qrypter MaaS is relatively cheap, QUA R&D’s occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by understanding how cybercriminal enterprises such as QUA R&D operate, we are better positioned to develop defense strategies and predict future developments.”
Further info, including IoCs are available in the report.
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – Qrypter RAT, malware)
[adrotate banner=”5″]
[adrotate banner=”13″]
