Hundreds of organizations all around the world have been targeted in a series of attacks that leverage the Qrypter remote access Trojan (RAT), security firm Forcepoint says.
The malware, often mistaken for the Adwind cross-platform backdoor, has been around for a couple of years, and was developed by an underground group called ‘QUA R&D’, which offers a Malware-as-a-Service (MaaS) platform.
Also known as Qarallax, Quaverse, QRAT, and Qontroller, Forcepoint explains that Qrypter is a Java-based RAT that leverages TOR-based command and control (C&C) servers. It was first detailed in June 2016, after being used in an attack targeting individuals applying for a U.S. Visa in Switzerland.
The malware is typically delivered via malicious email campaigns that usually consist of only a few hundred messages each. However, Qrypter continues to rise in prominence, and three Qrypter-related campaigns observed in February 2018 affected 243 organizations in total, Forcepoint’s security researchers say.
When executed on a victim’s system, Qrypter drops and runs two VBS files in the %Temp% folder, each featuring a random filename. The two scripts are meant to gather information on the firewall and anti-virus products installed on the computers.
Qrypter is a plugin based backdoor that provides attackers with a broad range of capabilities: remote desktop connection, webcam access, file system manipulation, installation of additional files, and task manager control.
The RAT is available for rent for a price of $80, payable in PerfectMoney, Bitcoin-Cash, or Bitcoin. Interested parties can purchase three months or one-year subscriptions for a discounted price, the security researchers discovered.
An older Bitcoin address associated with payments for Qrypter subscriptions was appears to have received a total of 1.69 BT
C (around $13,500 at the time of publishing). This, however, is only one of the addresses that the malware authors use, meaning that their earnings could be much higher.
The malware developers provide support to their customers via a forum called ‘Black&White Guys’, which currently has over 2,300 registered members.
Based on the content of the forum, the researchers were able to discover how QUA R&D operates. The group appears focused on keeping customers happy, and is regularly creating threads to inform and reassure users that their crypting service (available for $5) is fully undetected by anti-virus vendors.
“Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Forcepoint notes.
In addition to interacting with customers, the forum is also used to attract potential resellers, which receive discount codes to help increase Qrypter’s popularity in underground circles. Furthermore, older RAT versions are offered for free to customers, and QUA R&D’s strategy also involves the cracking of competitor products, to create FUD (fear, uncertainty, and doubt) about competition.
“While the Qrypter MaaS is relatively cheap, QUA R&D’s occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free,” Forcepoint concludes.

More from Ionut Arghire
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
- iOS Security Update Patches Exploited Vulnerability in Older iPhones
- Hackers Earn Over $1 Million at Pwn2Own Exploit Contest
- GoAnywhere Zero-Day Attack Hits Major Orgs
- Australia Dismantles BEC Group That Laundered $1.7 Million
- GitHub Rotates Publicly Exposed RSA SSH Private Key
Latest News
- Mandiant Catches Another North Korean Gov Hacker Group
- Microsoft Puts ChatGPT to Work on Automating Cybersecurity
- Video: How to Build Resilience Against Emerging Cyber Threats
- Nigerian BEC Scammer Sentenced to Prison in US
- China’s Nuclear Energy Sector Targeted in Cyberespionage Campaign
- SecurityScorecard Guarantees Accuracy of Its Security Ratings
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- 14 Million Records Stolen in Data Breach at Latitude Financial Services
