Qrypter RAT Hits Hundreds of Organizations Worldwide

Hundreds of organizations all around the world have been targeted in a series of attacks that leverage the Qrypter remote access Trojan (RAT), security firm Forcepoint says.

The malware, often mistaken for the Adwind cross-platform backdoor, has been around for a couple of years, and was developed by an underground group called ‘QUA R&D’, which offers a Malware-as-a-Service (MaaS) platform.

Also known as Qarallax, Quaverse, QRAT, and Qontroller, Forcepoint explains that Qrypter is a Java-based RAT that leverages TOR-based command and control (C&C) servers. It was first detailed in June 2016, after being used in an attack targeting individuals applying for a U.S. Visa in Switzerland.

The malware is typically delivered via malicious email campaigns that usually consist of only a few hundred messages each. However, Qrypter continues to rise in prominence, and three Qrypter-related campaigns observed in February 2018 affected 243 organizations in total, Forcepoint’s security researchers say.

When executed on a victim’s system, Qrypter drops and runs two VBS files in the %Temp% folder, each featuring a random filename. The two scripts are meant to gather information on the firewall and anti-virus products installed on the computers.

Qrypter is a plugin based backdoor that provides attackers with a broad range of capabilities: remote desktop connection, webcam access, file system manipulation, installation of additional files, and task manager control.

The RAT is available for rent for a price of $80, payable in PerfectMoney, Bitcoin-Cash, or Bitcoin. Interested parties can purchase three months or one-year subscriptions for a discounted price, the security researchers discovered.

An older Bitcoin address associated with payments for Qrypter subscriptions was appears to have received a total of 1.69 BT
C (around $13,500 at the time of publishing). This, however, is only one of the addresses that the malware authors use, meaning that their earnings could be much higher.

The malware developers provide support to their customers via a forum called ‘Black&White Guys’, which currently has over 2,300 registered members.

Based on the content of the forum, the researchers were able to discover how QUA R&D operates. The group appears focused on keeping customers happy, and is regularly creating threads to inform and reassure users that their crypting service (available for $5) is fully undetected by anti-virus vendors.

“Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Forcepoint notes.

In addition to interacting with customers, the forum is also used to attract potential resellers, which receive discount codes to help increase Qrypter’s popularity in underground circles. Furthermore, older RAT versions are offered for free to customers, and QUA R&D’s strategy also involves the cracking of competitor products, to create FUD (fear, uncertainty, and doubt) about competition.

“While the Qrypter MaaS is relatively cheap, QUA R&D’s occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free,” Forcepoint concludes.

Related: Ongoing Adwind Phishing Campaign Discovered