The Qrypter RAT infected 243 organizations worldwide last month, and the trojan's popularity keeps increasing.
The Qrypter RAT (aka Qarallax, Quaverse, QRAT, and Qontroller) is a brand new strain of remote access trojan that has hit hundreds of organizations all over the world.
According to Forcepoint, the malware was created a couple of years ago. The security researchers first analyzed Qrypter RAT in June 2016, after it was used to attack individuals applying for a U.S. Visa in Switzerland.
The developer of Qrypter RAT is the underground group ‘QUA R&D’ which operates a Malware-as-a-Service (MaaS) platform.
The malware is a Java-based RAT that communicates with Tor-based command and control (C&C) servers (vvrhhhnaijyj6s2m[.]onion[.]top), and it is distributed via small malspam campaigns. Last month, the experts tracked three spam campaigns that infected 243 organizations.
“In June 2016 the malware was used to target individuals applying for a US Visa in Switzerland, resulting in the family’s first coverage in the security industry. Today, Qrypter continues to rise in prominence, typically being delivered via malicious email campaigns such as the one shown below,” the Forcepoint analysis states.
“While Qrypter is usually used in smaller attacks that deliver only a few hundred emails per campaign, it affects many organizations worldwide. In February 2018 we tracked three Qrypter-related campaigns that affected 243 organizations in total.”
When installed on the user’s device, the Qrypter RAT drops and runs two VBS files in the %Temp% folder, both having a random filename. The RAT uses the scripts to gather information on the firewall and anti-virus products installed on the victim’s computer.
The Qrypter RAT gains persistence through the Windows registry, so the malware is executed every time the computer restarts.
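A defender-side triage check for the two behaviours just described, written for this article as an added example (not Forcepoint's tooling): it flags randomly named .vbs files in a %Temp% listing and autorun entries that launch a JAR, which is the shape a Java-based RAT's persistence takes. The Run-key location, the javaw.exe launcher and every sample entry are constructed assumptions; the page itself does not name the registry key.

```python
import math
import re

# Constructed sample of a %Temp% directory listing (not real Qrypter artifacts).
TEMP_LISTING = [
    "hsperfdata_alice",
    "wct1A2B.tmp",
    "xk9qz2lm.vbs",
    "p0a8dq3r.vbs",
    "setup_notes.vbs",
]

# Constructed sample of autorun values. The article says only "Windows registry";
# the Run key and a javaw.exe launcher are assumptions made for this example.
RUN_VALUES = {
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": r"C:\Program Files\Java\jre1.8.0_161\bin\javaw.exe -jar C:\Users\alice\AppData\Roaming\xk9qz2lm.jar",
}

# Matches a java/javaw launcher followed by a -jar argument.
JAVA_LAUNCH = re.compile(r"\bjavaw?(?:\.exe)?\b.*\s-jar\s", re.IGNORECASE)


def shannon_entropy(text):
    """Bits per character; an 8-character stem with no repeats scores 3.0."""
    counts = {c: text.count(c) for c in set(text)}
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def looks_random(stem, min_len=6, min_entropy=2.5):
    """Alphanumeric-only stem mixing letters and digits with high entropy."""
    return (len(stem) >= min_len
            and stem.isalnum()
            and any(c.isdigit() for c in stem)
            and any(c.isalpha() for c in stem)
            and shannon_entropy(stem) >= min_entropy)


def suspicious_vbs(listing):
    """VBS files in %Temp% whose names look randomly generated."""
    return [f for f in listing
            if f.lower().endswith(".vbs") and looks_random(f.rsplit(".", 1)[0])]


def java_run_entries(run_values):
    """Autorun values that launch a JAR rather than a normal executable."""
    return [name for name, cmd in run_values.items() if JAVA_LAUNCH.search(cmd)]


def assess(listing, run_values):
    """Combine both signals; either alone is a lead, both together is a strong hit."""
    vbs, jars = suspicious_vbs(listing), java_run_entries(run_values)
    return {"vbs": vbs, "run": jars, "suspicious": bool(vbs) and bool(jars)}
```

On a live host the listing would come from os.listdir on %Temp% and the Run values from the winreg module; the heuristics themselves do not change.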
Qrypter is a modular malware and its main features are:
- Remote desktop connection
- Webcam access
- File system manipulation
- Installation of additional files
- Task manager control
A Qrypter RAT subscription can be rented for $80, payable in PerfectMoney, Bitcoin Cash, or Bitcoin.
The malware creators offer a discount for three months or one-year subscriptions and provide support to their customers via a forum called ‘Black&White Guys’, which has over 2,300 registered members.
“An older Bitcoin address that receives payment for Qrypter subscriptions was observed to have received a total of 1.69 BTC. This is roughly 16,500 USD at the time of writing (although given the volatility of Bitcoin, this is subject to rapid change),” the analysis reads.
The developers of Qrypter RAT are very active and keep updating the malware so that security software does not detect it. This is why “after nearly two years Qrypter remains largely undetected by anti-virus vendors,” and its popularity continues to increase.