Story image

Qrypter Remote Access Trojan targeting NZ & Australia web domains

19 Mar 2018

A Remote Access Trojan (RAT) called Qrypter is now a major competitor to one of the most well-known RATs in existence, and it has been used to target organisations around the globe, including those in New Zealand and Australia.

A blog post from Forcepoint researcher Roland Dela Paz says that the Qrypter RAT is able to analyse infected systems’ firewall and antivirus products, lower security settings and stops some security-related processes from executing.

It connects to a command and control server based on the TOR network. According to Roland Dela Paz, the Qrypter is a plugin-based backdoor that can conduct the following tasks:

Remote desktop connections; file system manipulation; installation of additional files; and control over task manager.

Dela Paz says that Qrypter is now so prominent that even the security community mistakes it for a rival RAT called Adwind.

Qrypter is typically delivered through malicious email campaigns. One sample email asks recipients to open an attachment apparently detailing products, services, payment terms and delivery times.

The malware has been used in a number of campaigns. In February Forcepoint researchers tracked three campaigns that affected 243 organisations.

Of those organisations, more than half had domains ending in .com. Other domains such as .co.uk (UK domains), .co.nz (New Zealand Domains) and .com.au (Australian domains) were also targeted in the attacks.

Qrypter is a Malware-as-a-Service (MaaS) available for cybercriminals to rent for US$80 (NZ$111) per month. It was developed by a group that calls itself QUA R&D, which also offers quarterly or yearly subscriptions.

The group also runs a forum dedicated to the Qrypter malware that has more than 2300 members, suggesting that the group is gaining traction in underground markets.

“The content of this forum reveals the nature of how QUA R&D operates and their efforts to keep their customers happy. For instance, the administrators regularly create threads to inform and reassure their customers that their crypting service, currently sold for US$5, is fully undetected (FUD) by anti-virus vendors,” Dela Paz explains.

In full e-commerce style, the group even offers discounts for resellers and credit returns for unsatisfied cybercriminal customers. Older versions of the RAT are also offered for free.

“Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Dela Paz continues.

The group attempts to crack competitors’ RATS to create ‘fear, uncertainty, and doubt’ about rival products.

“While the Qrypter MaaS is relatively cheap, QUA R&D's occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by understanding how cybercriminal enterprises such as QUA R&D operate, we are better positioned to develop defense strategies and predict future developments,” Dela Paz concludes.

Salesforce continues to stumble after critical outage
“To all of our Salesforce customers, please be aware that we are experiencing a major issue with our service and apologise for the impact it is having on you."
D-Link hooks up with Alexa and Assistant with new smart camera
The new camera is designed for outdoor use within a wireless smart home network.
Slack users urged to update to prevent security vulnerability
Businesses that use popular messaging platform Slack are being urged to update their Slack for Windows to version 3.4.0 immediately.
Secureworks Magic Quadrant Leader for Security Services
This is the 11th time Secureworks has been positioned as a Leader in the Gartner Magic Quadrant for Managed Security Services, Worldwide.
Google puts Huawei on the Android naughty list
Google has apparently suspended Huawei’s licence to use the full Android platform, according to media reports.
Using data science to improve threat prevention
With a large amount of good quality data and strong algorithms, companies can develop highly effective protective measures.
General staff don’t get tech jargon - expert says time to ditch it
There's a serious gap between IT pros and general staff, and this expert says it's on the people in IT to bridge it.
ZombieLoad: Another batch of flaws affect Intel chips
“This flaw can be weaponised in highly targeted attacks that would normally require system-wide privileges or a complete subversion of the operating system."