SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Qrypter Remote Access Trojan targeting NZ & Australia web domains
Mon, 19th Mar 2018
FYI, this story is more than a year old

A Remote Access Trojan (RAT) called Qrypter is now a major competitor to one of the most well-known RATs in existence, and it has been used to target organisations around the globe, including those in New Zealand and Australia.

A blog post from Forcepoint researcher Roland Dela Paz says that the Qrypter RAT is able to analyse infected systems' firewall and antivirus products, lower security settings and stops some security-related processes from executing.

It connects to a command and control server based on the TOR network. According to Roland Dela Paz, the Qrypter is a plugin-based backdoor that can conduct the following tasks:

Remote desktop connections; file system manipulation; installation of additional files; and control over task manager.

Dela Paz says that Qrypter is now so prominent that even the security community mistakes it for a rival RAT called Adwind.

Qrypter is typically delivered through malicious email campaigns. One sample email asks recipients to open an attachment apparently detailing products, services, payment terms and delivery times.

The malware has been used in a number of campaigns. In February Forcepoint researchers tracked three campaigns that affected 243 organisations.

Of those organisations, more than half had domains ending in .com. Other domains such as .co.uk (UK domains), .co.nz (New Zealand Domains) and .com.au (Australian domains) were also targeted in the attacks.

Qrypter is a Malware-as-a-Service (MaaS) available for cybercriminals to rent for US$80 (NZ$111) per month. It was developed by a group that calls itself QUA R-D, which also offers quarterly or yearly subscriptions.

The group also runs a forum dedicated to the Qrypter malware that has more than 2300 members, suggesting that the group is gaining traction in underground markets.

“The content of this forum reveals the nature of how QUA R-D operates and their efforts to keep their customers happy. For instance, the administrators regularly create threads to inform and reassure their customers that their crypting service, currently sold for US$5, is fully undetected (FUD) by anti-virus vendors,” Dela Paz explains.

In full eCommerce style, the group even offers discounts for resellers and credit returns for unsatisfied cybercriminal customers. Older versions of the RAT are also offered for free.

“Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Dela Paz continues.

The group attempts to crack competitors' RATS to create ‘fear, uncertainty, and doubt' about rival products.

“While the Qrypter MaaS is relatively cheap, QUA R-D's occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by understanding how cybercriminal enterprises such as QUA R-D operate, we are better positioned to develop defense strategies and predict future developments,” Dela Paz concludes.