Story image

Qrypter Remote Access Trojan targeting NZ & Australia web domains

19 Mar 2018

A Remote Access Trojan (RAT) called Qrypter is now a major competitor to one of the most well-known RATs in existence, and it has been used to target organisations around the globe, including those in New Zealand and Australia.

A blog post from Forcepoint researcher Roland Dela Paz says that the Qrypter RAT is able to analyse infected systems’ firewall and antivirus products, lower security settings and stops some security-related processes from executing.

It connects to a command and control server based on the TOR network. According to Roland Dela Paz, the Qrypter is a plugin-based backdoor that can conduct the following tasks:

Remote desktop connections; file system manipulation; installation of additional files; and control over task manager.

Dela Paz says that Qrypter is now so prominent that even the security community mistakes it for a rival RAT called Adwind.

Qrypter is typically delivered through malicious email campaigns. One sample email asks recipients to open an attachment apparently detailing products, services, payment terms and delivery times.

The malware has been used in a number of campaigns. In February Forcepoint researchers tracked three campaigns that affected 243 organisations.

Of those organisations, more than half had domains ending in .com. Other domains such as .co.uk (UK domains), .co.nz (New Zealand Domains) and .com.au (Australian domains) were also targeted in the attacks.

Qrypter is a Malware-as-a-Service (MaaS) available for cybercriminals to rent for US$80 (NZ$111) per month. It was developed by a group that calls itself QUA R&D, which also offers quarterly or yearly subscriptions.

The group also runs a forum dedicated to the Qrypter malware that has more than 2300 members, suggesting that the group is gaining traction in underground markets.

“The content of this forum reveals the nature of how QUA R&D operates and their efforts to keep their customers happy. For instance, the administrators regularly create threads to inform and reassure their customers that their crypting service, currently sold for US$5, is fully undetected (FUD) by anti-virus vendors,” Dela Paz explains.

In full e-commerce style, the group even offers discounts for resellers and credit returns for unsatisfied cybercriminal customers. Older versions of the RAT are also offered for free.

“Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Dela Paz continues.

The group attempts to crack competitors’ RATS to create ‘fear, uncertainty, and doubt’ about rival products.

“While the Qrypter MaaS is relatively cheap, QUA R&D's occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by understanding how cybercriminal enterprises such as QUA R&D operate, we are better positioned to develop defense strategies and predict future developments,” Dela Paz concludes.

New threat rears its head in new malware report
Check Point’s researchers view Speakup as a significant threat, as it can be used to download and spread any malware.
Oracle updates enterprise blockchain platform
Oracle’s enterprise blockchain has been updated to include more capabilities to enhance development, integration, and deployment of customers’ new blockchain applications.
Used device market held back by lack of data security regulations
Mobile device users are sceptical about trading in their old device because they are concerned that data on those devices may be accessed or compromised after they hand it over.
Gartner names ExtraHop leader in network performance monitoring
ExtraHop provides enterprise cyber analytics that deliver security and performance from the inside out.
Symantec acquires zero trust innovator Luminate Security
Luminate’s Secure Access Cloud is supposedly natively constructed for a cloud-oriented, perimeter-less world.
Palo Alto releases new, feature-rich firewall
Palo Alto is calling it the ‘fastest-ever next-generation firewall’ with integrated cloud-based DNS Security service to stop attacks.
The right to be forgotten online could soon be forgotten
Despite bolstering free speech and access to information, the internet can be a double-edged sword, because that access to information goes both ways.
Opinion: 4 Ransomware trends to watch in 2019
Recorded Future's Allan Liska looks at the past big ransomware attacks thus far to predict what's coming this year.