Qrypter Remote Access Trojan targeting NZ & Australia web domains

19 Mar 2018

A Remote Access Trojan (RAT) called Qrypter is now a major competitor to one of the most well-known RATs in existence, and it has been used to target organisations around the globe, including those in New Zealand and Australia.

A blog post from Forcepoint researcher Roland Dela Paz says that the Qrypter RAT is able to analyse infected systems’ firewall and antivirus products, lower security settings and stop some security-related processes from executing.

It connects to a command and control server hosted on the TOR network. According to Roland Dela Paz, Qrypter is a plugin-based backdoor that can conduct the following tasks:

Remote desktop connections; file system manipulation; installation of additional files; and control over task manager.

Dela Paz says that Qrypter is now so prominent that even the security community mistakes it for a rival RAT called Adwind.

Qrypter is typically delivered through malicious email campaigns. One sample email asks recipients to open an attachment apparently detailing products, services, payment terms and delivery times.

The malware has been used in a number of campaigns. In February Forcepoint researchers tracked three campaigns that affected 243 organisations.

Of those organisations, more than half had domains ending in .com. Other domains such as .co.uk (UK domains), .co.nz (New Zealand domains) and .com.au (Australian domains) were also targeted in the attacks.

Qrypter is a Malware-as-a-Service (MaaS) available for cybercriminals to rent for US$80 (NZ$111) per month. It was developed by a group that calls itself QUA R&D, which also offers quarterly or yearly subscriptions.

The group also runs a forum dedicated to the Qrypter malware that has more than 2300 members, suggesting that the group is gaining traction in underground markets.

“The content of this forum reveals the nature of how QUA R&D operates and their efforts to keep their customers happy. For instance, the administrators regularly create threads to inform and reassure their customers that their crypting service, currently sold for US$5, is fully undetected (FUD) by anti-virus vendors,” Dela Paz explains.

In full e-commerce style, the group even offers discounts for resellers and credit returns for unsatisfied cybercriminal customers. Older versions of the RAT are also offered for free.

“Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even after nearly two years Qrypter remains largely undetected by anti-virus vendors,” Dela Paz continues.

The group attempts to crack competitors’ RATs to create ‘fear, uncertainty, and doubt’ about rival products.

“While the Qrypter MaaS is relatively cheap, QUA R&D's occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by understanding how cybercriminal enterprises such as QUA R&D operate, we are better positioned to develop defense strategies and predict future developments,” Dela Paz concludes.