A look into Qrypter, Adwind’s major rival in the cross-platform MaaS market

When it comes to cantankerous-platform backdoors, Adwind is arguably the most popular and documented remote access tool (RAT) out there. However in the last 2 years, an underground group calling themselves ‘QUA R&D’ accept been decorated developing and improving a similar Malware-as-a-Service (MaaS) platform to the point that they have now become a major competitor to Adwind. In fact, QUA R&D’s RAT – sold under the name ‘Qrypter’ – is often mistaken by the security community every bit Adwind.

Overview

Qrypter is a Java-based RAT that uses TOR-based command and command (C2) servers. It was commencement made available in March 2016 and has gone by several names over the years including Qarallax, Quaverse, QRAT, and Qontroller.

In June 2016 the malware was used to target individuals applying for a US Visa in Switzerland, resulting in the family unit’s start coverage in the security manufacture.

Today, Qrypter continues to rise in prominence, typically existence delivered via malicious email campaigns such as the one shown below.

While Qrypter is usually used in smaller attacks that evangelize only a few hundred emails per entrada, it affects many organizations worldwide. In Feb 2018 nosotros tracked three Qrypter-related campaigns that affected 243 organizations in full. The graph below provides a breakdown of the recipient TLDs in these campaigns:

Assay

Upon execution, Qrypter drops and executes ii VBS files in the %Temp% folder using random filenames. These scripts are used to collect details of any firewall and anti-virus products on the victim’s PC:

Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2") Gear up colItems = oWMI.ExecQuery("Select * from FirewallProduct") For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End With Adjacent
      
ASCII Strings: ===================== Set oWMI = GetObject("winmgmts: impersonationLevel=impersonate \\.\root\SecurityCenter2") Set colItems = oWMI.ExecQuery("Select  from AntiVirusProduct") For Each objItem in colItems With objItem WScript.Repeat " ""AV"":"""  .displayName  Terminate With
      

It then executes a .REG file which is also dropped in the %Temp% folder using a random filename. This lowers the system’south overall security settings and prevents a long list of forensics- and security-related processes from executing. Furthermore, the same list of processes are subsequently terminated by the malware past running the Windowstaskkillcommand.

It drops a copy of itself and create the following registry as an autostart mechanism:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run {random strings} "%AppData%\Oracle\bin\javaw.exe" -jar \"%USERPROFILE%\{random strings}\{random strings}.txt
      

Finally, it connects to its TOR based command and command server, vvrhhhnaijyj6s2m[.]onion[.]acme. As a plugin based backdoor, Qrypter is able to execute a range backdoor functionality including:

  • Remote desktop connection
  • Webcam access
  • File system manipulation
  • Installation of additional files
  • Task manager command

Concern model

Like to Adwind, Qrypter is rented monthly for the price of 80 USD, payable in PerfectMoney, Bitcoin-Cash, or Bitcoin. Customers tin can too pay for 3 months or ane year subscriptions for a discounted price. An older Bitcoin address that receives payment for Qrypter subscriptions was observed to have received a total of 1.69 BTC. This is roughly 16,500 USD at the time of writing (although given the volatility of Bitcoin, this is subject to rapid change).

It is worth noting that this just reveals earnings from one of the QUA-related cryptocurrency addresses and that the total across all wallets and currencies is probable to be much higher.

In club to provide support to their customers, QUA R&D runs a forum called ‘Black&White Guys’ for discussing annihilation related to the Qrypter MaaS. This forum currently lists 2,325 registered members:

The content of this forum reveals the nature of how QUA R&D operates and their efforts to go on their customers happy. For instance, the administrators regularly create threads to inform and reassure their customers that their crypting service, currently sold for 5 USD, is fully undetected (FUD) by anti-virus vendors. If customers are unsatisfied, credit returns are offered:

Indeed, ensuring their product is fully undetectable is one of the primary priorities for the group and potentially explains why even subsequently about ii years Qrypter remains largely undetected by anti-virus vendors.

While the forum is predominantly for Qrypter customers, information technology is also used to attract potential resellers for their product. Resellers are provided with discount codes – just equally with legitimate businesses – which helps them to increment Qrypter’due south popularity in underground circles:

In a similar vein, older versions of the RAT version are offered to customers for complimentary.

Interestingly, cracking competitor products appear to be some other part of QUA R&D’s strategy – the postal service beneath shows an administrator announcing that they take cracked Unknown RAT. This is presumably to generate the other kind of FUD (i.e. ‘fear, incertitude, and incertitude’) about their competition.

Similar posts advise that even in their early on days the QUA R&D group considered JBifrost, an Adwind allonym, to be their primary competitor and take taken similar measures to sway would-be customers.

Protection statement

Forcepoint customers are protected confronting this threat at the post-obit stages of assail:

Stage 2 (Lure) – Malicious e-mails associated with this attack are identified and blocked.

Decision

This post highlights the conclusion of QUA R&D to replace the infamous Adwind in the cross-platform MaaS business concern. With 2 years of functioning and over 2K registered users in their forum, information technology appears that they are getting increasing traction in hugger-mugger circles.

While the Qrypter MaaS is relatively cheap, QUA R&D’s occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by agreement how cybercriminal enterprises such as QUA R&D operate, we are improve positioned to develop defense strategies and predict future developments.

Indicators of Compromise

Qrypter SHA-256

445a73d4dc4c76b73d35233b2bfba3ee178eb2605def1542c2267375db1ee24c
      

Qrypter C2s

vvrhhhnaijyj6s2m[.]onion[.]top buzw55o32jgyznev[.]onion[.]top
      

Source: https://www.forcepoint.com/blog/x-labs/look-qrypter-adwind%E2%80%99s-major-rival-cross-platform-maas-market

Check Also

Will Dogecoin Go Up In Value

Will Dogecoin Go Up In Value

On Dec. 6, 2013, Billy Markus and Jackson Palmer decided to combine their dearest of …