Researchers at cybersecurity firm F-Secure have uncovered a malware named Qarallax (QRAT), a remote access trojan (RAT), being distributed through Skype. The scammers, posing as government personnel offering guidance on U.S. visa applications, are currently targeting Swiss nationals, and possibly other travelers around the world.
According to the F-Secure’s report and a sample provided by security consultant Hamid Kashfi, victims were sent a file named US Travel Docs Information.jar, which is an application that can run on operating systems installed with the Java Runtime Environment. QRAT has exfiltration and spying capabilities such as capturing keystrokes, mouse clicks and cursor movement as well as the ability to remotely operate the machine’s web camera to take snapshots or record videos.
F-Secure’s Frederic Vila disclosed that the malicious Java file is downloaded from the QARALLAX domain, while its IP address is also used as the command and control server (C&C). Vila noted that there are other application hosted on the C&C, one of which is a relabeled version of LaZagne, an open source tool used to retrieve passwords stored on local devices, such as Wi-Fi credentials, web browsers and chat applications, as well as database and mail programs. LaZagne currently works on 22 Microsoft Windows programs and 12 on Linux/Unix-run operating systems.
Like other RATs such as Lost Door, BlackShades, Dendroid and RCSAndroid, QRAT also operates under a malware-as-a-service business model, renting out the trojan to other cybercriminals. The price varies from $22 to $900, depending on the duration for which the buyers want to rent the malware. The "rent period" ranges from five days to a full year.
Given that QRAT is being rented out, the threat actors are unknown as of yet—the IP address is registered in Netherlands but the domain has a WHOIS history linking it to Turkey. The malware is thought to be Arabic in origin as strings “allah” and “hemze” were found obfuscated in the code.
Skype is no stranger to being used as platform to serve malware to unknowing users and businesses. Three years ago, Skype and other similar IM applications were used as a vector to distribute Liftoh (detected by Trend Micro as BKDR_LIFTOH.DBT). Users were sent a malicious link posing as an image from someone on the user’s contact list. If clicked, they are redirected to a website that downloads a weaponized .ZIP file containing the malware. Banking and information-stealing trojan Shylock (detected by Trend Micro as WORM_BUBLIK.GX) was also distributed this way.
In June 2015, security behavior management company PhishMe helped disrupt a campaign that utilized Skype to distribute adware. The campaign was cited to be a part of an affiliate program where attackers are paid for every successful installation of the adware.
In a report by security firm Palo Alto Networks published last February 4th, researchers Josh Grunzweig and Jen Miller-Osborn uncovered a backdoor trojan, disguised an exploit-laden RTF file (Rich Text Format), that records and takes screenshots of all kinds of Skype activity—all while avoiding detection by 24 security products. Its primary targets were organizations in the U.S.
[From the Security Intelligence Blog: Lost Door RAT: Accessible, Customizable Attack Tool]
Victims who have been sent QRAT noticed that the Skype account sending the malicious Java file had spelling mistakes—the official Skype account is “ustraveldocs-switzerland”, whereas the fake one used by the scammers is “ustravelidocs- Switzerland” (the latter had an extra ‘i’ and space).
In addition, Vila’s Skype search of “ustravelidocs” revealed that the cybercriminals may potentially be attempting to target 20 other countries: Bulgaria, China, Cambodia, Dominican Republic, Finland, Germany, Hungary , Indonesia, Kazakhstan, Kuwait, Laos, Morocco, Oman, Pakistan, Philippines, Saudi Arabia, Singapore, Taiwan, Thailand and Vietnam.
Vila advised, “If you are going to look for information on travel visas, you need to double check the Skype handle and the document that you have received. Be aware that a lowercase “l” can be confused with a capital “I” or the number one (1); or a capital “O” can be confused with a zero (0). There are many ways people can be victimized, but with some scrutiny it can be prevented.”
Like it? Add this infographic to your site:
1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).
Image will appear the same size as you see above.