QRAT Malware Targets Visa Applicants on Skype

June 23, 2016 | By Natasha Devotta

Skype has become part of everyday online video communication. It is a popular software application that provides text chat, video chat and voice calls. While there are other similar products, its features and functionality are comparatively much better. Because Skype is so widely used, cyber criminals have been induced to exploit its popularity to spread adware. Malware threats to Skype users can be prevented through internet security.

Recently, Skype users who had applied or were applying for a US visa in Switzerland were targeted with a sophisticated malware known as the Qarallax RAT (QRAT). Specifically, travelers planning a trip to the US who were trying to find out how to obtain a US visa were targeted. Posing as US officials, the cyber criminals offered their assistance to visa seekers. They sent a file named US Travel Docs Information.jar from a Skype account with the id ustravelidocs-switzerland. The id and file name look authentic unless you notice the error in the id: a typo, an extra "i" between "ustravel" and "docs". While this detail matters, it may not be seen as a grave error, but it is exactly the kind of indication users should generally be aware and wary of.

Malicious QRAT Records Keystrokes

In this case, the file was malicious. It was a ".jar" Java application that runs in the background. Files with this extension can run on any operating system that has a JRE (Java Runtime Environment) installed, which is quite common. The application then downloads the Java libraries it needs, after which the malware installs itself and connects to a command and control server. QRAT can record keystrokes, mouse clicks and mouse movements. It can also take control of the webcam and surreptitiously take photos and videos. If the system had an effective antivirus that auto-sandboxed all new, suspicious files, this malware infection could have been stopped.

The recorded data is then sent to the cyber criminals, and because this takes place in the background, the users were not aware of the infection. The cyber criminals also attempted to install malware that could retrieve passwords from internet browsers, mail programs, chat programs and other stored login credentials.

The investigation revealed that numerous other fake Skype ids had been created to target US visa applicants in other countries; the Skype directory showed "ustravelidocs-switzerland", "ustravelidocs-china" and similar ids aimed at visa applicants of other countries.
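Two defender-side checks that would have flagged the lure described above, written here as an added example (not code from the original article or from any vendor): a look-alike test for contact ids that differ from a known id by an inserted letter, and a test for whether a received file is a .jar that a JRE will execute. The list of legitimate ids and the sample .jar are constructed for the example.

```python
import io
import zipfile


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; cheap way to spot an id that differs by one inserted letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_ids(contact_id: str, legitimate_ids, max_distance: int = 2):
    """Return the legitimate ids that contact_id imitates: close to one, but not equal."""
    cid = contact_id.lower()
    return [lid for lid in legitimate_ids
            if cid != lid.lower() and edit_distance(cid, lid.lower()) <= max_distance]


def is_executable_jar(data: bytes) -> bool:
    """True if data is a zip archive whose manifest declares a Main-Class, i.e. a .jar
    that `java -jar` (or a double-click on a machine with a JRE) will run."""
    if not data.startswith(b"PK\x03\x04"):        # zip local-file header
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):        # not a zip, or no manifest
        return False
    return any(line.lower().startswith("main-class:") for line in manifest.splitlines())


def build_sample_jar() -> bytes:
    """Constructed stand-in for a file like 'US Travel Docs Information.jar':
    only a manifest, no real classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n")
    return buf.getvalue()


# Assumed list of genuine contact ids; the real list would come from the visa service.
LEGIT_IDS = ["ustraveldocs-switzerland", "ustraveldocs-china"]

if __name__ == "__main__":
    print(lookalike_ids("ustravelidocs-switzerland", LEGIT_IDS))  # ['ustraveldocs-switzerland']
    print(is_executable_jar(build_sample_jar()))                   # True
```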

QRAT for Sale

The Qarallax RAT was being offered for sale on the BLACKWHITEGUYS forum. The rental price was $22 for 5 days and $900 for a year. QRAT consists of master and slave components. The purchaser or renter of QRAT spreads the slave program through Skype or through mail. A user becomes a victim when the malicious file is executed. As the file seemed to come from a legitimate source, many users searching for US visa information fell for the malware. The master component of QRAT lets the cyber criminals view the systems that have become slaves.

Protection Against QRAT, Other Malware

Users must be wary of downloading or executing any file received from the internet, even through trusted mail programs or communication programs like Skype.
Users must install effective internet security, with an antivirus that works on a default-deny approach and auto-sandboxes unknown or new files.
Execute all new files in a sandbox.

Nowadays, cyber criminals tune up existing malware so that it is not detected by traditional antivirus programs. Only internet security with an auto-sandboxing antivirus can prevent present-day malware and zero-day exploits.

