Wednesday, December 27, 2017

Qrypter Java RAT using Tor

Since the 16th of December, almost on a daily basis, I have been seeing a particular family of Java Remote Access Trojan using Tor.

The samples I looked at are rarely detected by AV.




The malware communicates via a Tor proxy with the malware developers' website https://vvrhhhnaijyj6s2m.onion.top/

Qrypter seems to be the name of the product, which is developed by a company named "QUAverse Research & Development 2017".

One of the features advertised by the developers is its low detection rate. And indeed this is true :)


There is some recent information about "Qrypter" on Twitter from a researcher https://twitter.com/rcherj/status/940252259363016704 and a post from another company, Certego (http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/).

That information links Qrypter to the Qarallax / Quaverse RAT. Quaverse is actually the company behind QRypter. According to Malpedia, QRat / QRallax RAT has been in the wild since 2015.



There is some information about this QRat/Qarallax/Quaverse in several presentations and posts:



In some other tweets, an analyst links the behaviour of Qrypter to that of Adwind JRat.

Indeed, when analysing the malware I can see behaviour similar to Adwind.
(I wrote a bit about how to detect Adwind here.)



The samples I took are heavily obfuscated, with several layers of embedded JAR files, which is reminiscent of the analysis done by Malwarebytes and in this post.

After some analysis of the files I ended up with the same MANIFEST.MF pointing to the Main-Class operational.JRat, which matches Adwind.

And with a bit of further analysis, I ended up with the same kind of configuration used by Adwind.




So in essence, this Qrypter looks like Adwind with some additional encryption layers.

By the way, another good analysis of this Adwind malware can be found in this post.

Let's continue by taking a look at the specific campaign seen since the 16th of December.

The first sample I detected, which can be found here https://www.virustotal.com/#/file/7e33381a99928f7b346dd613e5712923b6816d1da69b43cf4f12c2d313ed2903/detection, already used the domain vvrhhhnaijyj6s2m.onion.top.





The last one detected at the time of this writing, https://www.virustotal.com/#/file/b68eb3096328fa3bfabbeb7a178ea7075539e15ef19fbc65ab3e89f980c60967/detection, also used the same domain.

According to PassiveTotal, that domain has been active since the 30th of November 2017.



The first malicious samples under that domain existed from the 5th of December.

But this was not the only domain used by Qrypter; some other onion domains exist as well:

https://vvrhhhnaijyj6s2m.onion.rip/ - active since the 1st of December 2017
https://vvrhhhnaijyj6s2m.onion.to/ - active since the 11th of September 2017

And there are some others which look very fresh:

https://buzw55o32jgyznev.onion.link

https://buzw55o32jgyznev.onion.to/


Qrypter uses a tool to control the installed plugins: Qcontroller. This tool also uses Tor to connect to the developers' website.









Several plugins can be used:








The QRypter product seems like the evolution, or another version, of Qarallax/Quaverse. Besides the obfuscation and the connection via Tor to the developers' website to install additional plugins, there is not much innovation in this Java RAT.