Showing posts with label qrypter. Show all posts

Thursday, May 10, 2018

qthelegend: the new Qrypter for Adwind

Since last December, when I blogged for the first time about Qrypter, I've been tracking Adwind malware that uses this service.

@abuse.ch wrote a very interesting post about the providers hosting the C2 infrastructure used by malware encrypted with Qrypter.

For a few weeks now Qrypter has been on a new platform and no longer uses Tor.
The new version of Qrypter uses a Java application running locally, which encrypts the files.



In order to use the application, the user must be registered and buy a license (credits).
I wanted to check whether there is any substantial change in how the malware is encrypted with the service, so I took a look at a recent sample. The behaviour analysis doesn't really show any difference.
While debugging the malware I can see the different Java processes executed until the final payload is decrypted and executed.
In the end, the command and control configuration is obtained the same way as with the previous Qrypter version.
During the analysis I can see the typical Adwind behaviour: it executes VB scripts to check the installed AV and the local firewall, and makes itself persistent via the registry.
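As an added example (not code from the original post), here is a small detection over constructed, Sysmon-shaped events for the chain just described: javaw.exe spawning wscript.exe or cscript.exe with a .vbs, a dropped script querying the WMI SecurityCenter2 classes AntiVirusProduct / FirewallProduct (my assumption about how the AV and firewall check is done), and a Run key value that relaunches a JAR. Paths, file names and the Run value name are hypothetical.

```python
"""Added example, not code from the original post: flag the host behaviour
described above (Java running VB scripts that look for AV / firewall products,
then persisting through a Run key) over constructed, Sysmon-shaped events."""
import ntpath
import re
from collections import Counter

JAVA_HOSTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Run / RunOnce keys under HKCU or HKLM, anywhere in the key path.
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# WMI SecurityCenter2 classes a script queries to enumerate AV and firewall products
# (assumption: this is how the check in the VB scripts is implemented).
SECURITY_CENTER_RE = re.compile(r"\b(AntiVirusProduct|FirewallProduct)\b", re.I)
JAVA_LAUNCH_RE = re.compile(r"javaw?\.exe|\s-jar\s", re.I)

# Constructed sample events (hypothetical paths and names, not real telemetry).
SAMPLE_EVENTS = [
    {"type": "process",
     "parent": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\user\AppData\Local\Temp\check1.vbs"'},
    {"type": "script_content",  # body of the dropped script, as a file-content event
     "path": r"C:\Users\user\AppData\Local\Temp\check1.vbs",
     "body": 'Set w = GetObject("winmgmts:\\\\.\\root\\SecurityCenter2")\n'
             'Set p = w.ExecQuery("Select * from AntiVirusProduct")'},
    {"type": "process",
     "parent": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\user\AppData\Local\Temp\check2.vbs"'},
    {"type": "registry",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "details": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\jre\update.jar"'},
    {"type": "process",  # benign: explorer launching notepad, must not fire
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]


def _base(path):
    """Lower-cased file name of a Windows path, independent of the host OS."""
    return ntpath.basename(path).lower()


def detect_adwind_behaviour(events):
    """Return (rule, evidence) tuples for events matching the Adwind-style chain."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            if (_base(ev["parent"]) in JAVA_HOSTS and _base(ev["image"]) in SCRIPT_HOSTS
                    and ".vbs" in ev["cmd"].lower()):
                findings.append(("java_spawns_vbscript", ev["cmd"]))
        elif ev["type"] == "script_content":
            if SECURITY_CENTER_RE.search(ev["body"]):
                findings.append(("vbs_enumerates_security_products", ev["path"]))
        elif ev["type"] == "registry":
            if RUN_KEY_RE.search(ev["target"]) and JAVA_LAUNCH_RE.search(ev["details"]):
                findings.append(("java_run_key_persistence", ev["target"]))
    return findings


def summarise(findings):
    """Count hits per rule; all three rules firing on one host is the strong signal."""
    return dict(Counter(rule for rule, _ in findings))


if __name__ == "__main__":
    for rule, evidence in detect_adwind_behaviour(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
    print(summarise(detect_adwind_behaviour(SAMPLE_EVENTS)))
```

Each rule on its own is noisy (plenty of legitimate Java software persists through a Run key); the signal worth alerting on is all three firing from the same Java parent within a short window, which is what summarise() is there to show.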
Qthelegend, the new Qrypter, has not really changed in terms of how the malware is encrypted.

Thursday, March 15, 2018

Inside Qarallax / Adwind / Qrypter leading to Tesla / HawkEye (part 1)

A few months ago I wrote about a Java RAT named QRypter (aka QRat or Qarallax), which is basically Adwind with some layers of obfuscation. The post is here.

Usually this RAT is used as the first stage of the infection; in a second stage an additional payload is deployed on the victim. But before I explain this, let's take a look at the capabilities of this QRypter / Adwind.


This RAT, written in Java, is multiplatform. As can be seen in the screenshot below, it is full of functionality.

The basic options give full visibility and control over the victim's file system, processes, connections, etc.
But besides that, there are more advanced functionalities like webcam capture, access via Remote Desktop, a remote console, retrieving stored passwords, microphone capture, a keylogger, a SOCKS proxy, retrieving data from wallets, etc.

For each of the functionalities there is a module. The modules originally come from the JBifrost malware, so clearly this is based on JBifrost.
Also, the remote console is based on JBifrost.

The remote desktop functionality also permits adding new users.
But if all these features are not enough, there is also the possibility to automatically download any additional payload once the victim connects to the C2. This allows deploying additional payloads to the victims without any interaction on the C2.

Actually, a lot of AgentTesla and HawkEye are being deployed this way.

So, let's talk a bit about AgentTesla and HawkEye.

These two families of malware are very close in terms of capabilities and are used by threat actors that operate with similar TTPs.

The main goal of HawkEye and AgentTesla is to take screenshots of the victims, dump all the passwords stored in different programs (Outlook, browsers, etc.) and dump the whole history of copy & paste / keylogging done on the system. The data is exfiltrated either via HTTP or via mail.

The first thing that happens after a victim is infected via HawkEye is that the threat actor receives an email informing them that there is a new infection. This is an "Execution Confirmed" message. The content of this message is quite interesting, as it contains information about the system, including the name of the file that was the infection vector, the private IP of the system, the time frame to log and the functionality enabled.
On the other hand, AgentTesla already provides some exfiltrated data with information about the victim and screenshots in the first email. This is the "screen capture" message.

HawkEye provides 2 other messages: "stealer records" and "keylog records". The first one contains the password dumps, while the second one contains all the information recorded in the clipboard and a screenshot.

AgentTesla sends two additional sets of data: "Keystrokes" and "password recovered".


(To be continued)
Wednesday, December 27, 2017

Qrypter Java RAT using Tor

Since the 16th of December, almost on a daily basis, I'm seeing a particular family of Java Remote Access Trojan using Tor.

The samples I took a look at are rarely detected by AV.
The malware communicates via a Tor proxy with the malware developers' website https://vvrhhhnaijyj6s2m.onion.top/

Qrypter seems to be the name of the product, which is developed by a company named "QUAverse Research & Development 2017".

One of the features, according to the developers, is its low detection rate. And indeed this is true :)
There is some recent information about "Qrypter" on Twitter from a researcher https://twitter.com/rcherj/status/940252259363016704 and a post from another company, Certego (http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/).

That information links Qrypter to the Qarallax / Quaverse RAT. Quaverse is actually the company behind QRypter. According to Malpedia, QRat / Qarallax RAT have been in the wild since 2015.



There is some information about this QRat/Qarallax/Quaverse in several presentations and posts:

In some other tweets, some analysts link the same behaviour of Qrypter and Adwind JRat.
Actually, doing the analysis of the malware I can see similar behaviour to Adwind. (I wrote a bit about how to detect Adwind here.)

The samples I took are heavily obfuscated with several layers of embedded JAR files, which reminds me of the analysis done by Malwarebytes and in this post.

Actually, after some analysis of the files I ended up with the same MANIFEST.MF pointing to a Main-Class operationl.JRat, which matches Adwind.
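Added example, not the post's own tooling: a walker that opens a JAR, reads its META-INF/MANIFEST.MF, descends into every embedded .jar and reports the Main-Class of each layer, flagging layers whose Main-Class is the operationl.JRat value found above. The two-layer sample JAR is constructed in memory (the loader class name and file names are made up); where a layer is encrypted rather than a plain nested JAR, feed it the decrypted JARs recovered while debugging.

```python
"""Added example, not code from the original post: walk a JAR and each JAR
embedded in it, reading every layer's META-INF/MANIFEST.MF, so the Main-Class
of the innermost layer surfaces without unpacking the layers by hand."""
import io
import zipfile

MANIFEST = "META-INF/MANIFEST.MF"
# Main-Class the post found in the final layer; compared case-sensitively.
ADWIND_MAIN_CLASS = "operationl.JRat"


def parse_manifest(text):
    """Parse 'Name: value' lines; a line starting with a space continues the previous value."""
    attrs, last = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last is not None:
            attrs[last] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            attrs[last] = value.strip()
    return attrs


def walk_jar(data, path="<root>", depth=0, max_depth=16):
    """Yield one dict per JAR layer, depth-first, recursing into embedded *.jar entries."""
    if depth > max_depth:  # cap recursion on crafted, endlessly nested archives
        yield {"depth": depth, "path": path, "error": "max depth exceeded"}
        return
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:  # encrypted or otherwise opaque layer
        yield {"depth": depth, "path": path, "error": str(exc)}
        return
    with zf:
        names = zf.namelist()
        main_class = None
        if MANIFEST in names:
            text = zf.read(MANIFEST).decode("utf-8", "replace")
            main_class = parse_manifest(text).get("Main-Class")
        nested = [n for n in names if n.lower().endswith(".jar")]
        yield {"depth": depth, "path": path, "main_class": main_class, "nested": nested}
        for name in nested:
            yield from walk_jar(zf.read(name), f"{path}/{name}", depth + 1, max_depth)


def flag_adwind_layers(data):
    """Paths of every layer whose Main-Class matches the Adwind indicator."""
    return [layer["path"] for layer in walk_jar(data)
            if layer.get("main_class") == ADWIND_MAIN_CLASS]


def build_jar(main_class, extra=None):
    """Build a minimal JAR in memory (constructed test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n")
        for name, blob in (extra or {}).items():
            zf.writestr(name, blob)
    return buf.getvalue()


# Constructed two-layer sample: a loader JAR carrying the RAT JAR inside it.
SAMPLE_INNER_JAR = build_jar(ADWIND_MAIN_CLASS, {"operationl/JRat.class": b"\xca\xfe\xba\xbe"})
SAMPLE_OUTER_JAR = build_jar("loader.Main", {"payload.jar": SAMPLE_INNER_JAR})

if __name__ == "__main__":
    for layer in walk_jar(SAMPLE_OUTER_JAR):
        print(layer)
    print(flag_adwind_layers(SAMPLE_OUTER_JAR))
```

The walker keeps going past layers it cannot open (they are reported with an "error" key instead of a Main-Class), so on a real sample the output shows exactly which layer is the one still needing decryption.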
And with a bit of further analysis, I end up with the same kind of configuration as the one used by Adwind.
So in essence, this Qrypter looks like Adwind with some additional encryption layers.

By the way, another good analysis of this Adwind malware can be found in this post.

Let's continue taking a look at the specific campaign seen since the 16th of December.

The first sample I detected, which can be found here https://www.virustotal.com/#/file/7e33381a99928f7b346dd613e5712923b6816d1da69b43cf4f12c2d313ed2903/detection, already used the domain vvrhhhnaijyj6s2m.onion.top.

The last one detected at the time of this writing, https://www.virustotal.com/#/file/b68eb3096328fa3bfabbeb7a178ea7075539e15ef19fbc65ab3e89f980c60967/detection, also used the same domain.



According to PassiveTotal, that domain has been active since the 30th of November 2017.

The first malicious samples under that domain existed from the 5th of December.
But this was not the only domain used by Qrypter; some other onion domains existed:

https://vvrhhhnaijyj6s2m.onion.rip/ - active since the 1st of December 2017
https://vvrhhhnaijyj6s2m.onion.to/ - active since the 11th of September 2017

And there are some others which look very fresh:

https://buzw55o32jgyznev.onion.link
https://buzw55o32jgyznev.onion.to/
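The onion.top / onion.rip / onion.to / onion.link suffixes are Tor2web-style gateways, so on the wire this traffic looks like ordinary HTTPS to a clearnet hostname and no Tor client is needed on the victim. As an added example (not from the original post), the following parses constructed Squid-style proxy log lines (client IPs, timestamps and paths are made up; the hostnames are the ones listed above) and flags requests that reach a hidden service through one of those gateways, recovering the underlying .onion address.

```python
"""Added example, not code from the original post: find Tor2web gateway
traffic (the onion.top / onion.rip / onion.to / onion.link suffixes seen in
the post) in constructed proxy log lines and recover the hidden service behind it."""
import re

# Gateway suffixes named in the post, plus the shape of an onion address
# (v2: 16 base32 chars, v3: 56 base32 chars).
TOR2WEB_GATEWAYS = ("onion.top", "onion.rip", "onion.to", "onion.link")
ONION_LABEL_RE = re.compile(r"^[a-z2-7]{16}$|^[a-z2-7]{56}$")
# Squid-style access log: timestamp, duration, client, status, bytes, method, url, ...
LOG_RE = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\S+\s+\d+\s+(\S+)\s+(\S+)")

# Constructed sample log; only the hostnames come from the post.
SAMPLE_LOG = """\
1513440001.123 210 192.0.2.10 TCP_TUNNEL/200 3921 CONNECT vvrhhhnaijyj6s2m.onion.top:443 - HIER_DIRECT/203.0.113.5 -
1513440002.456 88 192.0.2.11 TCP_MISS/200 1200 GET http://www.example.com/index.html - HIER_DIRECT/203.0.113.7 text/html
1513440003.789 150 192.0.2.10 TCP_TUNNEL/200 4100 CONNECT buzw55o32jgyznev.onion.to:443 - HIER_DIRECT/203.0.113.5 -
1513440004.000 60 192.0.2.12 TCP_MISS/200 900 GET https://onion.top/ - HIER_DIRECT/203.0.113.9 text/html
1513440005.000 60 192.0.2.13 TCP_MISS/200 900 GET http://www.vvrhhhnaijyj6s2m.onion.rip/q/check - HIER_DIRECT/203.0.113.5 text/html
"""


def host_from_url(url):
    """Host part of either a CONNECT 'host:port' target or a full URL."""
    url = re.sub(r"^[a-z]+://", "", url, flags=re.I)
    return url.split("/", 1)[0].rsplit(":", 1)[0].lower()


def tor2web_hits(log_text):
    """(client, host, onion_address, gateway) for each line reaching a hidden service via a gateway."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, url = m.groups()
        host = host_from_url(url)
        for gw in TOR2WEB_GATEWAYS:
            if host == gw or host.endswith("." + gw):
                # The label directly before the gateway suffix is the onion service;
                # a bare visit to the gateway front page has no such label and is skipped.
                labels = host[: -len(gw)].rstrip(".").split(".")
                onion = labels[-1] if labels else ""
                if ONION_LABEL_RE.match(onion):
                    hits.append((client, host, onion + ".onion", gw))
                break
    return hits


def onion_services(hits):
    """Distinct hidden services seen, for pivoting across gateways and clients."""
    return sorted({onion for _, _, onion, _ in hits})


if __name__ == "__main__":
    found = tor2web_hits(SAMPLE_LOG)
    for client, host, onion, gw in found:
        print(f"{client} -> {host} ({onion} via {gw})")
    print(onion_services(found))
```

Grouping by the recovered .onion name rather than the full hostname is what ties the onion.top, onion.rip and onion.to sightings above together as one C2, whichever gateway a given sample was built with.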


Qrypter uses a tool to control the installed plugins: Qcontroller. This tool also uses Tor to connect to the developers' website.

Several plugins can be used:

The QRypter product seems like the evolution or another version of Qarallax/Quaverse. Besides the obfuscation and the connection via Tor to the developers' website to install additional plugins, there is not much innovation in this Java RAT.