Security researchers have revealed how a Java-based remote access tool dubbed "Qrypter" is gaining popularity over existing cross-platform backdoors such as Adwind as an efficient Malware-as-a-Service (MaaS) platform even though it was first launched only a couple of years ago.
Malware-as-a-Service (MaaS) platforms have been used widely by malicious actors over the years to infect enterprise IT systems and personal computers that are secured by traditional anti-virus products. Such platforms are often offered for sale on the dark web for one-time operations or as a package for regular use.
One such platform which has been used frequently by hackers to infect computer systems is Adwind, a remote access tool which is rented out by its developers on the dark web for US$ 80 (£56) per month to hackers. In order to hide such transactions, Adwind's creators accept payments in Bitcoin and other cryptocurrencies.
Security researchers at Forcepoint recently discovered that hackers have started using a new Malware-as-a-Service (MaaS) platform with increasing regularity. Dubbed "Qrypter", the Java-based remote access tool, which has often been mistaken by researchers as Adwind because of the similarities in their code, is now being sold on the dark market for exactly the same price as Adwind.
According to Forcepoint researchers, Qrypter was first used in March 2016 and again three months later to target individuals applying for a US Visa in Switzerland, thereby attracting the attention of researchers. The frequency of its use across the world grew significantly since then and as of February 2018, up to 243 organisations were found to be affected by three separate Qrypter-related campaigns.
The use of Qrypter basically involves hackers injecting the tool into victims' systems using phishing emails designed to lure such victims into downloading malicious attachments. Once it infiltrates a computer, it drops and executes two VBS files in the %Temp% folder using random filenames which, in turn, collect details of any firewall and anti-virus products on the victim's PC.
Once such details are obtained, Qrypter executes a .REG file stored in the %Temp% folder using a random filename, thereby lowering overall security settings and preventing security-related processes from executing. Once this step is completed, the tool connects to its TOR-based command and control server and executes a range of backdoor functionality such as manipulating file systems, installing additional files, controlling the Task Manager and gaining access to the PC's webcam.
The researchers discovered that Qrypter in addition to being available to rent, can also be bought in three-month or one-year subscriptions. Its creators accept payments in PerfectMoney, Bitcoin-Cash, or Bitcoin and one such Bitcoin address used by them was found to have received a total of 1.69 BTC in payments.
"While the Qrypter MaaS is relatively cheap, QUA R&D's occasional release of cracked competitor products may exponentially increase attacks in the wild by making potent crimeware accessible to anyone for free. However by understanding how cyber-criminal enterprises such as QUA R&D operate, we are better positioned to develop defence strategies and predict future developments," they said.
Commenting on the surge in demand for Qrypter on the dark web, Ed Williams, director, EMEA of SpiderLabs at Trustwave, told SC Magazine UK that with 243 organisations being actively exploited, it is clear that organisations are not equipped to deal with MaaS as a platform. The reason why the platform has achieved success so far is that it exploits common issues and vulnerabilities that are prevalent across enterprise IT systems.
"Looking at the way the malware operates any number of defence in depth measures would render the malware in-effective. To increase assurance and maturity, organisations need to consider the way attackers use TTPs (tools, techniques and procedures) and mitigate against these through enhancements around people, process and technology.
"Looking at Qrypter specifically, I see the desktop as the new battleground, and with an un-hardened desktop you are waiting to get comprised in this fashion, white listing of applications should be a base requirement," he said.
Williams added that with cloud based email providers increasing their tooling and protection and response around malicious emails through Anti-Impersonation Enhancements, greater granularity of trusted external sources and mature content-based attack analysis, such tools can be leveraged to increase assurance along with other defence in depth measures.