Researchers at F-Secure found cybercriminals attempting to steal the personal information of Swiss nationals, and possibly other travelers, who were looking for help on how to file for visas to visit the United States.
To pull off the scam the attackers use malware called QRAT, or Qarallax RAT. In an interesting twist, the malware is distributed over Skype by criminals posing as U.S. officials offering the needed help, F-Secure's Frederic Vila wrote in a blog post. Skype has been used as an attack vector before, but for adware.
Vila added that the software appears to be about six months old and was found for rent on a dark web forum, with prices starting as low as $22 for a five-day rental and running up to $900 for a year.
An incident starts when the victim runs a Skype search for more information on how to apply for a U.S. visa. While there is a legitimate account to contact, "ustraveldocs - Switzerland", other accounts that appear in the Skype search results look legitimate but are in fact fronts for the malware distributors. They can slip past an unwary person because the names are almost identical, for example "ustravelidocs – Switzerland". The extra "i" in the middle gives away the bogus Skype account.
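The lookalike names above differ from the real account by a single inserted letter, which is exactly what an edit-distance check catches. The following is an added example, not code from F-Secure's write-up: it normalises a Skype display name (case, Unicode dashes, whitespace), compares the part before the dash against a known-good account name, and flags near-misses. The allowlist and the threshold of two edits are assumptions for illustration.

```python
# Added example: flag Skype display names that nearly match a legitimate account,
# e.g. "ustravelidocs – Switzerland" vs "ustraveldocs - Switzerland".
# The allowlist below is an assumption for illustration, not from the article.
import re
import unicodedata

ALLOWLIST = {"ustraveldocs - switzerland"}   # known-good full names (assumed)


def normalize(name: str) -> str:
    """Lower-case, fold en/em dashes and the minus sign to '-', collapse whitespace,
    so that 'ustraveldocs – Switzerland' and 'ustraveldocs - switzerland' compare equal."""
    s = unicodedata.normalize("NFKC", name).lower()
    s = re.sub(r"[\u2010-\u2015\u2212]", "-", s)
    return re.sub(r"\s+", " ", s).strip()


def brand_part(name: str) -> str:
    """The account handle before the ' - <country>' suffix."""
    return normalize(name).split(" - ", 1)[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(name: str, max_dist: int = 2) -> str:
    """'legit' if the full name is allowlisted; 'lookalike' if the handle is within
    max_dist edits of an allowlisted handle but the full name is not allowlisted
    (this also catches the same bogus handle paired with a different country);
    otherwise 'unrelated'."""
    if normalize(name) in ALLOWLIST:
        return "legit"
    handle = brand_part(name)
    for good in ALLOWLIST:
        if levenshtein(handle, brand_part(good)) <= max_dist:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for candidate in ["ustraveldocs - Switzerland",
                      "ustravelidocs \u2013 Switzerland",
                      "ustravelidocs - Germany",
                      "Some Other User"]:
        print(f"{candidate!r}: {classify(candidate)}")
```

The handle-only comparison is deliberate: the distance between the full strings "ustravelidocs - Germany" and "ustraveldocs - Switzerland" is large, yet the handle is still an impersonation of the real one.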
The malicious file is a Java application that can run on operating systems with Java Runtime Environment installed, Vila noted.
Once the call is initiated, the malware is downloaded onto the victim's computer, where it can capture mouse movements and clicks, log keystrokes and control the webcam. F-Secure also found a copy of LaZagne, an open source credential-recovery tool, stored on the same server as QRAT. This could indicate a plan to bundle the two, which would also give the criminals the ability to steal passwords saved for a user's Wi-Fi networks, browsers, chat applications and mail programs.
Vila said in his blog that the code does contain some indicators about the malware's origin.
“It is Arabic in origin with the strings ‘allah’ and ‘hemze’ found obfuscated within the body. The IP address 95.211.141[.]215 is located in the Netherlands but the domain QARALLAX[.]COM has WHOIS history linking it to Turkey,” Vila said.
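The IP address and domain in that quote are the only network indicators the article gives, published in defanged form. As an added example (not F-Secure's tooling), the script below refangs them and scans proxy and DNS log lines for exact IP matches and for the domain or any of its subdomains. The log lines are constructed for the example and the log format is an assumption.

```python
# Added example: refang the indicators quoted in the article and scan log lines
# for them. The log lines and their format are constructed for illustration.
import ipaddress
import re

DEFANGED_IOCS = ["95.211.141[.]215", "QARALLAX[.]COM"]   # from the article, defanged

SAMPLE_LOGS = [   # constructed; 198.51.100.0/24 is a documentation range
    "2016-06-20T09:12:01Z proxy src=10.0.0.5 dst=95.211.141.215:443 host=qarallax.com method=CONNECT",
    "2016-06-20T09:12:05Z dns query=cdn.qarallax.com type=A client=10.0.0.5",
    "2016-06-20T09:13:10Z proxy src=10.0.0.7 dst=198.51.100.23:443 host=example.com method=CONNECT",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def refang(ioc: str) -> str:
    """Turn '1.2.3[.]4' or 'hxxp://x[.]com' back into a usable, lower-cased form."""
    s = ioc.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        s = s.replace(bracketed, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)


def build_matchers(iocs):
    """Split refanged indicators into a set of IPs and a set of domains."""
    ips, domains = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return ips, domains


def scan(lines, iocs=DEFANGED_IOCS):
    """Return (line_no, kind, value) for every IOC hit; domains match exactly or
    as a parent of a subdomain (cdn.qarallax.com matches qarallax.com)."""
    ips, domains = build_matchers(iocs)
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((n, "ip", ip))
        for host in HOST_RE.findall(line):
            h = host.lower()
            if h in domains or any(h.endswith("." + d) for d in domains):
                hits.append((n, "domain", h))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(hit)
```

Matching on the parent domain matters because an operator can move the implant's callback to any subdomain without changing the registered name that the WHOIS history points at.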
F-Secure also found 21 additional Skype accounts beginning with ustravelidocs and naming other countries, indicating that the criminals are trying to target travelers from those countries as well, but Vila had no evidence that such attacks were actually taking place.