Research Saturday 10.14.23
Ep 303 | 10.14.23

Unwanted guests harvest your information.


Dave Bittner: [Music] Hello, everyone, and welcome to the "CyberWire's Research Saturday." I'm Dave Bittner. And this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. [ Music ]

Amit Malik: So basically, what we have done is we have designed a threat intelligence system. And this threat intelligence system collects data from open source intelligence as well as some closed and open source sources.

Dave Bittner: That's Amit Malik. He's a director of threat research at Uptycs. The research we're discussing today is titled "Unwanted Guests, Mitigating Remote Access Trojan Infection Risk."

Amit Malik: And this data that is coming, it's a massive amount of data that comes to us and our intelligence analysts, they analyze that data on a daily basis. So when they were going through this data, then they realized that there is a new kind of malware that they have seen. Now, based on that they started the exploration of the further investigation to understand what this new malware is, and they realized that this is a new investigation. That's how this basically, it was identified.

Dave Bittner: And you all refer to this as QwixxRAT. RAT, of course, is remote access Trojan. Can you describe to us is that typically, what is the functionality of a RAT?

Amit Malik: Correct. I mean, a remote access Trojan, as the name suggests, right, it's basically the, I can use it to control your system remotely. Now there are different types of capabilities and functionalities that come with a remote access Trojan. We are calling this particular remote access Trojan QwixxRAT because that was the name that we saw inside the code when we were doing the reverse engineering. So we saw that this, right? And specific to the functionality of a RAT, it varies across the malwares. Like, in this case, the QwixxRAT is capable of not only controlling your machine remotely, but it has some additional capabilities of other malware types, like, ransomware, it can encrypt the files on your machine also, depending on the instruction coming from the command and control. In general, the remote access Trojan is basically somebody that talks to a command and control server, gets the instructions, and then executes them. It can be screen capture, it can be, you know, taking backups off or, you know, exfiltrating your passwords from your password stores. And then, you know, key logging and all this kind of stuff that's in general done by the remote access Trojans.

Dave Bittner: And QwixxRAT is for sale here, folks can buy various versions of this?

Amit Malik: Correct. So basically, the attacker tried to -- it's a two-way process that the attackers are using. One is that they are also distributing the trial version of it, right? So that you can try out the functionality, you can see about it. The other thing is they are also, like, if you are happy with the trial version, then you can actually purchase the advanced version from them, right? And then use it for your purposes and they will create the infrastructure for you, right? So essentially, the RAT uses Telegram, so Telegram is kind of a chat service and they can create, you know, separate channels for you so that you can monitor the QwixxRAT using Telegram. [ Music ]

Dave Bittner: Well, let's walk through the workflow here of QwixxRAT. How does someone typically find themselves infected? And then how does it go about doing the things it wants to do?

Amit Malik: So basically, what really happens is the QwixxRAT attackers, they are, you know, selling it into the market and, you know, the other attackers can actually purchase it, and then they can bundle it with the, with, right? So right now we are unsure of how the initial attack is done, meaning that it could be a malicious document file or a PDF file where the link is embedded inside and maybe an email is sent to the user where they might click on that email right on the link or might open the attachment and that ultimately downloads and executes this QwixxRAT, right? So essentially after the infection, once it lands into your system, it does a couple of things. Like, it creates its identifier, whether it's running into the virtual environment or not. Normally, the security companies, they use the sandbox to run the malware for a specific time inside of the virtual environment so that they can analyze the artifacts of the particular malware. So what this malware is doing is it's identifying the virtual machine environment. And if it sees that it's inside that it will exit itself. And the other mechanism that it has, it's basically it creates a mutex to run a single copy or a single process at a time, right? And once it basically starts inside your system, then it can pretty much do anything. Like, you know, there are some interesting capabilities, like, we do not see, normally in the RATs, those functionality, like, it can control your CD-ROM driver also, right? It can. Now, CD-ROM driver is not very popular these days, it was back in the days, right? So back in the days, the RATs used to have that functionality, but it also has that functionality. So what we feel is that it has used some old code of some of the RATs, right? And our link is somewhere around. And it has modified that code and created this new version of this RAT. So once it is installed on your machine, it can actually control the entire thing on your machine. It can take screenshots, it can capture all of the keys that you are pressing, it can extract the passwords from your Google Chrome and Firefox and other browsers. There are lots of services that it supports, like, your credentials, and many other things that are supported inside that we have listed on our blog. Yeah, that's, I mean, the perspective that it does.

Dave Bittner: Yeah. And as you mentioned, the blog really lists quite a number of things that it's capable of doing here. We don't have time to go through all of them. But are there any that are particularly interesting to you that really caught your eye in terms of its capabilities?

Amit Malik: Yeah. So one thing that we realized in this is that it has a functionality of encrypting your files as well, right? So this is a kind of functionality we see in ransomware, right, so that's not normal behavior of a remote access Trojan. Because rapid remote access Trojan provides you the access, and then you can exfiltrate the data and so on and so forth. But in this case, you can also damage the data where it can encrypt the files on your machine, and then you can delete the files and it can decrypt the files as well. So there is some motivation behind the RAT, not just extracting the information, but doing the damage on the information, and then maybe, you know, asking for a ransom and this type of activity further. So that is something that is we see is a kind of thing. And the other thing that is interesting about this RAT is that it's not using the conventional command and control like you have attacker-hosted infrastructure where, you know, you are receiving the command. So instead, what these guys are doing is they are using Telegram as their command and control. So Telegram is a normal chat application, right, used by the organizations and the people around the world. So, you know, using Telegram to control the remote access Trojan, it's something that we have seen in recent past, like, you know, in couple of one or two years, there is a significant rise in the malwares that are using Discord and Telegram to carry out their operations. So that's also a kind of interesting in this malware.

Dave Bittner: Well, what are your recommendations for folks to protect themselves against this?

Amit Malik: So in general, what we recommend to the people is that you should not really click any link inside, coming inside your backdoor from, you know, think twice about clicking the link or think twice about opening an attachment that is there, right? Clicking on those things and do not really browse the random web sites that are there, right? But even then, you know, there are possibilities that there could be a zero day that might land up and then, you know, install this type of malware on the system. So the best protection is to keep your security controls up to date. And keep your system up to date, all your browsers, all your email clients or the chat software is up to date and apply all the security patches that are coming. And then be vigilant about clicking all the links and opening and, you know, browsing unnecessary stuff on the system. So these are the methods that we recommend.

Dave Bittner: How good is this at hiding itself? Are there indicators of compromise that are able to detect it routinely, or is it pretty stealthy?

Amit Malik: So in terms, I mean, it is doing some of the work to bypass the detection mechanisms, like, the antivirus and the EDR. So normally the strain to -- it's using a function called Wait command threat. And the purpose of that function is to wait where he does the activity so that the monitoring or the correlation that is done by the security software, it can be kind of broken in between, right? So some functionality is there in order to evade the detection mechanisms, but they are kind of we would say that the indicator of compromise, like, we have a rule that scans the process memory. So process memory is a much more sophisticated way of detecting a malware, right? So, you know, we can do the process of memory scan to identify if this malware is there is executed on the system. But apart from that it also touched the other files, like, browser credentials, right, and stuff like that. And normally, the security softwares don't monitor if there is any access or any other third party is trying to access these password store files of history and stuff like that. So the malware is trying itself to make it stealthy as much as possible. But we do also see that there is an opportunity for the security softwares and the defender side that there is enough evidence, you know, the people can detect it.

Dave Bittner: Is there any sense for how widespread this is?

Amit Malik: So as of now, we do not really know, like, how big the impact is. Right now, we know that there was a Telegram channel where the attackers were actually broadcasting it. And there were two models. One is that you can try out as a free trial and you can purchase it and there was also a distributor model, meaning that you can be a distributor where you can distribute this forward and then they will compensate you as a part of that process. Right? The moment we released a blog after around two weeks, we again, you know, tried to reach that Telegram channel that was making these announcements. And now we see that that channel is private now. We cannot access that anymore. So earlier it was public and people could access that. So as of now we do not know the overall scope of, like, how. [ Music ]

Dave Bittner: Our thanks to Amit Malik from Uptycs for joining us. The research is titled "Unwanted Guests, Mitigating Remote Access Trojan Infection Risk." We'll have a link in the show notes. [ Music ] The "CyberWire Research Saturday Podcast" is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Erban, and Senior Producer Jennifer Eiben. Our mixer is Elliot Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. [ Music ]