CyberWire Daily - Unwanted guests harvest your information. [Research Saturday]
Episode Date: October 14, 2023. Amit Malik from Uptycs joins us to discuss their research titled "Unwanted Guests: Mitigating Remote Access Trojan Infection Risk." The Uptycs threat research team identified a new threat referred to as QwixxRAT. The Uptycs team discovered this tool being widely distributed by the threat actor through the Telegram and Discord platforms. The research states "QwixxRAT is meticulously designed to harvest an expansive range of information from browser histories and credit card details, to keylogging insights." This newly found tool poses a risk to both businesses and individual users. Research: Unwanted Guests: Mitigating Remote Access Trojan Infection Risk.
Transcript
You're listening to the CyberWire Network, powered by N2K.
so you know exactly what's been done. Take control of your data and keep your private life Thank you. Hello, everyone, and welcome to the CyberWires Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems,
and protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
So basically what we have done is we have designed a threat intelligence system,
and this threat intelligence system collects data from open source intelligence as well as some closed and open sources.
That's Amit Malik. He's director of threat research at Uptycs.
The research we're discussing today is titled Unwanted Guests, Mitigating Remote Access Trojan Infection Risk.
And this data that is coming, it's a massive amount of data that comes to us, and our intelligence analysts, they analyze that data on a daily basis.
So when they were going through this data, then they realized that there is a new kind
of malware that they have seen. Now, based on that, they started the exploration
of their further investigation
to understand what this new malware is.
And they realized that this is a new remote access trojan.
That's how this basically, it was identified.
And you all refer to this as QwixxRAT.
RAT, of course, is Remote Access Trojan.
Can you describe to us, typically,
what is the functionality of a RAT?
Correct. I mean, a Remote Access Trojan,
as the name suggests, right,
it's basically the attacker can use it
to control your system remotely.
Now, there are different types of capabilities
and functionalities that come with a remote access trojan.
We are calling this particular remote access trojan
QwixxRAT because that was the name
that we saw inside the code
when we were doing the reverse engineering.
So we saw this name inside the code of the malware.
And specific to the functionality of a RAT, it varies across the malwares. Like in this
case, QwixxRAT is capable of not only controlling your machine remotely, but it has
some additional capabilities of other malware types like ransomware. It can encrypt the file
of your machine also, depending on the
instruction coming from the command and control.
In general, the remote access trojan is basically somebody that talks to a command and control
server, get the instruction, and then execute them.
It can be screen capture.
It can be taking backups of or exfiltrating your passwords
from your password stores,
and then keylogging and all these kinds of stuff
that in general are done by the remote access trojans.
And QwixxRAT is for sale here?
Folks can buy various versions of this?
Correct.
So basically the attacker tried to...
It's a two-way process that the attackers are using.
One is that they are also distributing
the trial version of it, right?
So that you can try out the functionality
you can see about it.
The other thing is they are also like,
if you are happy with the trial version,
then you can actually purchase
the advanced version from them, right?
And then use it for your purposes,
and they will create the infrastructure for you, right?
So essentially, the RAT uses Telegram.
So Telegram is kind of a chat service,
and they can create, you know, separate channels for you
so that you can monitor the RAT using Telegram.
Well, let's walk through the workflow here of QwixxRAT.
How does someone typically find themselves infected,
and then how does it go about doing the things it wants to do?
So basically what really happens is the QwixxRAT attackers,
they are selling it into the market
and the other attackers can actually purchase it
and then they can bundle it with their attack.
So right now we are unsure of how the initial attack is done,
meaning that it could be a malicious document file
or a PDF file where the link is embedded inside
and maybe an email is sent to the user
where they might click on that email, right, on the link
or might open the attachment,
and that ultimately downloads and executes QwixxRAT, right?
So essentially, after the infection,
once it lands in your system, it does a couple of things. Like it identifies whether it's running in a virtual environment or not.
Normally, the security companies, they use the sandbox to run the malware for a specific time
inside the virtual environment so that they can analyze the artifacts of the particular malware.
So what this malware is doing is it's identifying the virtual machine environment.
And if it sees that it's running inside that, then it will exit itself.
And the other mechanism that it has is basically it creates a mutex to run a single copy
or a single process at a time.
And once it basically starts inside your system, then it can pretty much do anything.
Like, you know, there are some interesting capabilities.
Like, we do not normally see in the recent RATs
those functionalities.
Like, it can control your CD-ROM drive also.
Now, the CD-ROM drive is not very popular
these days. It was back in the day, right?
So back in the day, the RATs used to have that functionality.
But this one also had that
functionality. So what we feel is that
it has used
some old code of
some of the RATs, right?
And our link is somewhere around
ToxicEye, and it has
modified that code and created
this new version
of this RAT. So
once it is installed on your machine,
it can actually control the entire things on your machine.
It can take a screenshot,
it can capture all of the keys that you are pressing,
it can extract the password from your Google Chrome
and Firefox and other browsers.
There are lots of services that it supports,
like your Telegram credentials
and many other things that
are supported inside that we
have listed on our blog.
Yeah, that's,
from a kill chain perspective, what
it does.
Yeah, and as you mentioned,
the blog really lists
quite a number of things that it's capable
of doing here.
We don't have time to go through all of them,
but are there any that are particularly interesting to you
that really caught your eye in terms of its capabilities?
Yeah, so one thing that we realized in this RAT
is that it has a functionality of encrypting your files as well.
So this is a kind of functionality we see in the ransomware attacks.
So that's not normal behavior of a remote access trojan
because a remote access trojan provides you the access
and then you can exfiltrate the data and so on and so forth.
But in this case, you can also damage the data
where it can encrypt the files on your machine
and then it can delete the files and it can decrypt the file as well.
So there is some motivation behind the RAT,
not just extracting the information,
but doing the damage on the information.
And they may be asking for a ransom
and this type of activity further in the attack.
So that is something that we see as a kind of relative linear.
And the other thing that is interesting about this RAT
is that it's not using
the conventional command and control like
you have attacker-hosted infrastructure
where, you know, you are receiving the
commands from the attacker-hosted
infrastructure. Instead, what these guys are
doing is they are using Telegram
as their command and control.
So, Telegram is a normal
chat application, right,
used by the organizations and the people around the world.
So, you know, using Telegram to control the remote access trojans,
it's something that we are seeing in the recent past,
like, you know, in a couple of, one or two, years,
there is a significant rise in the malwares
that are using Discord and Telegram to carry out their operations.
So that's also kind of
interesting in this malware.
Well, what are your recommendations
for folks to protect themselves
against this?
So in general, Dave,
what we recommend to the people is that
you should not really click
any link coming
inside your email.
Think twice about clicking the link or think twice about opening an attachment that is there.
Do not click on those things and do not really browse
the random websites that are there.
But even then, there are possibilities
that there could be a zero-day that
might land up and then, you know,
install this type of malware on the system.
So the best protection is to keep your
security controls up to date
and keep your system up to
date, all your browsers, all your
email clients, all the chat softwares
up to date, and apply all the
security patches that are coming.
And then be vigilant about clicking all the links and opening and browsing unnecessary stuff on the system.
So these are the methods that we recommend.
How good is this at hiding itself?
Are there indicators of compromise that are able to detect it routinely, or is it pretty stealthy?
So in terms of, I mean, it is doing some of the work to bypass the detection mechanisms like the antivirus and the EDR.
So normally it is trying to, it's using a function called wait command thread. And the purpose of that function is to wait when it does the activity
so that the monitoring
or the correlation
that is done by the security software
can be kind of broken in between.
So some functionality is there
in order to evade
the detection mechanisms,
but there are kind of,
we would say that
the indicator of compromise,
like we have also released a YARA rule that scans the process memory.
So process memory is a much more sophisticated way of detecting a malware, right?
So, you know, we can do the process memory scan to identify
if this malware is there, is executed on the system.
But apart from that, it also touched the other files
like browser credentials
and stuff like that.
And normally the security software
doesn't monitor
if there is any access
or any third party
is trying to access
these password store files
or history and stuff like that.
So the malware is trying itself
to make it stealthy
as much as possible.
But we do also see
that there is an opportunity
for the security softwares at the defender side
that there is enough evidence, you know,
that people can detect it.
Is there any sense for how widespread this is?
So as of now, we do not really know
how big the impact is.
Right now, we know that there was a telegram channel
where the attackers were actually
broadcasting it, and
there were two models. One is that you can
try out as a free trial, and you can
purchase it. And there
was also a distributor
model, meaning that you can be a distributor
where you can distribute this forward,
and then they will compensate you as a part
of that process, right?
The moment we released the blog,
after around two weeks,
we again, you know, tried to reach
that Telegram channel
that was making these announcements.
And now we see that that channel is private.
Now we cannot access that anymore.
So earlier it was public
and people could access that.
So as of now, we do not know
the overall scope of how big the attack is and how many people are infected.
Our thanks to Amit Malik from Uptycs for joining us. The research is titled Unwanted Guests, Mitigating Remote Access Trojan Infection Risk.
We'll have a link in the show notes.
This episode was produced by Liz Irvin and senior producer Jennifer Eiben.
Our mixer is Elliott Peltzman. Our executive editor is Peter Kilpe, and I'm Dave Bittner.
Thanks for listening.