Delaware, USA – March 20, 2018 – Cybersecurity firm Forcepoint shared information about recent campaigns in which attackers used the cross-platform trojan Qrypter. In February 2018 the researchers discovered three campaigns that targeted more than 240 organizations around the world. The Qrypter trojan has been known since 2016; it is created by the ‘QUA R&D’ group, which continually modifies it and sells it as Malware-as-a-Service on underground forums. Typically, this malware is used in small campaigns, and adversaries spread it via phishing emails with malicious attachments. After getting into the system, Qrypter collects information about the security solutions present and uses the Windows command ‘taskkill’ to terminate the processes of the solutions it detects. The malware then connects to a Command and Control server on the Tor network and provides attackers with remote access to the compromised system.
The attackers communicate with their customers via the ‘Black&White Guys’ forum and try to attract resellers for their product. To date, the forum has more than 2,300 registered users, and the relative cheapness of the trojan attracts new customers. This malware bypasses most anti-virus solutions, but it can be detected with a SIEM and the DetectTor use case, which helps to uncover any connections to the Tor network.
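As an added example (not code from Forcepoint, SOC Prime or the article), the two behaviours described above, a ‘taskkill’ aimed at a security product and an outbound connection to a Tor node, can be checked against process-creation and network-connection telemetry in a SIEM-style rule. The log line format, host names, Tor relay addresses and the security-process list are constructed for illustration; a production rule would take them from real telemetry and a maintained Tor node feed.

```python
import re

# Illustrative values only: a constructed Tor relay list (TEST-NET addresses) and a short
# list of security-product process names; a real rule pulls both from maintained feeds.
TOR_NODES = {"203.0.113.7", "203.0.113.8"}
TOR_DEFAULT_PORTS = {9001, 9030}          # default Tor ORPort / DirPort (port hits need triage)
SECURITY_PROCS = {"avgui.exe", "msmpeng.exe", "avp.exe"}

# Constructed sample events in an assumed, simplified Sysmon-like line format:
# <EventType>|<Host>|key=value;key=value...
SAMPLE_LOG = """\
ProcessCreate|WS-017|Image=C:\\Windows\\System32\\taskkill.exe;CommandLine=taskkill /F /IM avgui.exe
ProcessCreate|WS-017|Image=C:\\Windows\\System32\\taskkill.exe;CommandLine=taskkill /IM notepad.exe
NetworkConnect|WS-017|Image=C:\\Users\\u\\AppData\\Roaming\\update.exe;DestIp=203.0.113.7;DestPort=9001
NetworkConnect|WS-022|Image=C:\\Program Files\\Firefox\\firefox.exe;DestIp=198.51.100.20;DestPort=443
"""

TASKKILL_IM = re.compile(r"/IM\s+(?P<target>\S+)", re.IGNORECASE)


def parse_event(line):
    """Split one log line into a dict: event type, host, then the key=value fields."""
    event_type, host, fields = line.split("|", 2)
    ev = {"type": event_type, "host": host}
    for kv in fields.split(";"):
        key, _, value = kv.partition("=")
        ev[key] = value
    return ev


def detect(log_text):
    """Return (host, rule, detail) tuples for taskkill-vs-security-tool and Tor connections."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev["type"] == "ProcessCreate" and ev.get("Image", "").lower().endswith("\\taskkill.exe"):
            m = TASKKILL_IM.search(ev.get("CommandLine", ""))
            if m and m.group("target").lower() in SECURITY_PROCS:
                alerts.append((ev["host"], "taskkill_security_tool", m.group("target")))
        elif ev["type"] == "NetworkConnect":
            ip, port = ev.get("DestIp"), int(ev.get("DestPort", 0))
            if ip in TOR_NODES or port in TOR_DEFAULT_PORTS:
                alerts.append((ev["host"], "tor_connection", f"{ev.get('Image')} -> {ip}:{port}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Both hits land on the same host, which is the correlation a SIEM use case would raise: a security tool being killed followed by Tor traffic from an unusual user-profile binary.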