Qarallax RAT: Spying On US Visa Applicants

Travelers applying for a US visa in Switzerland were recently targeted by cybercriminals linked to a malware family called QRAT. Twitter user @hkashfi posted a tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel, using the Skype account ustravelidocs-switzerland (notice the extra “i” between “travel” and “docs”).

[Figure: The fake ustraveldocs Skype account. Find the differences between the legitimate account and the impostor.]

US-bound hopefuls looking for additional US visa information might end up talking to cybercriminals who could send them a malicious file. Searching Skype for the legitimate account returns two entries. Without a keen eye, you might pick the wrong one.

[Figure: Skype search results for “ustraveldocs-switzerland”, showing the related accounts side by side.]

Searching Skype for the string “ustravelidocs” yielded the following accounts, apparently set up to target other nationalities.

[Figure: Skype search results for “ustravelidocs”: other possible infection vectors targeting other nationalities.]

The file is a Java application that runs on any operating system with the Java Runtime Environment (JRE) installed. It runs silently in the background with no indication to the user. Based on the observed network activity, the file downloads a couple of Java libraries over port 80 from the IP address 95.211.141[.]215, to which the QARALLAX[.]COM domain resolves. It also connects to the same IP address on port 1714, which it uses as its command and control channel.

The application is capable of performing the following behaviors:

  • Capture mouse movements and clicks
  • Capture keyboard presses
  • Control the webcam and take photos or videos

Other libraries and applications are hosted on the same server but were not downloaded by this sample. One of them is the open source LaZagne application, which can retrieve passwords from the following sources:

  • Wi-Fi credentials
  • Browsers
  • Chat applications
  • Databases
  • Mail programs

The group has also made a copy of the LaZagne application and relabeled it as their own. They will likely offer the relabeled application as an additional feature to customers willing to pay a premium. The features of “US Travel Docs Information.jar” paint a picture of malware reminiscent of the remote access trojans used to run “webcam slaves”.

[Figure: The relabeled LaZagne application.]

The JAR file uses AES encryption and a Base64 encoder to obfuscate its strings and discourage static analysis. It is Arabic in origin, with the strings “allah” and “hemze” found obfuscated within the body. The IP address 95.211.141[.]215 is located in the Netherlands, but the domain QARALLAX[.]COM has WHOIS history linking it to Turkey. According to the same WHOIS data, the domain’s registrant organization is “QUAverse”, which shares its name with the RAT described in the write-up from the fine folks at Trustwave. The same string is also used as a company name in some freelance site profiles and social networks.

[Figure: The deobfuscation routine the malware runs before using its strings.]

A search for the “QARALLAX” string turned up the product being offered on the BLACKWHITEGUYS forum. One of the sellers is named quanian (notice the resemblance to quaverse), and he joined the forum in March 2016. The domain was first registered in February 2016, with IP address changes in March 2016, which coincides with their marketing of Qarallax V9 in the forum. The timeline indicates that the Qarallax variant is still new, less than six months old. The price for the Qarallax RAT ranges from $22 to $900, depending on the contract duration, from 5 days to a year respectively.

[Figure: The malware-as-a-service offering.]

Upon purchase, users of the Qarallax RAT get a “master” and a “slave” program. The users are responsible for expanding their network of slaves by tricking victims into running the application. The file received via Skype is a slave program. The Skype handle and the program’s filename tricked the user into believing they were getting a document from a legitimate source.

The master program connects to the same IP address as the slave program. If the license for the master program is valid, it then asks the user to enter the port number matching the slave port in order to view the victimized machines.

[Figure: QRAT asking for the TCP master port number.]

If the license is invalid or expired, it shows an “Invalid Master!” prompt.

[Figure: The “Invalid Master!” error prompt.]

With a wrong port number, the list of “Connected Slaves” stays empty.

[Figure: Wrong port number, showing no connected slaves.]

The following image shows how the interface looks from the criminal’s point of view with the proper settings.

[Figure: Screenshot of the Qarallax RAT interface with connected slaves, as advertised by the seller.]

QRAT users, also known as ratters, differ in how they infect their victims: one might prefer Skype, another email. Ratters do not see each other’s victims unless they share their master program and port number.

If you are looking for information about travel visas, double-check the Skype handle and the document you have received. Be aware that a lowercase “l” can be confused with a capital “I” or the number one (1), and a capital “O” with a zero (0). There are many ways people can be victimized, but with some scrutiny it can be prevented.
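As an added example (not from the original write-up), the following check folds the confusable characters the article names (l/I/1 and O/0) before comparing a Skype handle with the legitimate ustraveldocs-switzerland handle, so that near-lookalikes such as the extra-“i” impostor are flagged. The confusable table and the distance threshold are assumptions chosen for the example.

```python
import unicodedata

# Characters the article warns are easy to confuse (lowercase l, capital I and
# the digit 1; capital O and the digit 0), folded to one canonical form.
# This table is an assumption for the example, not something from the malware.
CONFUSABLES = str.maketrans({"l": "1", "i": "1", "|": "1", "o": "0"})

# The legitimate handle named in the article; other trusted handles would go here.
LEGITIMATE_HANDLES = {"ustraveldocs-switzerland"}


def skeleton(handle: str) -> str:
    """Fold a handle so that confusable characters compare as equal."""
    folded = unicodedata.normalize("NFKC", handle).casefold()
    return folded.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_handle(handle: str, max_distance: int = 2) -> str:
    """Return 'legitimate', 'lookalike' or 'unrelated' for a Skype handle.

    A handle is a lookalike when its skeleton is within max_distance edits of a
    legitimate handle's skeleton while the handle itself is not the real one.
    """
    if handle.casefold() in LEGITIMATE_HANDLES:
        return "legitimate"
    sk = skeleton(handle)
    if any(edit_distance(sk, skeleton(good)) <= max_distance for good in LEGITIMATE_HANDLES):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    for h in ("ustraveldocs-switzerland", "ustravelidocs-switzerland",
              "ustrave1docs-switzerland", "jane.doe"):
        print(f"{h}: {classify_handle(h)}")
```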

Indicators

  • 95.211.141[.]215:80 – IP address and port from which the sample downloads additional Java libraries and plugins.
  • 95.211.141[.]215:1714 – IP address and port to which the sample sends status, its command and control server.
  • Qarallax[.]com – Domain name of 95.211.141[.]215
  • ustravelidocs-switzerland – Skype handle that sent “US Travel Docs Information.jar”
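As an added example (not part of the original write-up), the network behaviour described above and the indicators in this list turned into simple detection logic run over constructed proxy/firewall log lines: a host that fetches .jar files from the staging server on port 80 and then beacons to port 1714 is rated higher than one showing only one of the two. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Network indicators from the write-up, with the defanging brackets removed.
C2_IP = "95.211.141.215"
C2_PORT = 1714          # status/beacon channel to the command and control server
STAGING_DOMAIN = "qarallax.com"

# Constructed log lines in a simplified proxy/firewall format (not real data):
# <time> <src_ip> <dst_ip>:<dst_port> <host> <path>
SAMPLE_LOG = """\
2016-06-10T09:01:02Z 10.0.0.7 93.184.216.34:443 example.com /
2016-06-10T09:03:15Z 10.0.0.7 95.211.141.215:80 qarallax.com /lib/plugin1.jar
2016-06-10T09:03:16Z 10.0.0.7 95.211.141.215:80 qarallax.com /lib/plugin2.jar
2016-06-10T09:03:20Z 10.0.0.7 95.211.141.215:1714 - -
2016-06-10T09:05:00Z 10.0.0.9 93.184.216.34:80 example.com /index.html
2016-06-10T09:07:44Z 10.0.0.9 95.211.141.215:1714 - -
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+) (\S+) (\S+)$")


def classify_line(line: str):
    """Return (src_ip, alert_kind) for a line that touches an indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, src, dst, port, host, path = m.groups()
    if dst == C2_IP and int(port) == C2_PORT:
        return src, "c2_beacon"
    if dst == C2_IP or host == STAGING_DOMAIN:
        # Traffic to the staging server; .jar fetches are the library downloads.
        return src, "jar_download" if path.endswith(".jar") else "ioc_contact"
    return None


def find_hits(log_text: str) -> dict:
    """Map each source host to the sorted list of alert kinds seen for it."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        result = classify_line(line)
        if result:
            hits[result[0]].add(result[1])
    return {src: sorted(kinds) for src, kinds in hits.items()}


def triage(hits: dict) -> dict:
    """'high' when both the library download and the C2 beacon were seen, else 'medium'."""
    return {src: "high" if {"jar_download", "c2_beacon"} <= set(kinds) else "medium"
            for src, kinds in hits.items()}
```

Running `triage(find_hits(SAMPLE_LOG))` on the constructed lines rates 10.0.0.7 high and 10.0.0.9 medium.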
