Skype being used to distribute malware

Skype is being used to distribute QRAT malware to unsuspecting travellers looking for help on filling out US, travel documents.

Skype being used to distribute QRAT malware
Skype being used to distribute QRAT malware

Researchers at F-Secure found cyber-criminals attempting to steal the personal information of Swiss nationals, among other travellers, who were looking for help on how to file for visas to visit the United States.

To pull off the scam the bad guys are using malware called QRAT, or Qarallax RAT. In an interesting twist, the malware is being distributed through Skype by criminals posing as US officials offering the needed help, wrote F-Secure's Frederic Vila in a blog. Skype has been used as an attack vector in the past, but for adware.

Vila said the software appears to be about six months old and it was found for rent on a dark web forum with prices starting as low as $22 (£15) for a five-day rental, with an option to lease it annually for $900 (£621).

An incident starts when the victim conducts a Skype search to find more information on how to apply for a US visa. While there is a legitimate place to contact, ustraveldocs -  Switzerland, there are others that pop up in Skype search that look legit, but in fact are fronts for the malware distributors. These can sneak past an unwary person as they look almost identical, ustraveldocs – Switzerland. The 'i' in the middle gives away the bogus Skype account.

The malicious file is a Java application that can run on operating systems with Java Runtime Environment installed, Vila noted.

Once the call is initiated the malware is downloaded onto the victim's computer where it is capable of capturing keystrokes, mouse movements and clicks, as well as controlling the webcam. 

F-Secure also found a copy of the open source LaZagne malware application stored on the same server as QRAT. This could indicate a plan to bundle the two together, and if this is done it would give the criminals the ability to also steal passwords from a user's Wi-Fi, browsers, chat applications and mail programs.

Vila said in his blog that the code does contain some indicators about the malware's origin.

“It is Arabic in origin with the strings 'allah' and 'hemze' found obfuscated within the body. The IP address 95.211.141[.]215 is located in Netherlands but the domain QARALLAX[.]COM has WHOIS history linking it to Turkey,” Vila said.

F-Secure found 21 additional Skype accounts that start with ustraveldocs indicating that the criminals are also trying to target travellers from these countries, but Vila did not have any information that this was taking place.