A new Java-based remote access trojan (RAT), known as Qrypter, has been observed. Developed by the ‘QUA R&D’ criminal group, it is offered on a Malware-as-a-Service (MaaS) basis to compete with the Adwind RAT.
Although Qrypter is usually used in smaller attacks that deliver only a few hundred emails per campaign, it affects many organizations worldwide. In February 2018 we tracked three Qrypter-related campaigns that affected 243 organizations in total.
Qrypter is typically delivered via malicious email campaigns, each consisting of several hundred messages. Once installed, it downloads and executes two randomly-named .vbs files in the %Temp% folder to gather information on the firewall and antivirus products present on the device. Registry entries are created to terminate and disable a number of security-related processes, lower overall security settings and initiate Qrypter at startup.
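The two behaviours above (a Java process dropping randomly-named .vbs files into %Temp%, then writing a registry entry so the RAT starts with Windows) are what a defender can hunt for in endpoint telemetry. The script below is an added example, not code from the article or from the Qrypter authors. It runs over constructed, Sysmon-style JSON events; the event IDs (11 for file creation, 13 for registry value set), the field names, the `HKU\...\CurrentVersion\Run` path and the sample file names are all assumptions made for the example, since the article only says that .vbs files land in %Temp% and that registry entries start Qrypter at boot.

```python
"""Hunt for Qrypter-style dropper behaviour in endpoint telemetry.

Added example (not from the original article). Correlates, per process, two
signals the article describes: a Java runtime writing .vbs files into %Temp%,
and the same process writing a Run-key entry for startup persistence.
"""
import json
import re
from collections import defaultdict

# Constructed sample telemetry, not real logs. One JSON object per line, loosely
# modelled on Sysmon event ID 11 (file create) and 13 (registry value set).
# Field names, paths, PIDs and the 'jupdate' value name are all made up here.
SAMPLE_LOG = r"""
{"id": 11, "pid": 4120, "image": "C:\\Program Files\\Java\\bin\\javaw.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\hq8s2kd0.vbs"}
{"id": 11, "pid": 4120, "image": "C:\\Program Files\\Java\\bin\\javaw.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\zp1v7ma3.vbs"}
{"id": 13, "pid": 4120, "image": "C:\\Program Files\\Java\\bin\\javaw.exe", "target": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\jupdate"}
{"id": 11, "pid": 900, "image": "C:\\Windows\\System32\\msiexec.exe", "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.log"}
{"id": 11, "pid": 5000, "image": "C:\\Program Files\\Java\\bin\\javaw.exe", "target": "C:\\Users\\bob\\AppData\\Local\\Temp\\helper.vbs"}
"""

# A .vbs file directly inside a user's %Temp% folder (the article's drop location).
TEMP_VBS = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.vbs$", re.IGNORECASE)
# Standard per-user autostart key (assumed here; the article only says "start up").
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
JAVA_IMAGES = {"java.exe", "javaw.exe"}

# Qrypter drops two scripts, so a single .vbs from a Java process is left alone
# to avoid flagging legitimate installers that use one helper script.
MIN_VBS_DROPS = 2


def load_events(text):
    """Parse one JSON event per non-empty line into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_java(image):
    """True when the acting process is the Java launcher (Qrypter is a Java RAT)."""
    name = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name in JAVA_IMAGES


def hunt(events):
    """Return {pid: [indicator, ...]} for Java processes that match the pattern.

    Processes with no indicator are omitted, so an empty dict means nothing found.
    """
    vbs_drops = defaultdict(set)
    run_keys = defaultdict(set)
    for ev in events:
        if not is_java(ev["image"]):
            continue
        target = ev["target"]
        if ev["id"] == 11 and TEMP_VBS.search(target):
            vbs_drops[ev["pid"]].add(target.lower())
        elif ev["id"] == 13 and RUN_KEY.search(target):
            run_keys[ev["pid"]].add(target.lower())

    findings = {}
    for pid in sorted(set(vbs_drops) | set(run_keys)):
        indicators = []
        if len(vbs_drops[pid]) >= MIN_VBS_DROPS:
            indicators.append(f"{len(vbs_drops[pid])} .vbs files written to %Temp%")
        if run_keys[pid]:
            indicators.append("Run key persistence written")
        if indicators:
            findings[pid] = indicators
    return findings


if __name__ == "__main__":
    for pid, indicators in hunt(load_events(SAMPLE_LOG)).items():
        print(f"pid {pid}: " + "; ".join(indicators))
```

Only PID 4120 is reported: it wrote two .vbs files into %Temp% and a Run-key value. The msiexec log file and the lone helper.vbs from PID 5000 fall below the threshold, which is the point of correlating both signals per process rather than alerting on any .vbs in %Temp%.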
Command And Control Servers
Microsoft Windows – All versions