Qrypter MaaS [Malware-as-a-Service] Remote Access Trojan
A new Java-based remote access trojan (RAT), known as Qrypter, has been observed. Developed by the ‘QUA R&D’ criminal group, it is offered on a Malware-as-a-Service (MaaS) basis to compete with the Adwind RAT.
Although Qrypter is usually used in smaller attacks that deliver only a few hundred emails per campaign, it affects many organizations worldwide. In February 2018 we tracked three Qrypter-related campaigns that affected 243 organizations in total.
Qrypter is typically delivered via malicious email campaigns, each consisting of several hundred messages. Once installed, it downloads and executes two randomly named .vbs files in the %Temp% folder to gather information on the firewall and antivirus products present on the device. It also creates registry entries to terminate and disable a number of security-related processes, lower overall security settings and launch Qrypter at startup.
Command And Control Servers
vvrhhhnaijyj6s2m[.]onion[.]top
buzw55o32jgyznev[.]onion[.]top
Affected platforms
Microsoft Windows – All versions
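The behaviour and command and control servers described above can be turned into a simple log check. The following is an added example, not part of the original advisory: it flags DNS queries for the listed hosts and script hosts that run a .vbs file from %Temp%. The event field names, the sample events and the assumption that the script host's parent is a Java process (because Qrypter is Java-based) are illustrative.

```python
import re

# C2 hostnames exactly as listed on this page (kept defanged, refanged only for matching).
C2_DEFANGED = ["vvrhhhnaijyj6s2m[.]onion[.]top", "buzw55o32jgyznev[.]onion[.]top"]
C2_HOSTS = {d.replace("[.]", ".").lower() for d in C2_DEFANGED}
# Assumption: standard Windows image names for the script hosts and Java launchers.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# A .vbs file sitting directly in a Temp folder (expanded path or literal %Temp%).
TEMP_VBS = re.compile(r'(?:\\appdata\\local\\temp\\|%temp%\\)[^\\"]+\.vbs\b', re.I)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return a finding label for one event dict (hypothetical schema), or None."""
    if ev.get("type") == "dns":
        q = ev.get("query", "").rstrip(".").lower()
        # Match a listed host itself or any subdomain of it.
        if any(q == h or q.endswith("." + h) for h in C2_HOSTS):
            return "c2_dns"
    elif ev.get("type") == "process":
        if (basename(ev.get("image", "")) in SCRIPT_HOSTS
                and basename(ev.get("parent", "")) in JAVA_IMAGES
                and TEMP_VBS.search(ev.get("cmdline", ""))):
            return "java_spawned_temp_vbs"
    return None

def scan(events):
    """Return (host, finding) pairs for every event that matches."""
    return [(ev["host"], f) for ev in events if (f := check_event(ev))]

# Constructed sample events (not real telemetry).
SAMPLE = [
    {"type": "process", "host": "WS-01", "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r'cscript.exe "C:\Users\alice\AppData\Local\Temp\kq3x7z.vbs"'},
    {"type": "process", "host": "WS-02", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",  # user double-click, not Java
     "cmdline": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\report.vbs"'},
    {"type": "process", "host": "WS-03", "image": r"C:\Windows\System32\cscript.exe",
     "parent": r"C:\Program Files\Java\jre\bin\java.exe",
     "cmdline": r"cscript.exe C:\Scripts\inventory.vbs"},  # outside Temp
    {"type": "dns", "host": "WS-04", "query": C2_DEFANGED[1].replace("[.]", ".") + "."},
    {"type": "dns", "host": "WS-05", "query": "example.com"},
]

if __name__ == "__main__":
    for host, finding in scan(SAMPLE):
        print(host, finding)
```

The parent-process condition keeps the rule from firing on scripts a user or administrator runs from Temp by hand; loosen it if your telemetry does not record parent images.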
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.