People who applied for a US visa in Switzerland complained about receiving malware via Skype from an unknown person posing as a US government official guiding applicants through the visa process.
Victims said the person sent them a file named “US Travel Docs Information.jar”. What raised their suspicion was that the Skype account name contained a spelling mistake (ustravelidocs-switzerland, notice the extra “i”), which made them realize it was not the official account.
Researchers from F-Secure investigated the case and said they found multiple such accounts, all with misspelled names, targeting visa applicants in several other countries as well.
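The misspelled handle is the one detail in this story a defender can actually check for. The following is an added example, not code from the article or from F-Secure: it flags contact handles that are only a small edit away from a known-legitimate handle, which is exactly the “extra i” pattern described above. The legitimate handle ustraveldocs-switzerland is assumed from the article’s remark that the fake one had one extra letter; the second legitimate handle and the contact list are constructed test data.

```python
# Added example (not from the article or F-Secure): flag Skype handles that
# are a small edit away from a known-legitimate handle, as in the
# "ustravelidocs-switzerland" case. The legitimate handle
# "ustraveldocs-switzerland" is assumed from the article's "extra i" remark;
# "ustraveldocs-germany" and the contact list are constructed test data.


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# Assumed allow-list of official handles (only the first is supported by the article).
LEGIT_HANDLES = frozenset({"ustraveldocs-switzerland", "ustraveldocs-germany"})


def classify_handle(handle: str, legit=LEGIT_HANDLES, max_distance: int = 2):
    """Return ("legit", match), ("lookalike", nearest) or ("unrelated", None).

    A handle within `max_distance` edits of an official one but not equal to it
    is the typosquatting pattern the article describes.
    """
    h = handle.strip().lower()
    if h in legit:
        return ("legit", h)
    nearest = min(legit, key=lambda l: levenshtein(h, l))
    if levenshtein(h, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unrelated", None)


def triage_contacts(contacts, legit=LEGIT_HANDLES):
    """Return the contacts that impersonate an official handle, with the handle they mimic."""
    hits = []
    for c in contacts:
        verdict, match = classify_handle(c, legit)
        if verdict == "lookalike":
            hits.append((c, match))
    return hits


if __name__ == "__main__":
    # Constructed contact list: one real handle, one typosquat, one unrelated user.
    sample = ["ustraveldocs-switzerland", "ustravelidocs-switzerland", "alice.smith"]
    for handle, mimics in triage_contacts(sample):
        print(f"suspicious: {handle!r} looks like official {mimics!r}")
```

The threshold of two edits is deliberately tight: the campaign relied on a single inserted character, and a wider window would start matching unrelated handles. In practice you would feed this the handles of every unsolicited contact that sends attachments, not the whole contact list.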
Crooks were spreading a new RAT called Qarallax
When F-Secure analyzed the malicious Java file, they found it carried a never-before-seen malware, a RAT (Remote Access Trojan) that granted attackers access to the victim’s computer.
Researchers named the malware Qarallax RAT because it connected to a C&C (command and control) server whose IP address resolved to the qarallax.com domain.
The organization that registered the domain was named QUAverse, which led researchers to believe that this malware is somehow related to the Quaverse RAT discovered in May 2015, which is also coded in Java.
Taking a look at the RAT’s internal functions, researchers found a rebranded version of the LaZagne password dumping application, but also some unique features.
These included the ability to capture mouse cursor movements, mouse clicks and keystrokes, and to take webcam snapshots or record webcam video.
Qarallax RAT available for sale on the Internet
Just like the Quaverse RAT, the Qarallax RAT is available for sale online. Its price ranges from $22 to $900 depending on how long the buyer wants to rent the service, which is the normal price range for such a service.
Because the tool is rented out, the clues in Qarallax’s source code that point to Arabic-speaking Turkish authors do not necessarily mean that the campaign against US visa applicants is their work.
People who may want to leave a country are of interest to various oppressive governments, which are known to buy surveillance software from all kinds of sources.