QwixxRAT: A New Windows RAT Emerges in the Threat Landscape

Cyber Security Threat Summary:
The Uptycs Threat Research team discovered the QwixxRAT (aka Telegram RAT) in early August 2023 while it was advertised through Telegram and Discord platforms. According to the experts, QwixxRAT is meticulously designed to steal a broad range of information, including data from browser histories, credit card details, screenshots, and keystrokes. The cybersecurity company, which discovered the malware earlier this month, said it’s “meticulously designed” to harvest web browser histories, bookmarks, cookies, credit card information, keystrokes, screenshots, FTP credentials, messenger data, and data from the Steam platform. The RAT is available for 150 rubles for a weekly subscription and 500 rubles for a lifetime subscription, however, the researchers also noticed the availability of a limited free version. The RAT is able to collect sensitive data and exfiltrate them by sending the info to the attacker’s Telegram bot.

Security Officer Comments:
The malware implements multiple anti-analysis features and evasion techniques. Experts noticed that the RAT uses a sleep function to introduce a delay and determined if it is being run under a debugger. The malicious code also runs checks to determine whether it’s running within a sandbox or virtual environment. Threat actors remotely control the RAT and manage its operations through a Telegram bot, “Once installed on the victim’s Windows platform machines, the RAT stealthily collects sensitive data, which is then sent to the attacker’s Telegram bot, providing them with unauthorized access to the victim’s sensitive information.”reads a new report published by security firm Uptycs. To avoid detection by antivirus software, the RAT employs command and control functionality through a Telegram bot. This allows the attacker to remotely control the RAT and manage its operations.”

T1566 - Phishing Threat actors use various thirdp-arty services and applications for the above.

T1027 - Obfuscated Files or Information
The threat actor intentionally conceals the console window to remain covert and obscure the presence of malicious activities. This strategy aims to hinder detection by security measures. Additionally, the RAT utilizes various anti-analysis methods such as sandbox checks, virtual environment detection, and debugger identification to further obfuscate its operations and evade scrutiny

T1055 - Process Injection
The RAT (QwixxRAT) is designed with the capability of process injection, allowing the attacker to stealthily inject malicious code into other running processes. This technique enables the attacker to evade detection and gain control over victim devices.

T1059 - Command and Scripting Interpreter
Threat actors can exploit C# as a means to manipulate command and script interpreters, enabling them to execute a range of commands, scripts, or binaries. These interfaces and programming languages offer avenues for interacting with computer systems, constituting a pervasive feature found across diverse platforms.

T1087 - Account Discovery
The threat actor behind the QwixxRAT is capable of gathering sensitive data from compromised systems, including details about user accounts. The RAT stealthily collects various information such as computer details, machine name, username, and more. This data likely includes information about user accounts present on the victim's machine, aiding the threat actor in their malicious activities.

T1053.005 - Scheduled Task/Job
The malware maintains persistence by creating a scheduled task for the hidden file located at “C:\Users\Chrome\rat.exe”.

T1071 - Application Layer Protocol
Information is gathered and exfiltrated over common protocols via telegram and discord.

T1070 - Indicator Removal
The QwixxRAT threat actor employs a self-destruction mechanism by generating a temporary batch script. This script waits for the ongoing process to finish before proceeding to delete the RAT's executable file.

Suggested Correction(s):
Implementing endpoint protection and blocking unnecessary services are critical cybersecurity practices. Endpoint protection tools safeguard devices from malware and unauthorized access, while service blocking mitigates risks linked to using non-essential services such as Telegram and Discord. These combined measures proactively deter attacks and uphold the security of sensitive data.

The researchers published a YARA detection rule as well as IOCS for this threat.