A new Windows remote access trojan, QwixxRAT, is spreading via Discord and Telegram. Based on reports, the new RAT harvests sensitive data and exfiltrates it to an attacker-controlled Telegram bot. The attackers also use the same Telegram bot to manage and remotely control the trojan.
The researchers explained that the RAT discreetly harvests sensitive information after its operators install it on a victim’s Windows device. Next, the malware will send the collected data to the attackers’ Telegram bot, providing them with unauthorised data access.
The new QwixxRAT could avoid detection through Telegram.
According to investigations, the newly uncovered QwixxRAT uses a Telegram bot for command-and-control, which helps it evade detection by AV solutions. The same channel allows the threat actors to control the RAT and manage its operations remotely.
The experts also emphasised that the RAT developers created the payload to steal specific information, such as browser histories, screenshots, keystrokes, and credit card details.
The researchers discovered the malware earlier this month and stated that the remote access trojan executes a specific set of capabilities to improve its success rate.
Currently, the RAT developers offer QwixxRAT for merely 2 dollars for a weekly subscription and about 5 dollars for a lifetime subscription. The researchers also identified that a limited free version of the RAT is available.
QwixxRAT is written in C# and compiled into a 32-bit executable. The malware supports 19 functions, each serving a designated purpose.
The malware also employs several anti-analysis features and evasion techniques. Separate researchers noticed that the RAT uses a sleep call to delay execution and to determine whether it is running under a debugger. Additionally, the malware establishes persistence by creating a scheduled task that launches the hidden file at C:\Users\Chrome\rat[.]exe.
Lastly, QwixxRAT includes a self-destruct capability for the C# program and clipper code that collects data copied to the clipboard. These techniques could allow the attackers to exfiltrate Ethereum, Monero, and Bitcoin cryptocurrency data.
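A defender-side check for the scheduled-task persistence described above, added here as an illustration and not taken from the report: it inspects constructed records shaped like Windows Security event 4698 (scheduled task created) and flags tasks whose action runs a binary from a user-profile folder, especially one named after a product such as Chrome. The Hidden-setting check and the lookalike watchlist are assumptions for this example.

```python
"""Flag scheduled-task creation events whose action runs from a user profile.
Illustrative detection logic (not from the original report). Input records are
constructed to mimic Windows Security event 4698; TaskContent carries the task
XML definition, from which the Exec command is read."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)\\", re.IGNORECASE)
# Profile folder names that look like software, not a person (constructed watchlist)
LOOKALIKE_PROFILES = {"chrome", "firefox", "edge", "windows", "microsoft"}

# Constructed sample events: (SubjectUserName, TaskName, TaskContent XML)
SAMPLE_EVENTS = [
    ("alice", r"\Backup", """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions><Exec><Command>C:\\Program Files\\Backup\\backup.exe</Command></Exec></Actions>
</Task>"""),
    ("alice", r"\Updater", """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions><Exec><Command>C:\\Users\\Chrome\\rat.exe</Command></Exec></Actions>
</Task>"""),
]

def analyse_task(subject_user, task_name, task_xml):
    """Return the reasons a task looks suspicious (empty list if none)."""
    root = ET.fromstring(task_xml)
    reasons = []
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        reasons.append("task is hidden from the Task Scheduler UI")
    for cmd in root.iterfind(".//t:Actions/t:Exec/t:Command", NS):
        path = (cmd.text or "").strip().strip('"')
        m = USER_PROFILE_RE.match(path)
        if not m:
            continue  # binaries outside C:\Users are not flagged by this heuristic
        profile = m.group(1)
        reasons.append(f"action runs from a user profile: {path}")
        if profile.lower() != subject_user.lower():
            reasons.append(f"profile folder '{profile}' != creating account '{subject_user}'")
        if profile.lower() in LOOKALIKE_PROFILES:
            reasons.append(f"profile folder '{profile}' mimics a product name")
    return reasons

def scan(events):
    """Map each task name to its list of findings."""
    return {name: analyse_task(user, name, xml) for user, name, xml in events}

if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_EVENTS).items():
        print(name, "->", reasons or "ok")
```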
