US visa applicants in Switzerland are falling victim to a hitherto unknown malware called Qarallax RAT or QRAT, which is being distributed via Skype by an unknown entity posing as a US government official. Upon further investigation, security researchers uncovered that the malware has been active elsewhere as well, targeting US visa applicants in various countries.
F-Secure security researchers report that a hacker or group of hackers posing as US government officials, and claiming to provide guidance on visa application procedures, have been sending people a malicious Java file named "US Travel Docs Information.jar" containing a new strain of RAT (Remote Access Trojan), which enables the attackers to gain access to victims' computers. The QRAT malware has the alarming ability to capture mouse clicks, cursor movements and keystrokes, and even to operate the victim's webcam remotely, taking snapshots or recording video.
The malware was found to be connected to a C&C (command and control) server within the qarallax.com domain, leading researchers to name it Qarallax RAT. Victims are reported to have found the Java file suspicious after noting that the Skype account sending the file had an extra "i" (ustravelidocs-switzerland).
F-Secure security researcher Frederic Vila cautions: "If you are going to look for information about travel visas, you need to double check the Skype handle and the document that you have received. Be aware that a lowercase 'l' can be confused with a capital 'I' or the number one (1); or a capital 'O' can be confused with a zero (0). There are many ways people can be victimized, but with some scrutiny it can be prevented."
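The check Vila describes, written up as an added Python example (not code from F-Secure's analysis): confusable characters are folded together and the Skype handle is compared against the expected one, so that both homoglyph swaps and a single inserted character are flagged. The legitimate handle `ustraveldocs-switzerland` is assumed from the article's remark about the extra "i"; the sample handles are constructed.

```python
# Added example: screen Skype handles that claim to belong to the visa service.
# Assumed legitimate handle (the page only states the impostor's had an extra "i").
EXPECTED_HANDLE = "ustraveldocs-switzerland"

# Characters that look alike in many fonts, collapsed to one representative.
# Applied before lowercasing so that a capital "I" still folds to "l".
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l",   # capital I, digit one, pipe vs lowercase L
    "0": "o", "O": "o",             # zero vs letter O
    "5": "s", "$": "s",
    "8": "b",
    "2": "z",
}


def skeleton(handle: str) -> str:
    """Fold confusable characters together and lowercase the result."""
    return "".join(CONFUSABLES.get(ch, ch).lower() for ch in handle.strip())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_handle(handle: str, expected: str = EXPECTED_HANDLE, max_edits: int = 2) -> str:
    """Return 'match', 'homoglyph', 'lookalike' or 'unrelated' for a contact handle."""
    if handle == expected:
        return "match"
    s_handle, s_expected = skeleton(handle), skeleton(expected)
    if s_handle == s_expected:
        return "homoglyph"      # differs only by look-alike characters (l/I/1, O/0)
    if levenshtein(s_handle, s_expected) <= max_edits:
        return "lookalike"      # e.g. one inserted character, as in the reported case
    return "unrelated"


def screen_contacts(handles: list[str]) -> dict[str, str]:
    """Map every handle that is not an exact match but is suspiciously close."""
    flagged = {}
    for h in handles:
        verdict = classify_handle(h)
        if verdict in ("homoglyph", "lookalike"):
            flagged[h] = verdict
    return flagged


# Constructed sample contacts: the real handle, the reported extra-"i" variant,
# a capital-I swap, a digit-based swap and an unrelated account.
SAMPLE_CONTACTS = ["ustraveldocs-switzerland", "ustravelidocs-switzerland",
                   "ustraveIdocs-switzerland", "ustrave1d0cs-switzerland", "john.smith"]
```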
F-Secure's analysis of the malware revealed that the domain was registered to an organisation called QUAverse, suggesting that the new strain may be connected to the Quaverse RAT malware first identified in 2015. Quaverse RAT was also coded in Java, not unlike Qarallax RAT. The similarities do not end there. Like its likely predecessor, QRAT is also available for sale online and can be rented for amounts varying from $22 to $900.
The QRAT code indicates that the hackers operating the malware may be from Arabic-speaking regions like Turkey. However, given that the malware is available for rent, it is possible that it is now being used by entities that had little to do with creating it.