A new remote access trojan “QwixxRAT” has caught the security researchers’ attention while targeting Windows systems. The threat actors are spreading QwixxRAT malware, also known as “TelegramRAT”, via Telegram and Discord to infect Windows systems.
QwixxRAT Emerges As The Latest Windows Malware
In a recent post from the Uptycs Threat Research team, the researchers have elaborated on a newly discovered Windows malware, “QwixxRAT”, running active campaigns.
Also named “TelegramRAT,” the malware disseminates via communication platforms like Telegram and Discord, to infect Windows PCs. Upon reaching the target devices, the malware steals a wide range of data from the target systems, alongside performing keylogging and allowing explicit remote access to the threat actors.
Specifically, QwixxRAT is a C# compiled binary, capable of executing different functions. These functions enable the malware to remain undetected as a CPU program, prevent duplicate execution to evade detection, develop secure communication with servers, gain elevated (preferably, admin) privileges, and escape sandbox, VMware, and other security measures. In addition, the RAT also exhibits self-destruction capability to evade detection.
Moreover, the malware also includes other functionalities to ensure persistence on the target system for long without raising alarms. These include keylogging, process monitoring (detecting running processes such as “taskmgr” to shutdown network activities and avoid detection until the process ends), capturing screenshots, extracting login credentials, and stealing messenger data and Steam data.
Besides, the malware also targets a wide range of web browsers, including the secure browsers like Brave, Epic, and Comodo, to steal information. The targeted data includes browser history, stored credentials, crypto wallets, and FTP credentials, bookmarks, auto-fill information including credit card details, and more.
Alongside stealing information, the malware also works as a clipper to steal copied information from the clipboard. Also, it acts as a potent spy tool, giving access to the device’s microphone and camera.
The malware transmits all stolen information to the threat actors via a Telegram channel.
Stay Wary To Avoid Malware Attacks
The researchers have published the YARA rule for detecting QwixxRAT that users can use to protect their systems. Besides, they advise the users to remain careful by deploying multi-factor authentication on important accounts, securing webcams by disconnecting them from the internet when idle, monitoring bank statements for suspicious transactions, and staying wary when interacting with unsolicited or suspicious emails.
Let us know your thoughts in the comments.
