Threat actors used RAT bought off the Internet

Jun 7, 2016 22:05 GMT  ·  By

People who applied for a US visa in Switzerland complained about receiving malware over Skype from an unknown person posing as a US government official who was guiding applicants through the visa process.

The victims said the person sent them a file named "US Travel Docs Information.jar," but what raised suspicion was the fact that the Skype account name contained a spelling mistake (ustravelidocs-switzerland, notice the extra "i"), which made them realize it was not the official account.

Researchers from F-Secure investigated the case and announced they found multiple such accounts, with misspelled names, targeting visa applicants in several other countries as well.

Crooks were spreading a new RAT called Qarallax

F-Secure says that when they analyzed the malicious Java file, they found it to contain never-before-seen malware, a RAT (Remote Access Trojan) that granted attackers access to the victim's computer.

Researchers named the malware Qarallax RAT because it was connecting to a C&C (command and control) server with an IP that resolved to the qarallax.com domain.

The organization that registered the domain was named QUAverse, which led researchers to believe that this malware is somehow related to the Quaverse RAT discovered in May 2015, also coded in Java.

Taking a look at the RAT's internal functions, researchers found a rebranded version of the LaZagne password dumping application, but also some unique features.

These included the ability to capture mouse cursor movements, mouse clicks, and keystrokes, and to take webcam snapshots or record webcam videos.

Qarallax RAT available for sale on the Internet

Just like the Quaverse RAT, the Qarallax RAT was also available for sale online. Qarallax's price ranges from $22 to $900, depending on the period for which the buyer wants to rent the service. It's worth noting that this is within the normal price range for such services.

Because the tool was rented out, it may not be accurate to say that the campaign against US visa applicants is the work of Turkish hackers who speak Arabic, as clues in Qarallax's source code might lead one to believe.

Taking an interest in people who might want to leave a country sounds like something various oppressive governments would do, as they are known to buy surveillance software from all kinds of sources.

Qarallax RAT user interface