QWERTY Data Theft Tool – CYFIRMA

The report analyzes the QWERTY Info Stealer malware, hosted on a Linux-based VPS in Frankfurt, Germany, and highlights its anti-debugging and extensive data-exfiltration capabilities. It downloads additional payloads and exfiltrates collected data to a C2 server via HTTP POST requests.

Keypoints

  • The malware ‘QWERTY Stealer’ is hosted on the domain mailservicess[.]com.
  • It downloads from URL hxxps://mailservicess[.]com/res/data/i.exe.
  • It is hosted on a Linux-based VPS in Frankfurt, Germany.
  • The malware uses multiple anti-debugging techniques.
  • It creates directories to store collected data and telemetry.
  • It gathers system information and Internet Explorer data.
  • It downloads and executes additional payloads named in.exe and up.exe.
  • It indexes all files in a system and uploads them to the C2 server.
  • The malware uses the keyword ‘qwerty’ in HTTP calls during exfiltration.

MITRE Techniques

  • [T1041] Exfiltration Over C2 Channel – Uses HTTP POST requests to send collected data to the C2 server.
  • [T1071.001] Web Protocols – Communicates with the C2 server to download additional payloads.
  • [T1086] Anti-Debugging – Employs techniques to check for the presence of debuggers using Windows API functions.
  • [T1083] File and Directory Discovery – Indexes files on the system before exfiltration.

Indicators of Compromise

  • [Domain] mailservicess[.]com – domain hosting the malware sample.
  • [URL] hxxps://mailservicess[.]com/res/data/i.exe – payload download URL.
  • [IP] 194.5.212.74 – Linux-based VPS server in Frankfurt, Germany.
  • [SHA256] 369d8855d2531dce55d046735ff9a26ee4441f3f4509aad35f570c0a0b567c5d, e70f64a374e1784942c771940f07f08cdee78144f2135bf1665557d1fcee0f16 – sample hashes for i.exe and index.exe.
  • [File name] i.exe, index.exe – downloaded/executed payloads.
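A quick way to put the indicators above to work is to sweep HTTP proxy logs for contact with the hosting infrastructure, downloads of the named payloads, and POST requests carrying the ‘qwerty’ keyword. The script below is an added example, not part of the CYFIRMA report; it assumes a simple constructed log format of "<time> <client> <method> <url> <status>" and uses only the indicators listed on this page.

```python
"""Sweep constructed proxy log lines for the QWERTY stealer indicators on this page:
the hosting domain/IP, the payload names, and the 'qwerty' keyword in POST requests."""
from urllib.parse import urlparse

# Indicators from the report summary, re-armed from their defanged form so they
# compare against real log fields.
IOC_HOSTS = {"mailservicess.com", "194.5.212.74"}
PAYLOAD_NAMES = {"i.exe", "in.exe", "up.exe", "index.exe"}
EXFIL_KEYWORD = "qwerty"

# Constructed sample lines (not real traffic): "<time> <client> <method> <url> <status>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://example.org/index.html 200
2024-05-01T10:00:07Z 10.0.0.5 GET https://mailservicess.com/res/data/i.exe 200
2024-05-01T10:00:09Z 10.0.0.5 GET https://mailservicess.com/res/data/in.exe 200
2024-05-01T10:01:30Z 10.0.0.5 POST https://194.5.212.74/upload?qwerty=1 200
2024-05-01T10:02:00Z 10.0.0.7 POST https://cdn.example.net/api/qwerty 200
2024-05-01T10:02:05Z 10.0.0.7 GET https://updates.example.net/up.exe 200
"""

def classify(line):
    """Return the list of reasons a log line is suspicious, or [] if clean."""
    parts = line.split()
    if len(parts) < 5:
        return []
    method, url = parts[2], parts[3]
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host in IOC_HOSTS:
        reasons.append("ioc-host")          # any contact with the hosting infrastructure
    if filename in PAYLOAD_NAMES and host in IOC_HOSTS:
        reasons.append("payload-download")  # named payload fetched from the IoC host only
    if method == "POST" and EXFIL_KEYWORD in url.lower():
        reasons.append("qwerty-post")       # exfiltration pattern; weaker signal off the IoC hosts
    return reasons

def sweep(log_text):
    """Map each client IP to the set of detection reasons observed for it."""
    hits = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.setdefault(line.split()[1], set()).update(reasons)
    return hits

if __name__ == "__main__":
    for client, reasons in sweep(SAMPLE_LOG).items():
        print(client, sorted(reasons))
```

A POST with ‘qwerty’ to a host outside the indicator list is reported separately so it can be triaged with lower confidence rather than silently merged with confirmed C2 contact.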

Read more: https://www.cyfirma.com/research/qwerty-information-stealer/