Remote Access Trojan: Mitigating Infection Risk of Unwanted Guests

QwixxRAT is a new remote access trojan distributed via Telegram and Discord that silently infiltrates Windows devices to steal data and enable remote control. It combines broad data exfiltration, keylogging, screen and clipboard capture, and extensive anti-analysis and persistence techniques, with Uptycs providing a detailed MITRE mapping and defensive guidance. #QwixxRAT #TelegramRAT

Keypoints

  • Discovered by Uptycs Threat Research in early August 2023; distributed through Telegram and Discord.
  • QwixxRAT quietly collects data ranging from browser histories and credit cards to keylogging and other sensitive info, exfiltrating via a Telegram bot for attacker access.
  • It uses Telegram-based command and control to avoid antivirus detection and remotely control infected machines.
  • The malware is a 32-bit C# binary with aliases such as “QwixxRat” and “TelegramRAT,” and it uses mutexes to prevent multiple instances.
  • Persistence and defense-evasion features include hidden files, scheduled tasks, privilege elevation, anti-analysis (Sandboxie/VirtualBox/Debugger), and sleep delays to thwart analysis.
  • AutoStealer capabilities cover desktop screenshots, browser credential theft, cookies, history, bookmarks, FTP/Discord/Telegram data, Steam data, and more, with exfiltration to a Telegram channel.
  • Uptycs XDR ships a YARA-based detection rule for QwixxRAT (Uptycs_QwixxRAT) and provides in-tool detection guidance for customers and third-party users.

MITRE Techniques

  • [T1071.001] Web Protocols – C2 via Telegram bot for command and control. ‘To avoid detection by antivirus software, the RAT employs command and control functionality through a Telegram bot.’
  • [T1041] Exfiltration Over C2 Channel – Data exfiltrated to the attacker’s Telegram bot. ‘the RAT silently collects sensitive data, which is then sent to the attacker’s Telegram bot.’
  • [T1564.001] Hide Artifacts – Concealing the console to remain covert. ‘As this is a CPU program, the threat actor conceals the console to remain covert.’
  • [T1497.003] Virtualization/Sandbox Evasion – Anti-analysis measures include Sandboxie, VirtualBox, and Debugger. ‘The threat actor employed three methods for anti-analysis purposes: Sandboxie, VirtualBox, and Debugger.’
  • [T1548.001] Abuse Elevation for Privileges – Privilege escalation by relaunching with admin rights via runas. ‘The code attempts to elevate the current application’s privileges to run with administrative rights by relaunching itself (Hidden Attribute) with the “runas” verb.’
  • [T1113] Screen Capture – Desktop screenshot capture and exfil via Telegram. ‘The code captures a screenshot of the desktop, saves it as a PNG image (screenshot.png), sends it to a Telegram bot.’
  • [T1115] Clipboard Data – Clipboard interaction to copy/set data. ‘ClipboardSet — This method is used to set the text (string) content on the clipboard.’
  • [T1056.001] Keylogging – Keystroke capture via a keyboard hook. ‘The code implements a keyboard hook callback function responsible for capturing keyboard events and logging them into a file.’
  • [T1082] System Information Discovery – Collecting system info during data gathering. ‘GetSystemVersion, MachineName, UserName, Current date and time’ in Computerinfo sections.
  • [T1057] Process Discovery – Monitoring running processes to detect security tools. ‘processList: Get process details’ and related checks.
  • [T1053.005] Scheduled Task – Persistence via scheduled task for the hidden RAT. ‘A scheduled task is created for the hidden file located at “C:UsersChromerat.exe”.’
  • [T1070.004] File Deletion – Self-destruct mechanism via batch script deleting the parent. ‘the executable file is deleted’ after conditions are met.
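The behaviours mapped above (Telegram-bot C2, self-relaunch for elevated rights, scheduled-task persistence, batch self-deletion) and the hash in the IoC list below can be turned into host-level detection logic. The following is an added example written for this summary; it is not the Uptycs_QwixxRAT YARA rule, not Uptycs code, and not the malware's code. The Sysmon-like event schema (dicts with `event`, `image`, `parent_image`, `command_line`, `md5`, `integrity_level`, `dest_host` fields), the set of processes treated as legitimate Telegram/GitHub clients, and the sample events are all assumptions made for the example; the MD5 and host names are taken from this page's IoC list.

```python
"""Detection sketch for QwixxRAT-style behaviour over constructed Sysmon-like events.

Added example, not Uptycs's Uptycs_QwixxRAT rule and not the malware's own code.
Event schema, the EXPECTED_CLIENTS allow-list and SAMPLE_EVENTS are assumptions;
QWIXXRAT_MD5 and IOC_HOSTS come from the summary's IoC list (refanged).
"""
from __future__ import annotations

# Indicators from the summary, refanged so they compare directly to log fields.
QWIXXRAT_MD5 = "46d6f885d323df5f00218da715239a7b"
IOC_HOSTS = {"api.telegram.org", "raw.githubusercontent.com", "api.mylnikov.org"}

# Processes for which a connection to these hosts is normally expected (assumption).
EXPECTED_CLIENTS = {"telegram.exe", "chrome.exe", "msedge.exe", "firefox.exe", "git.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (technique, reason) findings for one event; empty list if benign."""
    findings: list[tuple[str, str]] = []
    kind = ev.get("event")
    image = _basename(ev.get("image", ""))

    if kind == "NetworkConnect":
        host = ev.get("dest_host", "").lower()
        # T1071.001 / T1041: Telegram Bot API or payload host reached by an unexpected process.
        if host in IOC_HOSTS and image not in EXPECTED_CLIENTS:
            findings.append(("T1071.001", f"{image} connected to IoC host {host}"))

    elif kind == "ProcessCreate":
        cmd = ev.get("command_line", "").lower()
        parent = _basename(ev.get("parent_image", ""))
        # Direct hash match against the summary's MD5.
        if ev.get("md5", "").lower() == QWIXXRAT_MD5:
            findings.append(("IoC", f"{image} matches QwixxRAT MD5"))
        # T1548.001 (as mapped in the summary): the same binary relaunching itself
        # from Medium to High integrity, which is what a "runas" self-relaunch looks like.
        if (parent == image and ev.get("integrity_level") == "High"
                and ev.get("parent_integrity_level") == "Medium"):
            findings.append(("T1548.001", f"{image} relaunched itself with elevated rights"))
        # T1053.005: schtasks creating a task whose action is an executable under a user profile.
        if image == "schtasks.exe" and "/create" in cmd and "c:\\users\\" in cmd and ".exe" in cmd:
            findings.append(("T1053.005", "scheduled task created for an executable under C:\\Users"))
        # T1070.004: cmd.exe running a batch file that deletes an executable.
        if image == "cmd.exe" and ".bat" in cmd and "del " in cmd and ".exe" in cmd:
            findings.append(("T1070.004", "batch script deleting an executable"))
    return findings


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Run check_event over a stream of events and collect all findings."""
    out: list[tuple[str, str]] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


# Constructed sample events (not from any real incident); hash and hosts are the page's IoCs.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Users\victim\Downloads\invoice.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "invoice.exe",
     "md5": "46D6F885D323DF5F00218DA715239A7B",
     "integrity_level": "Medium", "parent_integrity_level": "Medium"},
    {"event": "ProcessCreate", "image": r"C:\Users\victim\Downloads\invoice.exe",
     "parent_image": r"C:\Users\victim\Downloads\invoice.exe", "command_line": "invoice.exe",
     "md5": "46D6F885D323DF5F00218DA715239A7B",
     "integrity_level": "High", "parent_integrity_level": "Medium"},
    {"event": "NetworkConnect", "image": r"C:\Users\victim\Downloads\invoice.exe",
     "dest_host": "api.telegram.org"},
    {"event": "NetworkConnect", "image": r"C:\Program Files\Telegram Desktop\Telegram.exe",
     "dest_host": "api.telegram.org"},
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Users\victim\Downloads\invoice.exe",
     "command_line": r'schtasks.exe /create /sc onlogon /tn Updater /tr "C:\Users\victim\AppData\Roaming\rat.exe"',
     "integrity_level": "High", "parent_integrity_level": "High"},
    {"event": "NetworkConnect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "raw.githubusercontent.com"},
]

if __name__ == "__main__":
    for technique, reason in scan(SAMPLE_EVENTS):
        print(technique, reason)
```

Run against the constructed events, `scan` flags the hash match on both launches of the sample binary, the Medium-to-High self-relaunch, the non-client connection to api.telegram.org, and the schtasks persistence, while leaving the real Telegram client and Chrome's GitHub fetch alone. The allow-list approach is deliberate: api.telegram.org is a legitimate destination for many hosts, so the signal is the process making the connection rather than the host alone.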

Indicators of Compromise

  • [File name] QwixxRAT.exe – QwixxRAT.exe (MD5: 46d6f885d323df5f00218da715239a7b)
  • [URL] Exfil/C2 endpoints – https[:]//raw.githubusercontent[.]com/tedburke[.]commandCam/master[.]commandCam[.]exe, https[:]//raw.githubusercontent[.]com/LimerBoy/hackpy/master/modules/audio[.]zip, https[:]//api.telegram.org/
  • [URL] Additional payloads – https[:]//raw.githubusercontent[.]com/LimerBoy/ToxicEye/master/TelegramRAT/TelegramRAT/core/libs/AudioSwitcher.AudioApi[.]dll
  • [URL] Geolocation query – https[:]//api[.]mylnikov[.]org/geolocation/wifi?bssid=
  • [URL] Misc host used for tests – google[.]com

Read more: https://www.uptycs.com/blog/remote-access-trojan-qwixx-telegram