QwixxRAT Malware Spread Through Messaging Platforms


A recently introduced remote access trojan (RAT) named QwixxRAT is being offered for sale by its operator on both Telegram and Discord.

Once installed on a victim's Windows machine, the RAT quietly collects sensitive information and sends it to an attacker-controlled Telegram bot, giving the operator access to the victim's confidential data, according to a recent report by Uptycs.

Uptycs, the cybersecurity firm that identified the malware earlier this month, said QwixxRAT is built to harvest a wide range of data: web browser histories, bookmarks, cookies, credit card details, keystrokes, screenshots, files of specific types, and data from applications such as Steam and Telegram.

The RAT sells for 150 rubles for a week of access or 500 rubles for a lifetime license; a limited free version is also offered.

Characteristics of QwixxRAT

Written in C#, QwixxRAT incorporates several anti-analysis mechanisms to stay covert and evade detection. These include a sleep function that delays execution and checks for whether it is running inside a sandbox or a virtualized environment.

The RAT also watches for a predefined list of analysis processes ("taskmgr," "processhacker," "netstat," "netmon," "tcpview," and "wireshark"). If any of them is found running, the RAT suspends its activity until that process exits. QwixxRAT further includes a clipper function that silently reads sensitive data copied to the clipboard, with the aim of enabling unauthorized transfers from cryptocurrency wallets.
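The two evasion and theft behaviours described in the preceding paragraphs (pausing while analysis tools run, and watching the clipboard for wallet addresses) are easiest to understand as a small offline simulation. The block below is an added example, not code from the QwixxRAT sample or from the Uptycs report: the process-name list is the one the article quotes, while the wallet-address patterns, the process snapshot and the clipboard strings are constructed assumptions. It never touches the real process list or clipboard; it also shows the defensive counterpart, a check that the address you paste is the one you copied.

```python
"""Offline simulation of an analysis-tool check and a clipboard clipper.

Added example (not QwixxRAT's code). Process names, clipboard text and
wallet addresses are constructed inline; nothing here reads the real
process list or clipboard.
"""
import re

# Process names the article says the RAT watches for (lower-case, no extension).
ANALYSIS_TOOLS = {"taskmgr", "processhacker", "netstat", "netmon", "tcpview", "wireshark"}

# Assumed address patterns for the clipper simulation: legacy/bech32 Bitcoin and Ethereum.
WALLET_PATTERNS = {
    "btc": re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b"),
    "eth": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}


def normalize(name):
    """'C:\\Tools\\ProcessHacker.exe' -> 'processhacker' (basename, lower-case, no .exe)."""
    name = name.lower().rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def analysis_tools_running(process_names):
    """Return the watched tools present in a process snapshot: the RAT's 'pause' trigger."""
    return sorted({normalize(p) for p in process_names} & ANALYSIS_TOOLS)


def find_wallet_addresses(text):
    """Return (chain, address) pairs found in clipboard text."""
    found = []
    for chain, pattern in WALLET_PATTERNS.items():
        found.extend((chain, m.group(0)) for m in pattern.finditer(text))
    return found


def clipper_swap(text, attacker_addresses):
    """Simulate the clipper: replace every detected address with the attacker's one for that chain."""
    for chain, pattern in WALLET_PATTERNS.items():
        if chain in attacker_addresses:
            text = pattern.sub(attacker_addresses[chain], text)
    return text


def clipboard_tampered(copied, pasted):
    """Defensive check: the addresses in what was copied must match what gets pasted."""
    return find_wallet_addresses(copied) != find_wallet_addresses(pasted)


if __name__ == "__main__":
    snapshot = ["explorer.exe", "C:\\Tools\\ProcessHacker.exe", "svchost.exe", "Wireshark.exe"]
    print("analysis tools seen:", analysis_tools_running(snapshot))

    copied = "send to 0xabababababababababababababababababababab please"
    swapped = clipper_swap(copied, {"eth": "0xcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcdcd"})
    print("clipboard tampered:", clipboard_tampered(copied, swapped))
```

The process check is deliberately case-insensitive and strips the path and extension, because that is how such lists are usually compared; renaming `wireshark.exe` to something else therefore defeats it, which is also why analysts often run tools under renamed binaries. The clipboard check is the one a wallet front end or a careful user can apply: re-read the address after pasting and refuse the transaction if it differs from the one copied.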

Command-and-control (C2) communication goes through a Telegram bot. Over this channel the operator can send commands for further collection, including audio and webcam recording, and can even remotely shut down or restart the infected host.

The disclosure of QwixxRAT comes shortly after Cyberint described two other RAT variants, RevolutionRAT and Venom Control RAT, which are likewise advertised on Telegram channels and offer data exfiltration and command-and-control features.

It also follows the identification of an ongoing campaign that uses compromised websites to serve a fake Chrome browser update. The update lure, delivered through malicious JavaScript, tricks victims into installing the remote administration tool NetSupport Manager RAT. Although the fake-browser-update tactic resembles SocGholish (also known as FakeUpdates), there is no conclusive evidence linking the two activities.

August 15, 2023