A malware from an unknown person via Skype, posing as a US government official guiding applications through the said process is being received by the people who have applied for a US visa in Switzerland, according to Softpedia reporters. A file named “US Travel Docs Information.jar” is what is received by the user’s from this unknown person from Skype. However the Skype account contained a spelling mistake (ustravelidocs-switzerland, notice the extra “i”), and that made them realize it was not the official account.
Researchers from F-Secure investigated the case and analyzed the malicious Java file which was received by the users and have found it to be infected with never-before-seen malware, an RAT (Remote Access Trojan) that granted attackers access to the user’s computer. After analyzing at the RAT’s internal functions, they found a rebranded versions of the LaZagne password dumping application, but also some unique features. Which included the ability to capture mouse cursor movements, mouse clicks, keystrokes, take webcam snapshots or record webcam videos.
We found multiple such accounts, with misspelled names, targeting visa applicants in several other countries as well, according to F-Secure researchers.
Researchers named the malware Qarallax RAT because it was connecting to a C&C (command and control) server with an IP that resolved to the qarallax.com domain. The organization that registered the domain was named QUAverse, which led researchers to believe that this malware is somehow related to the Quaverse RAT discovered in May 2015. Below is the user interface of Qarallax RAT :
The Qarallax RAT was also available for sale online just like the Quaverse RAT. Qarallax’s price ranges from $22 to $900, depending on how long the buyer wants this service.