A newly identified malware strain, “QWERTY Info Stealer,” is posing a significant threat to Windows systems by leveraging advanced anti-debugging techniques and robust data exfiltration methods. The malware was discovered on a publicly accessible Linux-based server with the domain mailservicess[.]com, which is hosted on an Ubuntu Linux 20.04 server in Frankfurt, Germany. The malware is delivered via a download from the URL hxxps://mailservicess[.]com/res/data/i.exe, and it employs a range of sophisticated anti-debugging techniques to evade detection by security researchers.
QWERTY Info Stealer uses several strategies to avoid analysis, including checks for debuggers through common Windows API functions such as IsProcessorFeaturePresent() and IsDebuggerPresent(), as well as less commonly used functions like __CheckForDebuggerJustMyCode. These techniques allow the malware to detect if it is being analyzed and to terminate itself if a debugging environment is found, making it challenging for analysts to study its behavior.
Once installed, QWERTY Info Stealer begins collecting data from the infected system by creating directories to store collected information, such as C:\Users\AppData\Roaming\TestLog\ and C:\Users\user\AppData\Roaming\Intel. It gathers system telemetry and sensitive browser data, including history and cookies from Internet Explorer. The malware then connects to its Command and Control (C2) servers to download additional payloads and exfiltrate the collected data, with its HTTP requests containing the distinctive keyword ‘qwerty.’
The sophisticated nature of QWERTY Info Stealer underscores the evolving tactics of cybercriminals and the need for robust cybersecurity defenses. Its use of anti-debugging techniques and extensive data collection capabilities highlights the importance of advanced detection methods to safeguard systems and data. Organizations must stay vigilant and continuously update their security measures to protect against such advanced threats and mitigate the risks posed by malware like QWERTY Info Stealer.
Reference:
