| QWERTY | |
| --- | --- |
| Type of Malware | Infostealer |
| Country of Origin | Malaysia |
| Date of Initial Activity | 2024 |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Type of Information Stolen | System Information |
| Targeted Systems | Windows |
Overview
The QWERTY Info Stealer is an information-stealing malware family that came to attention in 2024 for its data exfiltration and anti-analysis behaviour. It was identified through its association with the domain mailservicess[.]com, which is hosted on a Linux-based Virtual Private Server (VPS) in Frankfurt, Germany. The sample runs several anti-debugging checks to hinder reverse engineering and then executes a series of data-gathering routines, from system information collection to the indexing and extraction of files, making it a threat to both individuals and organizations.
Targets
Individuals
How they operate
Upon execution, QWERTY Info Stealer first checks whether it is running under a debugger or in an analysis environment, using two Windows API calls. The first calls IsProcessorFeaturePresent() with PF_FASTFAIL_AVAILABLE, which reports whether the system supports the __fastfail mechanism; if the feature is not present, the malware terminates, the reasoning being that its absence can indicate an emulated or sandboxed environment. A caveat for analysts: the same call is emitted by the Visual C++ runtime's stack-cookie failure handler (__report_gsfailure), so it appears in almost every MSVC-compiled binary and is, on its own, weak evidence of deliberate anti-analysis. The second check calls IsDebuggerPresent(), which reads the BeingDebugged flag in the Process Environment Block (PEB) and returns non-zero when a user-mode debugger is attached; because that flag lives in the process's own memory, an analyst can clear it (or use a debugger plugin that hides it) to pass the check. Together these measures are intended to frustrate sandboxes and researchers so the malware can operate unobserved for longer.
Once the malware has satisfied itself that no analysis tools are present, it begins its data collection phase. It gathers system information, including the computer name, the current user name and the network adapter configuration, by calling Windows APIs such as GetComputerNameA(), GetUserNameA() and GetAdaptersInfo() (the last returning adapter names, MAC addresses and IP configuration). The retrieved data is written to directories the malware creates, typically under the AppData folder, a common location for malware to hide its files. This is typical of information-stealing malware: it gives the attacker an inventory of the infected machine that can be used to plan further exploitation.
As the malware progresses, it indexes all files on the compromised system, scanning directories for documents, credentials and other data of interest. Because the index covers everything rather than a predefined list of file types, the attacker can select valuable files from it after the fact. Once the files are indexed, QWERTY Info Stealer packages them into a format suitable for transmission to the C2 server.
Exfiltration is one of the most important aspects of QWERTY Info Stealer's operation. Collected data is sent to the C2 server in HTTP POST requests, and the malware embeds a fixed keyword, "qwerty", in these HTTP calls to distinguish its exfiltrated data from other traffic. Because the traffic is ordinary HTTP POST, it blends with normal web browsing and is not caught by controls that only watch non-web protocols or unusual ports. The hard-coded domain and the fixed "qwerty" marker are, however, straightforward network indicators for defenders.
QWERTY Info Stealer also downloads secondary payloads during execution. These payloads, named in.exe and up.exe, extend the malware's capabilities and may be used to escalate privileges, collect more information or carry out other malicious activity. They are fetched from the same domain and executed to further entrench the malware on the infected system. Downloading and executing secondary payloads is common among mature malware families, since it lets attackers add functionality without modifying the original loader.
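A detection example for the network behaviour described in the two paragraphs above (added here; this is not code from the original analysis). It runs over constructed, tab-separated HTTP request records and flags POSTs to the C2 domain, bare occurrences of the "qwerty" marker, and downloads of in.exe / up.exe from the same host. The log layout, sample addresses and timestamps are invented for the demo, and because the analysis does not say where in the request the marker sits, both the URI and an optional captured body prefix are checked:

```python
"""Flag HTTP requests matching the QWERTY Info Stealer traffic described above.

Constructed example: the record layout (tab-separated ts, src, method, host,
uri, optional body_prefix) is invented here; map the fields to your own
proxy or Zeek http.log export. The domain, the "qwerty" marker and the
payload names come from the analysis; the marker's exact position in the
request is not given there, so URI and body prefix are both checked.
"""
from dataclasses import dataclass

C2_DOMAIN = "mailservicess.com"       # from the analysis (defanged there as mailservicess[.]com)
EXFIL_MARKER = "qwerty"               # keyword the stealer embeds in its HTTP calls
PAYLOAD_NAMES = {"in.exe", "up.exe"}  # secondary payloads fetched from the same domain


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    kind: str       # exfil | exfil_marker_only | payload_download | c2_contact
    severity: str   # high | medium
    detail: str


def parse_line(line):
    """Split one constructed record; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 5:
        return None
    ts, src, method, host, uri = parts[:5]
    body = parts[5] if len(parts) > 5 else ""
    return ts, src, method.upper(), host.lower().rstrip("."), uri, body


def classify(ts, src, method, host, uri, body):
    is_c2 = host == C2_DOMAIN or host.endswith("." + C2_DOMAIN)
    filename = uri.split("?", 1)[0].rsplit("/", 1)[-1].lower()
    marker = EXFIL_MARKER in uri.lower() or EXFIL_MARKER in body.lower()
    if method == "POST" and is_c2:
        return Alert(ts, src, "exfil", "high", f"POST {host}{uri}")
    if method == "POST" and marker:
        # The keyword alone is a weak signal ("qwerty" is an ordinary token),
        # so it is reported at lower severity for analyst review.
        return Alert(ts, src, "exfil_marker_only", "medium", f"POST {host}{uri}")
    if is_c2 and filename in PAYLOAD_NAMES:
        return Alert(ts, src, "payload_download", "high", f"{method} {host}{uri}")
    if is_c2:
        return Alert(ts, src, "c2_contact", "medium", f"{method} {host}{uri}")
    return None


def detect(log_lines):
    """Return alerts in log order, skipping lines that do not parse."""
    alerts = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = classify(*rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample traffic for the demo; not real telemetry.
SAMPLE_LOG = [
    "2024-06-01T10:00:01Z\t10.0.0.5\tGET\twww.example.com\t/index.html",
    "2024-06-01T10:00:07Z\t10.0.0.5\tPOST\tmailservicess.com\t/upload.php\tqwerty=DESKTOP-1234|user",
    "2024-06-01T10:00:09Z\t10.0.0.5\tGET\tmailservicess.com\t/in.exe",
    "2024-06-01T10:00:10Z\t10.0.0.5\tGET\tmailservicess.com\t/up.exe?v=2",
    "2024-06-01T10:01:00Z\t10.0.0.7\tPOST\tcdn.example.net\t/api/qwerty/layout",  # marker, unrelated host
    "2024-06-01T10:02:00Z\t10.0.0.9\tPOST\tintranet.corp\t/forms/submit\tname=bob",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a.severity, a.kind, a.ts, a.src, a.detail)
```

The tiering matters: a POST to the known domain is high confidence regardless of payload, while the keyword on its own only earns a medium-severity review item, which avoids alerting on every unrelated URL that happens to contain "qwerty".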
The malware also creates directories on the infected system in which it stages telemetry data. This data, which includes detailed system information, network configuration and user data, is collected repeatedly and written to text files, so the staged material is kept current for the next exfiltration. Note that creating these directories does not by itself give the malware persistence across reboots; no specific autostart mechanism is documented in this analysis. The continuous collection does mean that, for as long as the process is running, QWERTY Info Stealer remains an ongoing threat to affected systems.
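A host-side hunt for the locally staged telemetry described in the collection and staging paragraphs above (an added example, not code from the original analysis). The analysis names the location (AppData) and the content (computer name, user name, adapter configuration) but not the file or directory names, so the hunt is content-based: it walks a directory tree and scores small text files on whether they contain this host's own identifiers, the very values GetComputerNameA(), GetUserNameA() and GetAdaptersInfo() return. The sample files, identifiers and scoring weights are constructed for the demo:

```python
"""Hunt for locally staged infostealer telemetry under %APPDATA% / %LOCALAPPDATA%.

Added example. File and directory names used by the stealer are not given in
the analysis, so files are scored on content: this host's computer name,
user name, MAC addresses and IPv4 addresses. Scoring weights and the
constructed sample directory are assumptions made for the demo.
"""
import getpass
import os
import re
import socket
import tempfile
import time
from dataclasses import dataclass, field

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAX_BYTES = 1_000_000  # staged telemetry is small text; skip large files

# Constructed identifiers for the demo; host_identifiers() reads the real ones.
CONSTRUCTED_IDENTS = {"computer_name": "DESKTOP-1234", "user_name": "alice"}


@dataclass
class Hit:
    path: str
    score: int
    reasons: list = field(default_factory=list)


def host_identifiers():
    """Identifiers an infostealer would write about *this* machine."""
    return {"computer_name": socket.gethostname(), "user_name": getpass.getuser()}


def score_text(text, idents):
    """Score one text blob; returns (score, reasons)."""
    score, reasons = 0, []
    low = text.lower()
    if idents.get("computer_name") and idents["computer_name"].lower() in low:
        score += 3
        reasons.append("computer name")
    if idents.get("user_name") and idents["user_name"].lower() in low:
        score += 2
        reasons.append("user name")
    macs = MAC_RE.findall(text)
    if macs:
        score += 2
        reasons.append(f"{len(macs)} MAC address(es)")
    ips = IPV4_RE.findall(text)
    if len(ips) >= 2:  # adapter + gateway is the usual minimum
        score += 1
        reasons.append(f"{len(ips)} IPv4 address(es)")
    return score, reasons


def hunt(roots, idents, max_age_hours=None, min_score=4):
    """Walk roots, score readable text files, return hits sorted by score."""
    cutoff = time.time() - max_age_hours * 3600 if max_age_hours else None
    hits = []
    for root in roots:
        for dirpath, _, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.stat(path)
                    if st.st_size > MAX_BYTES or (cutoff and st.st_mtime < cutoff):
                        continue
                    with open(path, "rb") as f:
                        data = f.read()
                except OSError:
                    continue
                if b"\x00" in data:  # binary; the stealer writes plain text
                    continue
                score, reasons = score_text(data.decode("utf-8", "replace"), idents)
                if score >= min_score:
                    hits.append(Hit(path, score, reasons))
    return sorted(hits, key=lambda h: -h.score)


def default_roots():
    return [p for p in (os.environ.get("APPDATA"), os.environ.get("LOCALAPPDATA")) if p]


def make_constructed_sample():
    """Create a throwaway tree of constructed files: staged telemetry, a benign
    note, a binary blob and a file that mentions only the user name."""
    root = tempfile.mkdtemp(prefix="qwerty_hunt_")
    staged = os.path.join(root, "Roaming", "svc", "data")
    os.makedirs(staged)
    with open(os.path.join(staged, "sysinfo.txt"), "w", encoding="utf-8") as f:
        f.write("Computer: DESKTOP-1234\nUser: alice\n"
                "Adapter: Ethernet 00-11-22-33-44-55 10.0.0.5 gw 10.0.0.1\n")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as f:
        f.write("grocery list: milk, eggs\n")
    with open(os.path.join(root, "blob.bin"), "wb") as f:
        f.write(b"MZ\x00\x00DESKTOP-1234 alice 00-11-22-33-44-55")
    with open(os.path.join(root, "chat.log"), "w", encoding="utf-8") as f:
        f.write("alice: see you tomorrow\n")
    return root


if __name__ == "__main__":
    roots = default_roots() or [make_constructed_sample()]
    for h in hunt(roots, host_identifiers(), max_age_hours=72):
        print(h.score, h.path, ", ".join(h.reasons))
```

Run it on a suspect host with the real identifiers and a recent time window; the score threshold keeps ordinary files that merely mention the user out of the results, while a single text file combining host name, user name and adapter addresses is exactly the staged telemetry the analysis describes.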
MITRE Tactics and Techniques
Initial Access (T1566 – Phishing):
The stated attack vector is phishing, which lures the victim into obtaining the malicious executable hosted on mailservicess[.]com. Delivery of the executable over HTTP is Ingress Tool Transfer (T1105); T1071 (Application Layer Protocol) is a Command and Control technique, not an Initial Access one, so it is not the right mapping here.
Execution (T1204.002 – User Execution: Malicious File):
The victim runs the downloaded Windows executable (i.exe), relying on their trust in an apparently legitimate file. No client-side exploit is described, so T1203 (Exploitation for Client Execution) does not apply.
Persistence (not confirmed):
Creating directories to store collected data is local data staging, not a persistence mechanism. The analysis does not document an autostart entry, scheduled task or service; if one were found it would map to T1547 (Boot or Logon Autostart Execution) or T1053 (Scheduled Task/Job), but neither is supported by the observed behaviour.
Privilege Escalation (not observed):
Collecting usernames and the operating system version is Discovery, not privilege escalation, and the analysis details no elevation method. T1543 (Create or Modify System Process) is therefore not supported; the secondary payloads in.exe and up.exe might add such capability, but that is not shown.
Defense Evasion (T1622 – Debugger Evasion; T1497 – Virtualization/Sandbox Evasion):
The IsDebuggerPresent() call is a textbook T1622 check, and the exit on a failed IsProcessorFeaturePresent() check is treated by the analysis as a sandbox test (T1497). Both are meant to avoid security analysis so the malware can continue undetected. T1071 is a Command and Control technique and T1086 (PowerShell, since merged into T1059.001) is irrelevant here: no PowerShell or scripting use is described.
Discovery (T1082 – System Information Discovery; T1033 – System Owner/User Discovery; T1016 – System Network Configuration Discovery):
GetComputerNameA(), GetUserNameA() and GetAdaptersInfo() return the host name, the current user name and the adapter and IP configuration. These are identifiers rather than credentials, so OS Credential Dumping (T1003) is not the right mapping; the data can still support follow-on attacks.
Discovery (T1083 – File and Directory Discovery):
QWERTY Info Stealer indexes all files on the compromised system, scanning the file system for sensitive data and potential exfiltration targets. This behavior corresponds to T1083, which involves discovering files and directories that could contain valuable information for the attacker.
Collection (T1119 – Automated Collection; T1005 – Data from Local System; T1074.001 – Local Data Staging):
The malware automatically gathers system and telemetry information and files of interest from the local file system, writes them to text files in directories it creates under AppData, and keeps them staged there for exfiltration.
Command and Control (T1071.001 – Application Layer Protocol: Web Protocols; T1105 – Ingress Tool Transfer) and Exfiltration (T1041 – Exfiltration Over C2 Channel):
QWERTY Info Stealer sends stolen data to its C2 server in HTTP POST requests tagged with the "qwerty" keyword, and downloads the secondary payloads in.exe and up.exe from the same server. The analysis describes plain HTTP and gives no evidence that the data is encrypted, so encryption should not be assumed.
Impact (none observed):
The malware does not encrypt or destroy data, so T1486 (Data Encrypted for Impact) does not apply. The harm is the downstream misuse of the stolen data, which is a consequence of exfiltration rather than an ATT&CK Impact technique of the malware itself.