A newly discovered remote access trojan (RAT), named QwixxRAT, is being openly marketed by its threat actor through popular platforms Telegram and Discord. This RAT, once implanted on Windows systems, silently gathers sensitive data, which is then funneled to the attacker’s Telegram bot, providing unauthorized access to victim information.
Uptycs, a cybersecurity company, revealed this intricate malware designed to meticulously extract various forms of data, including web history, bookmarks, cookies, credit card details, keystrokes, screenshots, and files with specific extensions. The trojan is available in both paid versions, priced at 150 rubles for weekly access and 500 rubles for a lifetime license, as well as a limited free version.
QwixxRAT operates on a C#-based binary and employs a range of anti-analysis mechanisms to ensure covert behavior and evade detection. These measures encompass a sleep function that introduces delays in execution, along with checks to identify if the malware is running within a sandbox or virtual environment. The RAT also monitors specific processes and temporarily ceases activity if it detects processes associated with analysis tools.
Notably, QwixxRAT includes a clipper function designed to discreetly access sensitive information copied to the clipboard, enabling illicit transfers from cryptocurrency wallets. The malware’s command-and-control operations are orchestrated through a Telegram bot, enabling the attacker to execute various commands, such as data collection, audio and webcam recordings, and remote shutdown or restart of infected systems. This discovery follows recent disclosures of other RAT strains, RevolutionRAT and Venom Control RAT, demonstrating the growing trend of cyber threats propagating through platforms like Telegram.
