New QwixxRAT Trojan Spreads Through Messaging Apps

Written by

A new cybersecurity threat known as QwixxRAT, a Remote Access Trojan (RAT), was discovered by the Uptycs Threat Research team in early August 2023.

According to an advisory published by the team on Monday, QwixxRAT has caught attention due to its unusual distribution method. The threat actor behind it is spreading the malicious tool through popular communication platforms, Telegram and Discord.

Once it gains access to a victim’s Windows-based machine, QwixxRAT discreetly collects sensitive data, sending it to the attacker’s Telegram bot.

“Beyond mere data theft, QwixxRAT wields formidable remote administrative tools, enabling attackers to control victim devices, launch commands and even destabilize systems,” the Uptycs Threat Research explained.

To evade detection, the RAT employs a Telegram bot for command-and-control functionalities. This also allows the attacker to remotely manage the RAT and execute operations without triggering antivirus alarms.

Read more on Telegram bots: Telegram Bot Abuse For Phishing Increased By 800% in 2022

QwixxRAT’s impact is global, as its reach has been observed in evaluations of compromised systems worldwide. 

“Its presence became notably alarming in recent evaluations of compromised systems, hinting at its potential rise. While its origin and primary target zones remain under investigation, the Trojan’s reach seems global, leaving no user truly safe,” reads the Uptycs advisory.

What’s particularly troubling is QwixxRAT’s intricate design, which allows it to collect a wide range of data, from browser histories to credit card details and even includes keylogging capabilities.

From a technical standpoint, the RAT file is a C# compiled binary, functioning as a 32-bit executable file designed for CPU operations.

“The threat actor employed two distinct names for the same Remote Access Trojan (RAT). One alias used was ‘Qwixx Rat,’ while the other was identified as ‘TelegramRAT,’” reads the technical write-up. “The main function consists of a total of 19 individual functions, each serving a unique purpose.”

The team also discovered a configuration function in the RAT, which governs its actions on the target machine. This function encompasses a range of values, including booleans, file extensions and other data types, dictating the RAT’s behavior and adjustments in response to these values.

Experts recommend immediate action to counter this threat. Some of the recommended precautions are to regularly monitor bank and credit card statements for unauthorized transactions, use strong and unique passwords, enable two-factor authentication and stay cautious about unsolicited emails.

What’s hot on Infosecurity Magazine?