The Emergence of QWERTY Info Stealer
A new malware strain known as "QWERTY Info Stealer" has emerged, posing a significant threat to Windows systems. This malicious software is designed with advanced anti-debugging techniques and capabilities to extract sensitive data, making it a formidable adversary for individuals and organizations.
QWERTY Info Stealer is hosted on the domain mailservicess[.]com, a Linux-based server located in Frankfurt, Germany. This server operates on Ubuntu Linux 20.04 with minimal services exposed, notably an SSH service on port 6579.
Anti-Debugging Techniques
The malware utilizes sophisticated anti-debugging strategies to avoid detection by security professionals. Upon execution, QWERTY Info Stealer checks for debugging tools using Windows API functions like IsProcessorFeaturePresent() and IsDebuggerPresent(). It also uses the obscure __CheckForDebuggerJustMyCode function, an uncommon technique in usual applications, to terminate itself if a debugging environment is detected.
Example: If a security analyst tries to study the malware's behavior using a debugger, the malware can detect this and stop running, making it difficult to analyze.
Data Collection and Exfiltration
Once QWERTY Info Stealer passes the anti-debugging checks, it begins its data collection process. It creates directories on the infected system, such as C:\Users\AppData\Roaming\TestLog\, to store data it gathers, including system information like the computer name and user details via API calls such as GetComputerNameA() and GetUserNameA().
The malware targets and collects data from Internet Explorer, accessing browser files, history, and cookies. It then copies itself as "Systems.exe" into a directory and connects to its command and control (C2) servers to download additional harmful software.
Interaction with Command and Control Servers
QWERTY Info Stealer communicates with C2 servers to further its malicious activities. It downloads additional executables, which are executed to index system files and upload them to the C2 server using HTTP POST requests. The malware uses a unique keyword 'qwerty' in its HTTP communications, making its presence identifiable.
Implications and Security Measures
The advanced anti-debugging and data exfiltration capabilities of QWERTY Info Stealer underline the importance of robust cybersecurity measures. Organizations need to adopt vigilant security practices and sophisticated detection strategies to mitigate the risks posed by such threats.
Cybersecurity professionals should stay informed about the evolving tactics of cybercriminals and implement comprehensive security frameworks to protect critical assets and maintain system integrity. Understanding the technical details of threats like QWERTY Info Stealer allows organizations to better prepare and respond effectively to potential cyber attacks.
