QWERTY Info Stealer Threatens Windows Security

Lilu Anderson
Photo: Finoracle.net

The Emergence of QWERTY Info Stealer

A new malware strain known as "QWERTY Info Stealer" has emerged, posing a significant threat to Windows systems. This malicious software is designed with advanced anti-debugging techniques and capabilities to extract sensitive data, making it a formidable adversary for individuals and organizations.

QWERTY Info Stealer is hosted on the domain mailservicess[.]com, a Linux-based server located in Frankfurt, Germany. This server operates on Ubuntu Linux 20.04 with minimal services exposed, notably an SSH service on port 6579.

Anti-Debugging Techniques

The malware utilizes sophisticated anti-debugging strategies to avoid detection by security professionals. Upon execution, QWERTY Info Stealer checks for debugging tools using Windows API functions like IsProcessorFeaturePresent() and IsDebuggerPresent(). It also uses the obscure __CheckForDebuggerJustMyCode function, an uncommon technique in usual applications, to terminate itself if a debugging environment is detected.

Example: If a security analyst tries to study the malware's behavior using a debugger, the malware can detect this and stop running, making it difficult to analyze.

Data Collection and Exfiltration

Once QWERTY Info Stealer passes the anti-debugging checks, it begins its data collection process. It creates directories on the infected system, such as C:\Users\AppData\Roaming\TestLog\, to store data it gathers, including system information like the computer name and user details via API calls such as GetComputerNameA() and GetUserNameA().

The malware targets and collects data from Internet Explorer, accessing browser files, history, and cookies. It then copies itself as "Systems.exe" into a directory and connects to its command and control (C2) servers to download additional harmful software.

Interaction with Command and Control Servers

QWERTY Info Stealer communicates with C2 servers to further its malicious activities. It downloads additional executables, which are executed to index system files and upload them to the C2 server using HTTP POST requests. The malware uses a unique keyword 'qwerty' in its HTTP communications, making its presence identifiable.

Implications and Security Measures

The advanced anti-debugging and data exfiltration capabilities of QWERTY Info Stealer underline the importance of robust cybersecurity measures. Organizations need to adopt vigilant security practices and sophisticated detection strategies to mitigate the risks posed by such threats.

Cybersecurity professionals should stay informed about the evolving tactics of cybercriminals and implement comprehensive security frameworks to protect critical assets and maintain system integrity. Understanding the technical details of threats like QWERTY Info Stealer allows organizations to better prepare and respond effectively to potential cyber attacks.

Share This Article
Lilu Anderson is a technology writer and analyst with over 12 years of experience in the tech industry. A graduate of Stanford University with a degree in Computer Science, Lilu specializes in emerging technologies, software development, and cybersecurity. Her work has been published in renowned tech publications such as Wired, TechCrunch, and Ars Technica. Lilu’s articles are known for their detailed research, clear articulation, and insightful analysis, making them valuable to readers seeking reliable and up-to-date information on technology trends. She actively stays abreast of the latest advancements and regularly participates in industry conferences and tech meetups. With a strong reputation for expertise, authoritativeness, and trustworthiness, Lilu Anderson continues to deliver high-quality content that helps readers understand and navigate the fast-paced world of technology.