Skype users watch out for the latest malware campaign in which criminals act as US officials offering to help people looking to get visas for the US.
Skype is widely used chatting application that provides video chat and voice call services. Sometimes, crooks use it to run scams but this time, researchers have exposed a sophisticated malware campaign targeting innocent Skype users in which the main aim is to steal their private data. The details of this new scam were revealed in an F-Secure’s blog post by Frederic Vila.
Until now, we have seen Skype being used as a potential platform for distributing adware but for the first time we are witnessing this very popular app for sending out malware.
Researchers reveal that targeted users are travellers, including Swiss nationals, trying to figure out the visa requirements for visiting the United States. The scam campaign heavily makes use of the popular communication and video calling application Skype.
Reportedly, cybercriminals are utilizing the malicious Qarallax RAT or QRAT and Skype is being used as a tool for distributing this malware. These criminals act as US officials offering to help people looking to get visas for the US.
Vila stated that this software is around 6 months old. The team discovered it while it was available for renting on the internet’s underworld marketplace the Dark Web. The asking price for renting out this malicious software for five days was only $22 while there was an option of leasing it for a whole year for just $900.
How does the malware works?
What happens is that when a Skype user searches for finding out more information about application requirements of US visa, various links start popping up apart from the authentic platform to contact UStraveldocs-Switzerland. These other links also appear genuine but in reality, these are merely distributors of malware because users can confuse them as ustraveldocs-Switzerland and the ‘i’ present in the middle leads to the fake Skype account. The malicious code containing file is actually a Java application, which runs on operating systems through the Java Runtime Environment.
When the malware gets downloaded on the targeted computer, it can easily store keystrokes, clicks and mouse movements along with taking control of the webcam.
In fact, researchers at F-Secure also identified a copy of another open source malware application called LaZagne to be stored on the same server on which QRAT was stored. This means the scammers had plans of bundling these two malware together to be able to steal passwords by compromising the Wi-Fi network used by the victim, chat apps, email programs and/or browsers.
The origin of this latest campaign is debated as of now but Vila has hinted about its possible perpetrators in his blog. Vila wrote:
“It is Arabic in origin with the strings ‘Allah’ and ‘hemze’ found obfuscated within the body. The IP address 95.211.141[.]215 is located in Netherlands but the domain QARALLAX[.]COM has WHOIS history linking it to Turkey.”
The company has so far found 21 Skype accounts that start with ustraveldocs, which indicates that cybercriminals are trying pretty hard to lure unsuspecting travellers from these countries. However, Vila did not confirm this piece of information in his blog.