A new malware strain known as “QWERTY Info Stealer” has emerged. It targets Windows systems with advanced anti-debugging techniques and data exfiltration capabilities.
This malware is hosted on the domain mailservicess[.]com, represents a significant threat to individuals and organizations.
Our comprehensive analysis illuminates its technical aspects, including its anti-debugging strategies, data collection methods, and interaction with Command and Control (C2) servers.
The Origin of QWERTY Info Stealer
The QWERTY Info Stealer was discovered on a publicly indexed web server with the domain mailservicess[.]com, hosted on a Linux-based virtual private server in Frankfurt, Germany.
The server, identified as running Ubuntu Linux 20.04, had limited services exposed, with only the SSH service running on port 6579.
This malware downloads from the URL hxxps://mailservicess[.]com/res/data/i.exe and uses sophisticated anti-debugging techniques to evade detection.
Anti-Debugging Techniques
According to the Cyfirma report, QWERTY Info Stealer employs multiple anti-debugging strategies to avoid analysis and detection by security researchers.
Upon execution, it checks for the presence of a debugger using Windows API functions, such as IsProcessorFeaturePresent() and IsDebuggerPresent().
Additionally, it utilizes the lesser-known __CheckForDebuggerJustMyCode function, which is not widely documented or commonly used in standard applications.
These techniques are designed to terminate the malware if a debugging environment is detected, making it challenging for analysts to study its behavior.
Free Webinar on Detecting & Blocking Supply Chain Attack -> Book your Spot
Data Collection and Exfiltration
Once the anti-debugging checks are complete, QWERTY Info Stealer begins its data collection process. It creates directories on the infected system to store collected data and telemetry, such as C:UsersAppDataRoamingTestLog and C:UsersuserAppDataRoamingIntel.
The malware gathers system information using various API calls, including GetComputerNameA(), GetAdaptersInfo(), GetVersionExA(), and GetUserNameA().
The malware also targets Internet Explorer data, accessing sensitive web browser files, history, and cookies. It copies itself with the name “Systems.exe” into the directory C:UsersAppDataRoamingMozilla and connects to its C2 URLs to download additional payloads for further execution.
Interaction with Command and Control Servers
QWERTY Info Stealer communicates with its C2 servers to download additional executables, such as in.exe and up.exe, which are saved as “index.exe” and “upload.exe” in the directory C:UsersAppDataRoamingintel.
These executables are then executed to index all files on the system and upload them to the C2 server using HTTP POST requests. The malware uses the keyword ‘qwerty’ in HTTP calls during exfiltration, highlighting its unique signature.
The QWERTY Info Stealer is a sophisticated malware that poses a significant threat to Windows systems. Its advanced anti-debugging techniques and extensive data exfiltration capabilities make it a formidable adversary in the cybersecurity landscape.
The malware’s ability to collect system telemetry and browser data and perform file indexing underscores the importance of continued vigilance and advanced detection strategies to mitigate the risks associated with such threats.
Cybersecurity professionals must stay informed about the latest threats and employ robust security measures to protect systems and data from malicious actors.
The QWERTY Info Stealer is a stark reminder of cybercriminals’ evolving tactics and the need for constant adaptation in the fight against malware.
By understanding the technical intricacies of threats like QWERTY Info Stealer, organizations can better prepare and respond to potential attacks, safeguarding their critical assets and maintaining the integrity of their information systems.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access