Date: 2023-08-15

A new remote access Trojan (RAT) called QwixxRAT is being sold by a threat actor on Telegram and Discord. Once installed on a victim’s Windows system, the malware stealthily collects sensitive data and sends it to the attacker’s Telegram bot, giving the attacker unauthorized access to the victim’s information.

QwixxRAT, discovered by cybersecurity company Uptycs, is designed to harvest various types of data including web browser histories, bookmarks, cookies, credit card information, keystrokes, screenshots, files with specific extensions, and data from apps like Steam and Telegram.

The RAT is available for purchase at 150 rubles for weekly access and 500 rubles for a lifetime license. There is also a limited free version of the tool.

QwixxRAT is built using C# and includes anti-analysis features to avoid detection. These features include a sleep function to introduce a delay in the execution process and checks to determine if the RAT is operating within a sandbox or virtual environment. It can also monitor for specific processes and halt its activity if certain processes are detected.

In addition, QwixxRAT contains a clipper that accesses sensitive information copied to the device’s clipboard in order to conduct illicit fund transfers from cryptocurrency wallets. Command-and-control is facilitated through a Telegram bot, which allows the attacker to send commands to collect additional data, such as audio and webcam recordings, and even remotely shut down or restart the infected host.
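Because both exfiltration and command-and-control go through a Telegram bot, one defensive check is to look for unexpected processes calling the Telegram Bot API. The following is an added example, not code from the report or from Uptycs: it assumes a TLS-inspecting proxy or EDR export that records the process image and full URL, and the log format, host names, paths and tokens are constructed.

```python
import re
from collections import defaultdict

# Constructed records (not from the report): time|host|process image|URL
SAMPLE_LOG = r"""
2023-08-15T10:00:01Z|WS-014|C:\Program Files\Mozilla Firefox\firefox.exe|https://example.org/index.html
2023-08-15T10:00:07Z|WS-014|C:\Users\amy\AppData\Roaming\svc_update.exe|https://api.telegram.org/bot1111111111:CONSTRUCTED_TOKEN_AAAAAAAAAAAAAAAAAAA/getUpdates?offset=5
2023-08-15T10:00:09Z|WS-014|C:\Users\amy\AppData\Roaming\svc_update.exe|https://api.telegram.org/bot1111111111:CONSTRUCTED_TOKEN_AAAAAAAAAAAAAAAAAAA/sendDocument
2023-08-15T10:02:30Z|SRV-002|C:\Tools\alertbot\alertbot.exe|https://api.telegram.org/bot2222222222:CONSTRUCTED_TOKEN_BBBBBBBBBBBBBBBBBBB/sendMessage
malformed line without separators
"""

# Bot API URLs look like https://api.telegram.org/bot<id>:<secret>/<method>.
# Only the numeric bot id and the method are captured; the secret is never stored.
BOT_URL = re.compile(r"^https://api\.telegram\.org/bot(\d+):[\w-]+/(\w+)", re.I)
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendaudio", "sendvideo", "sendvoice"}

def find_bot_api_clients(log_text, allowed_images=()):
    """Group Bot API requests by (host, process image), skipping allowlisted images."""
    allowed = {p.lower() for p in allowed_images}
    hits = defaultdict(lambda: {"bot_ids": set(), "methods": set(), "count": 0})
    for line in log_text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:          # tolerate blank or malformed lines
            continue
        _, host, image, url = parts
        m = BOT_URL.match(url)
        if not m or image.lower() in allowed:
            continue
        entry = hits[(host, image)]
        entry["bot_ids"].add(m.group(1))
        entry["methods"].add(m.group(2).lower())
        entry["count"] += 1
    findings = []
    for (host, image), e in sorted(hits.items()):
        findings.append({
            "host": host, "image": image, "requests": e["count"],
            "bot_ids": sorted(e["bot_ids"]), "methods": sorted(e["methods"]),
            # getUpdates polling plus file uploads matches bot-driven C2 and exfiltration
            "polls_for_commands": "getupdates" in e["methods"],
            "uploads_files": bool(e["methods"] & UPLOAD_METHODS),
        })
    return findings

if __name__ == "__main__":
    for f in find_bot_api_clients(SAMPLE_LOG, [r"C:\Tools\alertbot\alertbot.exe"]):
        print(f)
```

Without TLS inspection only the hostname `api.telegram.org` is visible, so the same grouping by host and process still applies but the method-based flags do not.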

The discovery of QwixxRAT follows the disclosure of two other RAT strains, RevolutionRAT and Venom Control RAT. These RATs have similar features and are also advertised on various Telegram channels.
