US-bound travelers looking for a visa might get a RAT instead

F-Secure researchers have discovered that travelers who applied for a US Visa in Switzerland have recently been targeted by cyber-criminals wielding the latest version of the Qarallax RAT (QRAT).

The criminals impersonated the US Visa Service Desk on Skype. The service’s legitimate Skype account is ustraveldocs-Switzerland, while the crooks registered the ustravelidocs- Switzerland account (notice the extra “i” and space after the dash).

Further research revealed a host of similar fake accounts, targeting US-bound travelers from a number of other countries:

Users who have made the mistake of contacting one of these fake accounts are served with what they believed to be additional US Visa information, but is actually a JAVA application that will run silently in the background and capture mouse movements and click, keyboard presses, and control the webcam and take photos or videos.

The app is downloaded from the QARALLAX[.]COM domain (95.211.141[.]215), where other password-stealing malware is also hosted.

The domain is owned by the Qarallax Team, a group of miscreants that offers malware-as-a-service for a fee.

“The price for the Qarallax RAT ranges from $22 to $900 depending on the duration of contract from 5 days to a year respectively,” F-Secure researcher Frederic Vila noted.

“Upon purchase, users of the Qarallax RAT will get a ‘master’ and a ‘slave’ program. The users are responsible in expanding their network of slaves by tricking their victim into running the application. The file that was received via Skype is a slave program,” he explained.

“The master program connects to the same IP address as the slave program. If the license for the master program is valid, it will then require the user to enter the port number that matches the slave port in order to view the victimized machines.”

It’s practically impossible to say or to guess who might be behind this campaign.