
QNode RAT distributes fake video of sex scandal with Trump

Security researchers at Trustwave discovered a malspam campaign distributing the QNode remote access trojan (RAT), using a fake video of a sex scandal involving Trump as "bait".

According to Security Affairs, the spam emails use the subject "GOOD LOAN OFFER !!" while carrying a Java Archive (JAR) attachment named “TRUMP_SEX_SCANDAL_VIDEO.jar”. When the attachment is executed, the malicious code tries to install QNode RAT on the recipient's machine.


The researchers said in a statement: "While controlling spam traps, a particular campaign caught our eye, mainly because the name of the email attachment does not match the theme of its body. We suspect that malicious agents are trying to continue the frenzy caused by the recent presidential election, with the name of the file they used in the attachment having nothing to do with the subject of the email."

The payload distributed in this malspam campaign, which uses the fake Trump sex scandal video as "bait", appears to be a variant of the QRAT malware that Trustwave researchers discovered last August. The researchers also highlighted several similarities with the older variants: the JAR file is hidden with Allatori Obfuscator, only the Windows operating system is supported, and the Node.js installer is retrieved from the official site.

The QRAT variant still uses a multi-stage downloader. The first-stage downloader is the JAR file attached to the spam emails. As detailed in the August report published by Trustwave, this first stage has two main tasks: it installs the Node.js platform on the system, and then it downloads and runs the second-stage downloader. The second-stage downloader, called Wizard.js, executes QNode RAT from a command-and-control (C2) server and tries to achieve persistence on the infected system.


The new variant used in this campaign has the following features:

  • The JAR sample is significantly larger than the one used in previous campaigns
  • The hackers behind this campaign added a GUI and a supposed Microsoft ISC license to the JAR code
  • This variant does not use the "qnodejs" string, to avoid detection, and the downloader code is split across different buffers within the JAR
  • When downloading the next-stage malware, only the “–Hub-domain” argument is required when communicating with the command-and-control servers
  • The JAR file downloads a file named Boot.js and saves it to %temp%\_qhub_node_{random}
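As an added example (not code from the article or from Trustwave's report), the Python detection logic below runs over constructed Sysmon-style process-creation records and flags the infection chain described above: a JAR launched from a user-writable directory, and node.exe executing a script from a %temp%\_qhub_node_{random} directory or descending from that JAR process. The record field names, file paths, sample PIDs and the hub-domain value are assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style ProcessCreate records (not real telemetry).
# pid/ppid/image/cmdline mirror ProcessId, ParentProcessId, Image, CommandLine.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 3010, "ppid": 1200, "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Users\alice\Downloads\TRUMP_SEX_SCANDAL_VIDEO.jar"'},
    {"pid": 3040, "ppid": 3010, "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\Users\alice\AppData\Local\Temp\_qhub_node_8f3a1c\Boot.js --hub-domain hub.example.invalid'},
    {"pid": 3055, "ppid": 900, "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},  # benign developer use
]

# JAR path passed to java/javaw via -jar (quoted or unquoted).
JAR_RE = re.compile(r'-jar\s+"?([^"]+?\.jar)"?', re.IGNORECASE)
# Locations where a mailed attachment typically lands before execution.
USER_DIRS_RE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|INetCache|Content\.Outlook)\\", re.IGNORECASE)
# Second-stage scripts dropped into %temp%\_qhub_node_{random} (names from the report).
QNODE_RE = re.compile(r"\\Temp\\_qhub_node_[^\\\s]+\\(Boot|Wizard)\.js", re.IGNORECASE)


def _basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings for the QNode downloader chain."""
    by_pid = {e["pid"]: e for e in events}
    jar_pids = set()
    findings: List[Tuple[int, str]] = []
    # Rule 1: java/javaw running a JAR out of a user-writable attachment directory.
    for e in events:
        m = JAR_RE.search(e["cmdline"])
        if _basename(e["image"]) in ("java.exe", "javaw.exe") and m and USER_DIRS_RE.search(m.group(1)):
            jar_pids.add(e["pid"])
            findings.append((e["pid"], "jar-launched-from-user-writable-dir"))
    for e in events:
        if _basename(e["image"]) != "node.exe":
            continue
        # Rule 2: node.exe executing Boot.js/Wizard.js from the _qhub_node_ temp directory.
        if QNODE_RE.search(e["cmdline"]):
            findings.append((e["pid"], "node-script-in-qhub-temp-dir"))
        # Rule 3: node.exe whose ancestry leads back to a flagged JAR process (bounded walk).
        parent, depth = e["ppid"], 0
        while parent in by_pid and depth < 8:
            if parent in jar_pids:
                findings.append((e["pid"], "node-descends-from-suspicious-jar"))
                break
            parent, depth = by_pid[parent]["ppid"], depth + 1
    return findings
```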

In addition, QRAT supports many typical RAT features, such as retrieving system information, performing file operations, and obtaining credentials from applications. Its credential theft covers many applications, including Chrome, Firefox, Thunderbird and Outlook.
