Fake Trump’s scandle video campaign spreading QNode RAT

Hackers are benefitting from the unrest after the US Presidential elections and spreading QNode malware but this time it tricks users into believing that they are about to watch an x-rated video of Donald Trump.

Despite that the US presidential elections are over, cybercriminals do not seem to let go of the hype. Perhaps this is why they have come up with another campaign to deliver a remote access trojan (RAT) disguised as Donald Trump’s sex video.

QNode RAT Downloader

Trustwave security researchers have identified a new malspam campaign. The researchers suspected foul play because the email attachment didn’t match the theme of the email body. Further probe revealed that the attachment is a variant of the Windows-based QRAT downloader.

It is worth noting that QRAT was also used in 2016 against Skype users to steal their credentials after infecting their device with malware.

The emails’ JAR file seems to have the same purpose as previously discovered Node.js QRAT downloaders. Diana Lopera, Trustwave’s senior security researcher, explained about the latest QRAT downloader in a report.

Lopera wrote that the new variant has undergone modifications, the email campaign itself is a bit amateurish.

“While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated. The spamming out of malicious Java Archive (JAR) files, which often lead to RATs such as this, is quite common,” Lopera wrote.

Windows Systems at Risk

The downloader, as noted in its previous versions, still only impacts Windows-based systems. The JAR (Java ARchive) file is obfuscated using the Allatori Obfuscator.

According to Trustwave researchers, the sample they have analyzed is larger than the previous ones. However, the downloader’s malicious code is still divided between multiple data streams while the filename still comprises numbers.

When the victim opens the email’s JAR file attachment, a pop-up appears stating that the file is a remote access software used mainly for “penetration testing.” When the user clicks on the button stating, “Ok, I know what I am doing”, the JAR file initiates its malicious operation on the system.

A Good Loan Offer!!

In this campaign, the email contains the subject line “GOOD LOAN OFFER!!” The subject line is a misleading one as it makes the email appear as an investment scam at first. The attachment in the email, however, contains a JAR file titled “TRUMP_SEX_SCANDAL_VIDEO.jar”.

Possible Motive?

Trustwave researchers believe that cybercriminals want to capitalize on the controversy surrounding the US presidential election. That’s because the filename is unrelated to the email’s subject line.

“We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is unrelated to the email’s theme,” said Diana Lopera.

Avoid downloading and opening attachments in emails from unknown senders if you want to avoid falling victim to QRAT malspam campaign.

You may also like...