Trump “sex scandal” video hides the QRAT Trojan

Trustwave researchers have discovered a new spam campaign that distributes a remote access Trojan (RAT), using a purported video of a sex scandal involving US President Donald Trump as bait.

The e-mails, with the subject “GOOD CREDIT OFFER !!”, carry a JAR file named “TRUMP_SEX_SCANDAL_VIDEO.jar” which, once opened, installs the Qua or Quaverse RAT (QRAT) on the system.

Unusually, the name of the malicious file has nothing to do with the subject of the e-mail that carries it. When the researchers opened the e-mail caught by their spam filters, they expected an investment scam, so they were surprised to find a malicious JAR file attached. They say the cybercriminals are probably trying to take advantage of “the madness caused by the recent presidential election.”

The investigation revealed that the JAR file is a variant of the QRAT downloader that the researchers drew public attention to in August this year. The new and the old versions share two traits: both use the Allatori obfuscator to hide the contents of the JAR file, and both fetch the Node.js installer from the official website nodejs.org.

As with the older versions of the malware, the new one only supports Windows.

The infection chain that Trustwave warned about a few months ago began with an e-mail carrying either an attachment or a link to a malicious ZIP file; either way, the JAR file ends up on the victim's machine.

The first-stage downloader installs the Node.js platform on the system, then downloads and runs a second-stage downloader called “wizard.js”, which in turn downloads and runs the Qnode RAT (“qnode-win32-ia32.js”) from an attacker-controlled server.
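Process-creation telemetry is enough to flag the chain described above: a JAR launched from a user directory, Node spawned by a Java process, and the two named stage scripts. The following Python is an added example, not code from the article or from Trustwave; the “parent|image|command line” record format and the sample records are constructed.

```python
import re
from typing import Dict, List

# Constructed process-creation records, "parent|image|command line" (a hypothetical
# export format; the records are not from the article or from Trustwave's analysis).
SAMPLE_LOGS = [
    r"explorer.exe|javaw.exe|javaw.exe -jar C:\Users\alice\Downloads\TRUMP_SEX_SCANDAL_VIDEO.jar",
    r"javaw.exe|node.exe|C:\Users\alice\AppData\Local\Temp\node\node.exe C:\Users\alice\AppData\Local\Temp\wizard.js",
    r"node.exe|node.exe|C:\Users\alice\AppData\Local\Temp\node\node.exe C:\Users\alice\AppData\Local\Temp\qnode-win32-ia32.js",
    r"explorer.exe|node.exe|C:\Program Files\nodejs\node.exe C:\dev\app\server.js",
    r"explorer.exe|javaw.exe|javaw.exe -jar C:\ProgramData\SomeTool\tool.jar",
]

# Stage names taken from the article's description of the chain.
KNOWN_STAGE_SCRIPTS = {"wizard.js", "qnode-win32-ia32.js"}
JAVA = {"java.exe", "javaw.exe"}
USER_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.I)
NODE_IN_USER_DIR = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\\S*node\.exe", re.I)
JAR_ARG = re.compile(r"-jar\s+\"?([^\"\s]+\.jar)", re.I)
JS_ARG = re.compile(r"(\S+\.js)\b", re.I)

def classify(record: str) -> List[str]:
    """Return the detection tags that fire for one process-creation record."""
    parent, image, cmdline = record.split("|", 2)
    parent, image = parent.lower(), image.lower()
    tags: List[str] = []
    if image in JAVA:
        jar = JAR_ARG.search(cmdline)
        if jar and USER_DIR.search(jar.group(1)):
            tags.append("jar_from_user_dir")        # stage-1 JAR run from Downloads/Temp
    if image == "node.exe":
        js = JS_ARG.search(cmdline)
        script = js.group(1).rsplit("\\", 1)[-1].lower() if js else ""
        if script in KNOWN_STAGE_SCRIPTS:
            tags.append("known_qrat_stage_script")  # wizard.js or qnode-win32-ia32.js
        if parent in JAVA:
            tags.append("node_spawned_by_java")     # the JAR installing and launching Node
        if NODE_IN_USER_DIR.search(cmdline):
            tags.append("node_from_user_dir")       # Node not installed under Program Files
    return tags

def severity(tags: List[str]) -> str:
    """Map tags to a triage level; the chain-specific tags outweigh the generic one."""
    if "known_qrat_stage_script" in tags or "node_spawned_by_java" in tags:
        return "high"
    return "medium" if tags else "none"

def scan(records: List[str]) -> Dict[int, List[str]]:
    # Index every record that raised at least one tag.
    return {i: t for i, r in enumerate(records) if (t := classify(r))}
```

Running `scan(SAMPLE_LOGS)` flags the first three constructed records and leaves the legitimate Node and JAR launches alone; the `node_from_user_dir` tag on its own is only medium, since portable Node installs exist.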

QRAT is a typical remote access Trojan with a number of features, including collecting system information and passwords from applications such as Google Chrome, Firefox, Thunderbird, and Microsoft Outlook.

What has changed is the addition of a pop-up notifying the victim that the JAR being run is remote access software used for penetration testing. The Trojan's malicious behaviour therefore only begins once the user clicks “Ok, I know what I’m doing.”

“This pop-up is a little weird, and it may be an attempt to make the application look legitimate or take responsibility away from the original authors of the software,” the researchers say.

The researchers say the Trojan has improved significantly in the few months since it was first analysed. Even so, despite the improvements over previous versions, the campaign itself is quite amateurish, and they believe the chances of the threat being delivered successfully would be much higher if the e-mails were more sophisticated.

Source: Informacija.rs by www.informacija.rs.