Hackers Using Fake Trump's Scandal Video to Spread QNode Malware
2021-01-06 06:00

Cybersecurity researchers today revealed a new malspam campaign that distributes a remote access Trojan by purporting to contain a sex scandal video of U.S. President Donald Trump.

The emails, which carry the subject line "GOOD LOAN OFFER!!," come with an attached Java archive file called "TRUMP SEX SCANDAL VIDEO.jar," which, when downloaded, installs Qua or Quaverse RAT onto the infiltrated system.

The infection chain starts with a spam message containing an embedded attachment or a link pointing to a malicious zip file, either of which retrieves a JAR file that's scrambled using the Allatori Java obfuscator.

This first-stage downloader installs the Node.js platform on the system and then downloads and executes a second-stage downloader called "Wizard.js" that's responsible for achieving persistence and for fetching and running the Qnode RAT from an attacker-controlled server.

The malicious code of the JAR downloader is split up into different randomly numbered buffers in an attempt to evade detection.

Other changes include an overall increase in the JAR file size and the elimination of the second-stage downloader in favor of an updated malware chain that immediately fetches the QRAT payload now called "Boot.js."
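Because the chain described above always begins with a JAR that arrives as an attachment or inside a zip file, a mail filter can look for JARs by content rather than by file name. The following sketch is an added example, not code from the researchers or the original article; the function names, the nesting depth of 3, the size cap and the sample message are all assumptions made for illustration.

```python
import email.policy
import io
import zipfile
from email.message import EmailMessage

MANIFEST = "META-INF/MANIFEST.MF"
MAX_MEMBER = 50_000_000  # assumed per-member size cap (zip-bomb guard)

def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP archive that carries a META-INF/MANIFEST.MF entry."""
    buf = io.BytesIO(data)
    return zipfile.is_zipfile(buf) and MANIFEST in zipfile.ZipFile(buf).namelist()

def find_jars(name: str, data: bytes, depth: int = 0) -> list[str]:
    """Return paths of JAR payloads in `data`, descending into nested ZIPs."""
    if name.lower().endswith(".jar") or is_jar(data):
        return [name]
    hits = []
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER:
                    continue
                try:
                    inner = zf.read(info)
                except (RuntimeError, zipfile.BadZipFile):
                    continue  # encrypted or corrupt member: cannot inspect
                hits += find_jars(f"{name}!{info.filename}", inner, depth + 1)
    return hits

def scan_message(raw: bytes) -> list[str]:
    """List every attachment path in a raw e-mail message that holds a JAR."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    hits = []
    for part in msg.iter_attachments():
        hits += find_jars(part.get_filename() or "(unnamed)", part.get_payload(decode=True) or b"")
    return hits

def sample_message() -> bytes:  # constructed sample input, not real mail
    jar, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\n")
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("video.dat", jar.getvalue())  # JAR hidden under another name
    msg = EmailMessage()
    msg.set_content("body")
    files = {"clip.jar": jar.getvalue(), "archive.zip": outer.getvalue(), "notes.txt": b"hello"}
    for fname, blob in files.items():
        msg.add_attachment(blob, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

Encrypted archive members are skipped here because they cannot be inspected; a gateway would normally quarantine those separately.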


News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/GsyEkjDf4OI/hackers-using-fake-trumps-scandal-video.html