Hackers Using Fake Trump's Scandal Video to Spread QNode Malware

Cybersecurity researchers today revealed a new malspam campaign that distributes a remote access Trojan by purporting to contain a sex scandal video of U.S. President Donald Trump.
The emails, which carry the subject line "GOOD LOAN OFFER!!," come with an attached Java archive file called "TRUMP SEX SCANDAL VIDEO.jar," which, when downloaded, installs Qua or Quaverse RAT onto the infiltrated system.
The infection chain starts with a spam message containing an embedded attachment or a link pointing to a malicious zip file, either of which retrieves a JAR file that's scrambled using the Allatori Java obfuscator.
This first-stage downloader installs the Node.js platform on the system and then downloads and executes a second-stage downloader called "Wizard.js" that's responsible for achieving persistence and for fetching and running the Qnode RAT from an attacker-controlled server.
The malicious code of the JAR downloader is split up into different randomly numbered buffers in an attempt to evade detection.
Other changes include an overall increase in the JAR file size and the elimination of the second-stage downloader in favor of an updated malware chain that immediately fetches the QRAT payload now called "Boot.js."
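A mail-triage check for the delivery stage described above, as an added example that is not part of the original article or the researchers' tooling: it flags attachments that are JAR files by content (so a renamed extension does not hide them) and JARs packed inside a ZIP. The function names, sample addresses, and size limit are assumptions made for this sketch.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

def is_jar(data):
    """A JAR is a ZIP that carries META-INF/MANIFEST.MF or .class entries."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    return any(n.upper() == "META-INF/MANIFEST.MF" or n.endswith(".class") for n in names)

def jar_findings(raw, max_member=10_000_000):
    """Return (attachment name, reason) for JARs attached directly or inside a ZIP."""
    findings = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if is_jar(data):  # content check, so a renamed extension is still caught
            findings.append((name, "jar attachment"))
        elif zipfile.is_zipfile(io.BytesIO(data)):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    named = info.filename.lower().endswith(".jar")
                    # skip encrypted or oversized members instead of reading them
                    readable = not (info.flag_bits & 0x1) and info.file_size <= max_member
                    if named or (readable and is_jar(zf.read(info))):
                        findings.append((name, "jar inside zip: " + info.filename))
    return findings

def make_zip(members):
    """Build a ZIP (or JAR) in memory from {member name: content}; constructed data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member, content in members.items():
            zf.writestr(member, content)
    return buf.getvalue()

def build_sample(attachments):
    """Constructed message: subject from the article, addresses and body made up."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "GOOD LOAN OFFER!!", "a@example.com", "b@example.com"
    msg.set_content("constructed sample body")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

`build_sample` and `make_zip` only construct harmless test input; in a mail pipeline `jar_findings` would be called on the raw bytes of each inbound message.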