According to Trustwave, a new variant of the QRAT downloader is being delivered by e-mail under the subject “GOOD LOAN OFFER!!”. At first glance the message looks like an ordinary scam, but it carries an unexpected attachment: an archive containing a Java Archive (JAR) file named “TRUMP_SEX_SCANDAL_VIDEO.jar”.
This file is labeled “QNODE DOWNLOADER” and has exactly the same goal as the Node.js QRAT downloaders Trustwave previously analyzed. It shares the following traits with the older variants:
- the JAR file is obfuscated using Allatori Obfuscator;
- the Node.js installer is retrieved from the official website, nodejs.org; and
- the downloader still supports Windows platforms only.
In conclusion, this threat has been significantly enhanced in the months since it was first examined. To reach the same end goal, infecting the system with a QNode RAT, the JAR downloader's characteristics and behavior were improved. The attachment payload is more capable than previous versions, but Trustwave noted that the e-mail campaign itself was not sophisticated; the threat would only become more likely to succeed if it were delivered in a more elaborate way.
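The delivery chain described above (an archive attachment that wraps a JAR) is something a mail gateway or triage script can flag regardless of the file names used. The following Python is an added example written for this summary, not code from Trustwave or from the malware; it builds a constructed sample attachment in memory (placeholder names, not the real campaign's), then identifies JAR entries by content (a ZIP carrying META-INF/MANIFEST.MF) rather than by extension, recursing through nested archives so that a renamed or double-wrapped JAR is still reported.

```python
import io
import zipfile
from typing import List

ZIP_MAGIC = b"PK\x03\x04"


def build_sample_jar() -> bytes:
    """Constructed minimal JAR: a ZIP with a manifest and one class-like entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a.b.c\n")
        # Class files start with the 0xCAFEBABE magic; the rest is padding.
        jar.writestr("a/b/c.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
    return buf.getvalue()


def build_sample_attachment() -> bytes:
    """Constructed e-mail attachment: an archive that wraps the sample JAR.

    The JAR is stored under a misleading extension to show that detection
    does not rely on the file name.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as outer:
        outer.writestr("VIDEO_PLACEHOLDER.mp4", build_sample_jar())
        outer.writestr("readme.txt", "nothing to see here")
        # A nested archive, to exercise recursion.
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as nested:
            nested.writestr("payload.jar", build_sample_jar())
        outer.writestr("more/inner.zip", inner.getvalue())
    return buf.getvalue()


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP container that includes META-INF/MANIFEST.MF."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "META-INF/MANIFEST.MF" in z.namelist()
    except zipfile.BadZipFile:
        return False


def find_nested_jars(archive: bytes, prefix: str = "", max_depth: int = 3) -> List[str]:
    """Return the paths of every JAR found inside a ZIP attachment.

    Entries are classified by content, so a JAR renamed to .mp4 is still
    reported. Plain (non-JAR) ZIPs are descended into, up to max_depth, which
    bounds the work an attacker-controlled archive can cause.
    """
    found: List[str] = []
    if max_depth < 0 or not archive.startswith(ZIP_MAGIC):
        return found
    try:
        z = zipfile.ZipFile(io.BytesIO(archive))
    except zipfile.BadZipFile:
        return found
    with z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename)
            path = prefix + info.filename
            if is_jar(data):
                found.append(path)
            elif data.startswith(ZIP_MAGIC):
                found.extend(find_nested_jars(data, path + "!/", max_depth - 1))
    return found


if __name__ == "__main__":
    for hit in find_nested_jars(build_sample_attachment()):
        print("JAR inside attachment:", hit)
```

In a gateway, a non-empty result from `find_nested_jars` on an inbound archive attachment is a reasonable quarantine or review trigger; the `max_depth` bound keeps deeply nested or recursive archives from consuming unbounded time.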