CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

A Trump Sex Video? No, It's a RAT!

While reviewing our spam traps, a particular campaign piqued our interest primarily because the attachment to the email does not coincide with the theme of the email body. When we investigated further, we discovered that its attachment is a variant of the QRAT downloader we blogged about last August.

The Mailspam

The email, with the Subject “GOOD LOAN OFFER!!”, at first glance, looks like a usual investment scam. No obfuscation in the email headers or body is found. Interestingly, attached to the email is an archive containing a Java Archive (JAR) file called “TRUMP_SEX_SCANDAL_VIDEO.jar”. We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email’s theme.

The malspam
Figure 1: The malspam

 

The Qrat Downloader Variant

The JAR file “TRUMP_SEX_SCANDAL_VIDEO.jar”, dubbed as “QNODE DOWNLOADER”, has the same purpose as the Node.Js QRAT downloaders we previously analyzed – to install into the infiltrated system the Qnode RAT. Other similarities with the older variants are as follows:

  • the JAR file is obfuscated using Allatori Obfuscator;
  • the installer of Node.Js is retrieved from the official website nodejs.org; and,
  • this downloader still supports Windows platforms only.
The QNODE DOWNLOADER
Figure 2: The QNODE DOWNLOADER

 

We decided to examine the notable new features and changes of this variant, and the rest of the blog will tackle these variations. We recommend you read our earlier blog in conjunction with this one.

First, this JAR sample is significantly larger than the older samples we examined. Aside from the classes the same file name and length but with different cases, this JAR file also has data streams with just numbers in the filename. The malicious code of this downloader is split up among these numbered files, along with some junk data that were added to them.

The JAR attachment classes viewed using the tools Java Decompiler and Hiew
Figure 3: The JAR attachment classes viewed using the tools Java Decompiler and Hiew

 

Second, a GUI and a supposed Microsoft ISC License are added into the JAR’s code. Upon the execution of the file “TRUMP_SEX_SCANDAL_VIDEO.jar”, a copy of it is created and then executed from the %temp% folder. Then, a GUI informing the victim that the malicious JAR file is a remote access software used for penetration testing is launched. The malicious behaviors of this sample start to manifest once the button “Ok, I know what I am doing.” is clicked. This pop-up is a little odd and is perhaps an attempt to make the application look legitimate, or deflect responsibility from the original software authors.

The pop-up User Interface and its code snippet
Figure 4: The pop-up User Interface and its code snippet
 
The ISC License named owner is Microsoft
Figure 5: The ISC License named owner is Microsoft

 

Third, the string “qnodejs“ which previously identified the files associated with this threat, is not in this variant. The folder name and the file names within this JAR file no longer contains this string. The Node.Js installation folder is still at %userprofile%, however, the folder is not prepended with “qnodejs-“ anymore. Also, in contrast to our first blog, this JAR saves its downloaded files at a QHub folder %temp%\_qhub_node_{random string} instead of at a folder named “qnodejs“ under the path of the installed Node.Js.

The code comparison of the installation of Node.Js platform from the first blogFigure 6: The code comparison of the installation of Node.Js platform from the first blog

 

Fourth, when downloading next stage malware, only the argument “--hub-domain” is required when communicating to the command-and-control servers (C&Cs). After setting up the Node.Js platform, a Node.Js process is created to download the next malware in the infection chain. The argument “--hub-domain” along with the C&Cs is the only data supplied to the process. The information about the QHub service subscription user we observed in the earlier variant is no longer contained in the JAR file.

The initial Node.Js process when contacting the C&Cs
Figure 7: The Node.Js process when initially contacting the C&Cs

 

Lastly, the JAR file downloads a file named “boot.js” and saves it at %temp%\_qhub_node_{random}. Unfortunately, we were not able to replicate this part of the infection chain.

The code snippet of the installation of second-stage malware
Figure 8: The code snippet of the installation of second-stage malware

 

To get an idea of what the downloaded file “boot.js” might be, we looked in VirusTotal for a similar file with the same filename, tagged as text, and file size at least 10MB, and we were able to find this sample. It appears that with this variant, the malware chain has been shortened. The second-stage downloader has been removed and that the jar file immediately downloads the payload “boot.js”, which is the Node.Js QRAT.

The boot.js sample from VirusTotal
Figure 9: The boot.js sample from VirusTotal

 

We checked the file “boot.js” for the characteristics and activities it will perform which are similar to the payload ‘qnodejs-win32-ia32.js SHA1: 31F541074C73D02218584DF6C8292B80E6C1FF7D’ from our first blog and below are our findings:

  • Code is encrypted with base64
  • Modules are obfuscated
  • Obtains network information from the service hxxps://wtfismyip[.]com
  • Password-recovery functionality supports the same applications Chrome, Firefox, Thunderbird, and Outlook

With regards to the persistence, which was the task of the second stage downloader “wizard.js” in previous samples, the payload “boot.js” now accomplishes this. A VBS script %userprofile%\qhub\node\2.0.10\boot.vbs which launches the payload is created and then set to run at the typical registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

The commands that this variant of QRAT supports are simpler than previous versions, as shown below.

The code snippet of the commands this version of QRAT accepts
Figure 10: The code snippet of the commands this version of QRAT accepts

 

Summary

This threat has been significantly enhanced over the past few months since we first examined it. To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behavior were improved.

  • To increase the chances of this threat being executed by the email recipient, the attachment name was based on a prominent figure, and a GUI indicating that the malicious JAR is a tool used in penetration testing.
  • To evade detection, the malicious code of the downloader was split-up into different buffers inside the JAR. Also, the string “qnodejs” which can distinguish the files related to this threat was not used anymore.
  • To challenge the existing remediations of this threat, the names of the other files it created and downloaded were changed and they are put into different locations, not inside the Node.Js installation folder.
  • To deliver the final payload into the system, the infection chain was modified – the JAR directly downloads the payload.

While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated. The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common. Email administrators should be looking to take a hard line against inbound JARs and block them in their email security gateways.

IOCs

Files:
TRUMP_SEX_SCANDAL_VIDEO.jar (61762 bytes) SHA1: B12542229561341F028D09D3B864F9732B431891
boot.js (13293765 bytes) SHA1: 7bf154c9ddf3a71abf15906cdb60773e8ae07b62

URLs:
gatherlozx[.]hopto[.]org

 

Latest SpiderLabs Blogs

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More

CNAPP, CSPM, CIEM, CWPP – Oh My!

We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More

Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious...

Read More