While reviewing our spam traps, a particular campaign piqued our interest primarily because the attachment to the email does not coincide with the theme of the email body. When we investigated further, we discovered that its attachment is a variant of the QRAT downloader we blogged about last August.
The email, with the Subject “GOOD LOAN OFFER!!”, at first glance, looks like a usual investment scam. No obfuscation in the email headers or body is found. Interestingly, attached to the email is an archive containing a Java Archive (JAR) file called “TRUMP_SEX_SCANDAL_VIDEO.jar”. We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email’s theme.
The JAR file “TRUMP_SEX_SCANDAL_VIDEO.jar”, dubbed as “QNODE DOWNLOADER”, has the same purpose as the Node.Js QRAT downloaders we previously analyzed – to install into the infiltrated system the Qnode RAT. Other similarities with the older variants are as follows:
We decided to examine the notable new features and changes of this variant, and the rest of the blog will tackle these variations. We recommend you read our earlier blog in conjunction with this one.
First, this JAR sample is significantly larger than the older samples we examined. Aside from the classes the same file name and length but with different cases, this JAR file also has data streams with just numbers in the filename. The malicious code of this downloader is split up among these numbered files, along with some junk data that were added to them.
Second, a GUI and a supposed Microsoft ISC License are added into the JAR’s code. Upon the execution of the file “TRUMP_SEX_SCANDAL_VIDEO.jar”, a copy of it is created and then executed from the %temp% folder. Then, a GUI informing the victim that the malicious JAR file is a remote access software used for penetration testing is launched. The malicious behaviors of this sample start to manifest once the button “Ok, I know what I am doing.” is clicked. This pop-up is a little odd and is perhaps an attempt to make the application look legitimate, or deflect responsibility from the original software authors.
Third, the string “qnodejs“ which previously identified the files associated with this threat, is not in this variant. The folder name and the file names within this JAR file no longer contains this string. The Node.Js installation folder is still at %userprofile%, however, the folder is not prepended with “qnodejs-“ anymore. Also, in contrast to our first blog, this JAR saves its downloaded files at a QHub folder %temp%\_qhub_node_{random string} instead of at a folder named “qnodejs“ under the path of the installed Node.Js.
Fourth, when downloading next stage malware, only the argument “--hub-domain” is required when communicating to the command-and-control servers (C&Cs). After setting up the Node.Js platform, a Node.Js process is created to download the next malware in the infection chain. The argument “--hub-domain” along with the C&Cs is the only data supplied to the process. The information about the QHub service subscription user we observed in the earlier variant is no longer contained in the JAR file.
Lastly, the JAR file downloads a file named “boot.js” and saves it at %temp%\_qhub_node_{random}. Unfortunately, we were not able to replicate this part of the infection chain.
To get an idea of what the downloaded file “boot.js” might be, we looked in VirusTotal for a similar file with the same filename, tagged as text, and file size at least 10MB, and we were able to find this sample. It appears that with this variant, the malware chain has been shortened. The second-stage downloader has been removed and that the jar file immediately downloads the payload “boot.js”, which is the Node.Js QRAT.
We checked the file “boot.js” for the characteristics and activities it will perform which are similar to the payload ‘qnodejs-win32-ia32.js SHA1: 31F541074C73D02218584DF6C8292B80E6C1FF7D’ from our first blog and below are our findings:
With regards to the persistence, which was the task of the second stage downloader “wizard.js” in previous samples, the payload “boot.js” now accomplishes this. A VBS script %userprofile%\qhub\node\2.0.10\boot.vbs which launches the payload is created and then set to run at the typical registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
The commands that this variant of QRAT supports are simpler than previous versions, as shown below.
This threat has been significantly enhanced over the past few months since we first examined it. To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behavior were improved.
While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated. The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common. Email administrators should be looking to take a hard line against inbound JARs and block them in their email security gateways.
Files:
TRUMP_SEX_SCANDAL_VIDEO.jar (61762 bytes) SHA1: B12542229561341F028D09D3B864F9732B431891
boot.js (13293765 bytes) SHA1: 7bf154c9ddf3a71abf15906cdb60773e8ae07b62
URLs:
gatherlozx[.]hopto[.]org