As outgoing President Donald Trump continues to dominate headlines, cybercriminals have decided to horn in on the much-gossiped-about — and yet to materialize — Trump sex tape as a lure for malware delivery.
A campaign has been uncovered that labels a malware downloader with the filename “TRUMP_SEX_SCANDAL_Video,” according to a new report from Trustwave researchers. It’s being spread via malicious links in emails.
If clicked, the links don’t take the user to a salacious video, but instead install QRAT, providing criminals with total remote access of an infected system.
QRAT
First discovered in 2015, the Quaverse Remote Access Trojan (QRAT) is Java-based, remote access trojan (RAT) supercharged by plug-ins from Quaverse, Trustwave explained.
Starting last August, Trustwave researchers reported seeing an uptick in phishing scams trying to push QRAT. This latest phishing attempt in interesting though, according to Trustwave researcher Diana Lopera, because the subject line and the filename were unrelated.
“The email, with the subject “GOOD LOAN OFFER!!,” at first glance, looks like a usual investment scam,” Lopera said in the report about the find. “No obfuscation in the email headers or body is found. Interestingly, attached to the email is an archive containing a Java Archive (JAR) file called “TRUMP_SEX_SCANDAL_VIDEO.jar.”
Lopera added recent headlines surrounding the election provided plenty of cover for malicious actors to conduct their scams.
“We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded presidential elections, since the filename they used on the attachment is totally unrelated to the email’s theme,” Lopera said.
QRAT Variants
This QRAT is notable because it has several differences from its predecessors, Lopera explained.
“This threat has been significantly enhanced over the past few months since we first examined it,” Lopera said. “To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behavior were improved.”
This version of code is encrypted with base64; the modules are hidden with Allatori Obfuscator; the victim network information is retrieved here from the service “hxxps://wtfismyip[.]com”; and finally, the password recovery also supports Chrome, Firefox, Thunderbird and Outlook, the report explained.
“The malicious code of this downloader is split up among…numbered files, along with some junk data that were added to them.” Lopera wrote.
The latest .JAR variant also includes a scam Microsoft ISC license, which serves up a message telling the user the .JAR file is being run for remote penetration testing, the report said.
“Upon the execution of the file “TRUMP_SEX_SCANDAL_VIDEO.jar”, a copy of it is created and then executed from the %temp% folder,” Lopera said. “Then, a GUI informing the victim that the malicious JAR file is a remote access software used for penetration testing is launched. The malicious behaviors of this sample start to manifest once the button ‘Ok, I know what I am doing’ is clicked,” Lopera said.
Another difference between this version and previous known .JAR files is a missing string of code.
“Third, the string “qnodejs” which previously identified the files associated with this threat, is not in this variant,” she observed.
Earlier versions of the .JAR file contained information about the QHub service subscription necessary to communicate with the C2 server, the report said.
“The information about the QHub service subscription user we observed in the earlier variant is no longer contained in the JAR file,” Lopera said.
‘Amateurish’ Attempt
To protect systems against this latest QRAT variant, Lopera advises that email administrators should block .JAR files at security gateways.
“While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated,” Lopera wrote. “The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common.”
Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s software supply-chain prepared for an attack? On Wed., Jan. 20 at 2p.m. ET, start identifying weaknesses in your supply-chain with actionable advice from experts – part of a limited-engagement and LIVE Threatpost webinar. CISOs, AppDev and SysAdmin are invited to ask a panel of A-list cybersecurity experts how they can avoid being caught exposed in a post-SolarWinds-hack world. Attendance is limited: Register Now and reserve a spot for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.