Cyber-criminals constantly take advantage of the “hottest” media topics to lure victims and infect them with malware. This time hackers decided to profit from the increased attention surrounding the latest US presidential election and launched a Donald Trump-themed spam campaign. The final goal of this operation is to distribute the latest QRAT Trojan malware variant, dubbed QNode. Like its predecessor, QNode can perform password dumping, extract users’ sensitive data, and provide remote control of the victim’s machine.
Quaverse Remote Access Trojan (QRAT) first emerged in May 2015 as highly obfuscated Java-based malware promoted on the dark web under a “malware-as-a-service” (MaaS) scheme. The Trojan is typically distributed via phishing emails in the form of Java Archive (JAR) attachments. Once downloaded and opened, the JAR file fetches a Node.js second-stage loader responsible for persistence and execution of the final payload. The main payload is also written in Node.js, with its code modules obscured with Allatori Obfuscator to evade detection. Notably, the QRAT downloader can attack only Windows environments; however, its Node.js composition suggests that cross-platform variants might emerge soon.
The malicious arsenal of the QRAT Trojan is quite impressive. In particular, the malware can dump passwords from system applications, take screenshots, perform keylogging, and browse files. As a result, adversaries could gain full access to the targeted machine and retrieve a broad range of sensitive data.
Security researchers are observing a significant surge in phishing campaigns aimed at QRAT malware infection. The latest phishing operation in the spotlight is quite interesting. The attack starts with a phishing email with the subject line “GOOD LOAN OFFER!!.” Although it looks like a typical investment scam, the attached file is completely unrelated to this topic: it is named “TRUMP_SEX_SCANDAL_VIDEO,” presumably in an attempt to exploit the noticeable hype surrounding the outgoing US President. Once downloaded and opened, the malicious file infects the victim’s PC with QNode, the latest QRAT variant.
The QNode analysis shows that the malware operators have significantly improved the Trojan’s functionality. To make the QNode downloader more evasive, its code is now split across different files inside the JAR. A GUI and a fake Microsoft ISC License were also added to make the malware installation look less suspicious. Finally, the files created and loaded by the malware are now moved out of the Node.js installation folder and renamed. These improvements help QNode fly under the radar. QNode’s malicious capabilities are almost the same as in previous versions, supporting password dumping from Chrome, Firefox, Thunderbird, and Outlook.
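As an added illustration (not code from this post, and not the Sigma rule referenced below), the following Python checks constructed process-creation events for the three behaviours described above: the JAR attachment's Java runtime handing off to a Node.js loader, a Node.js runtime executing outside its installation folder, and a renamed Node.js binary. The Java and Node.js image names, the default install paths and the Sysmon field names are assumptions, not details given in the post.

```python
from __future__ import annotations
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumptions (not from the post): Java runtime image names, the Node.js image
# name, and the default Node.js install directories on Windows.
JAVA_IMAGES = {"java.exe", "javaw.exe"}
NODE_IMAGE = "node.exe"
NODE_INSTALL_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")

@dataclass
class ProcEvent:
    """Subset of Sysmon Event ID 1 (process creation) fields."""
    image: str               # full path of the new process
    parent_image: str        # full path of the parent process
    original_file_name: str  # PE version-info name; survives renaming on disk

def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def classify(ev: ProcEvent) -> list[str]:
    """Return the detection names matching this event (empty list = benign)."""
    findings = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)
    is_node = image == NODE_IMAGE or ev.original_file_name.lower() == NODE_IMAGE
    # JAR attachment (Java) handing off to the Node.js second-stage loader.
    if parent in JAVA_IMAGES and is_node:
        findings.append("java_spawned_node")
    # QNode moves the Node.js files out of the install folder, so a Node.js
    # runtime executing from anywhere else deserves a look.
    if is_node and not ev.image.lower().startswith(NODE_INSTALL_DIRS):
        findings.append("node_outside_install_dir")
    # QNode also renames the files: the on-disk name no longer matches the PE name.
    if ev.original_file_name.lower() == NODE_IMAGE and image != NODE_IMAGE:
        findings.append("renamed_node_binary")
    return findings

def scan(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> findings for every event that triggered at least one."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Program Files\\nodejs\\node.exe",
              "C:\\Windows\\System32\\cmd.exe", "node.exe"),               # benign developer use
    ProcEvent("C:\\Users\\victim\\AppData\\Roaming\\qn\\node.exe",
              "C:\\Program Files\\Java\\jre\\bin\\javaw.exe", "node.exe"),  # stage-2 hand-off
    ProcEvent("C:\\Users\\victim\\AppData\\Local\\Temp\\wsvc.exe",
              "C:\\Windows\\explorer.exe", "node.exe"),                     # renamed runtime
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, hits)
```

The benign event produces no findings; the two malicious-looking events each trigger two checks, which is the kind of logic a Sigma rule for this chain would encode against process-creation telemetry.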
To enhance QRAT Trojan detection, you can download the latest Sigma rule by Osman Demir, one of the most prolific contributors to our Threat Detection Marketplace SOC content library:
The rule has translations to the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio.
EDR: Microsoft Defender ATP, Carbon Black
Tactics: Initial Access, Defense Evasion
Techniques: Spearphishing Attachment (T1566), File and Directory Permissions Modification (T1222)
Subscribe to the Threat Detection Marketplace for free to reach more relevant SOC content items tagged with particular CVEs, TTPs used by APT groups, and multiple MITRE ATT&CK® parameters. Ready to contribute to threat hunting initiatives? Join our Threat Bounty program to enrich the SOC content library and share it with the Threat Detection Marketplace community.