Criminals are using the end of the Trump presidency to deliver a new remote access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.
As outgoing and ever-controversial President Donald Trump continues to dominate headlines, especially in connection with Wednesday night's storming of Capitol Hill in Washington, cyber-criminals have decided to horn in on the much-gossiped-about and yet-to-materialise Trump sex tape, using it as a lure for malware delivery.
A campaign has been uncovered that labels a malware downloader with the filename “TRUMP_SEX_SCANDAL_Video,” according to a new report from Trustwave researchers. It is being spread via malicious links in emails.
If clicked, the links do not lead to a salacious video; instead they install QRAT, giving criminals full remote access to the infected system.
Starting last August, Trustwave researchers reported seeing an uptick in phishing scams pushing QRAT. This latest phishing attempt is interesting, though, according to Trustwave researcher Diana Lopera, because the subject line and the filename are unrelated.
Good Loan Offer
“The email, with the subject ‘GOOD LOAN OFFER!!,’ at first glance looks like a usual investment scam,” Lopera commented in the report. “No obfuscation in the email headers or body is found. Interestingly, attached to the email is an archive containing a Java Archive (JAR) file called ‘TRUMP_SEX_SCANDAL_VIDEO.jar.’”
Lopera added that the recent headlines surrounding the election provided plenty of cover for malicious actors to conduct their scams.
“We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded presidential elections, since the filename they used on the attachment is totally unrelated to the email’s theme,” Lopera outlined.
This QRAT is notable because it has several differences from its predecessors, Lopera explained.
“This threat has been significantly enhanced over the past few months since we first examined it,” Lopera explained. “To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behaviour were improved.”
In this version the code is base64-encoded; the modules are hidden with Allatori Obfuscator; the victim's network information is retrieved from the service “hxxps://wtfismyip[.]com”; and the password recovery now also supports Chrome, Firefox, Thunderbird and Outlook, the report explained.
“The malicious code of this downloader is split up among…numbered files, along with some junk data that were added to them,” Lopera wrote.
The latest .JAR variant also includes a scam Microsoft ISC license, which displays a message telling the user that the .JAR file is being run for remote penetration testing, the report said.
“Upon the execution of the file ‘TRUMP_SEX_SCANDAL_VIDEO.jar’, a copy of it is created and then executed from the %temp% folder,” Lopera commented. “Then, a GUI informing the victim that the malicious JAR file is a remote access software used for penetration testing is launched. The malicious behaviours of this sample start to manifest once the button ‘Ok, I know what I am doing’ is clicked,” Lopera stated.
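The behaviour Lopera describes, a JAR copied to and launched from the %temp% folder, is something an endpoint detection rule can key on. The following is an added example (not code from Trustwave or the report) that evaluates process-creation records in the style of Sysmon Event ID 1 and flags a Java runtime launching a .jar from a temporary directory. The event records, user name and paths are constructed for the example; only the attachment filename comes from the report.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields).
# Paths, user names and the benign app are made up for this example.
SAMPLE_EVENTS = [
    {   # JAR launched from the user's temp folder: the pattern described in the report
        "Image": r"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe",
        "CommandLine": r'"C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar '
                       r'"C:\Users\alice\AppData\Local\Temp\TRUMP_SEX_SCANDAL_VIDEO.jar"',
    },
    {   # Legitimate Java application installed under Program Files: should not fire
        "Image": r"C:\Program Files\Java\jre1.8.0_271\bin\java.exe",
        "CommandLine": r'"C:\Program Files\Java\jre1.8.0_271\bin\java.exe" -jar "C:\Program Files\ExampleApp\app.jar"',
    },
    {   # Not a Java process at all
        "Image": r"C:\Windows\explorer.exe",
        "CommandLine": r"C:\Windows\explorer.exe",
    },
    {   # Unquoted .jar path under the system temp folder: should also fire
        "Image": r"C:\Program Files\Java\jre1.8.0_271\bin\java.exe",
        "CommandLine": r"java.exe -jar C:\Windows\Temp\update.jar",
    },
]

# java.exe / javaw.exe as the executing image
JAVA_IMAGE = re.compile(r"(?i)[\\/]javaw?\.exe$")
# Every .jar argument on the command line, quoted or unquoted
JAR_ARG = re.compile(r'(?i)"([^"]+\.jar)"|(\S+\.jar)\b')
# Common temporary locations, including the literal %temp% expansion form
TEMP_DIR = re.compile(r"(?i)(\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%)")


def jar_paths(cmdline: str) -> list:
    """Return all .jar paths referenced on a command line."""
    return [quoted or bare for quoted, bare in JAR_ARG.findall(cmdline)]


def is_jar_from_temp(event: dict) -> bool:
    """True when a Java runtime is launching a .jar that lives in a temp directory."""
    if not JAVA_IMAGE.search(event.get("Image", "")):
        return False
    return any(TEMP_DIR.search(p) for p in jar_paths(event.get("CommandLine", "")))


def scan(events: list) -> list:
    """Return the subset of events that match the rule."""
    return [e for e in events if is_jar_from_temp(e)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("ALERT: JAR executed from temp folder:", hit["CommandLine"])
```

In a real deployment the same logic maps onto a SIEM or Sigma rule: Image ends with java.exe or javaw.exe, and CommandLine contains both ".jar" and a temp-directory path. Tune the temp-directory list to the environment, and expect legitimate installers to occasionally trip it, so pair the alert with the parent process and the file's origin (for instance a mail client or archive tool) before acting on it.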
String of Code
Another difference between this version and the previously known .JAR files is a missing string in the code.
“Third, the string ‘qnodejs’, which previously identified the files associated with this threat, is not in this variant,” she observed.
Earlier versions of the .JAR file contained information about the QHub service subscription necessary to communicate with the C2 server, the report outlined.
“The information about the QHub service subscription user we observed in the earlier variant is no longer contained in the JAR file,” Lopera commented.
To protect systems against this latest QRAT variant, Lopera advises email administrators to block .JAR files at security gateways.
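Because the campaign wrapped the JAR inside an archive, a gateway filter that only looks at the outer attachment's extension would miss it. The following is an added example (not code from Trustwave or the report) of the check a mail gateway can apply: it walks every attachment of a message, recurses into zip archives, and reports JARs whether they are named .jar or identified structurally as a zip containing META-INF/MANIFEST.MF (so a JAR renamed to look like a video is still caught). The message, addresses and attachment contents are constructed in the block; only the subject line and JAR filename come from the report.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

MAX_DEPTH = 3                 # how deep to recurse into nested archives
MAX_MEMBER_SIZE = 50_000_000  # skip archive members larger than this (zip-bomb guard)


def is_jar(data: bytes) -> bool:
    """A JAR is a zip archive; treat any zip carrying META-INF/MANIFEST.MF as one."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "META-INF/MANIFEST.MF" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_jars(name: str, data: bytes, depth: int = 0) -> list:
    """Return [(path, reason)] for every JAR found in data, recursing into zip archives."""
    hits = []
    if name.lower().endswith(".jar") or is_jar(data):
        reason = "jar extension" if name.lower().endswith(".jar") else "zip with META-INF/MANIFEST.MF (renamed JAR)"
        hits.append((name, reason))
        return hits  # a JAR itself needs no further descent
    if depth < MAX_DEPTH and data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_MEMBER_SIZE:
                        continue
                    hits += find_jars(f"{name}/{info.filename}", zf.read(info), depth + 1)
        except zipfile.BadZipFile:
            pass
    return hits


def scan_message(raw: bytes) -> list:
    """Scan all attachments of an RFC 822 message; a non-empty result means block/quarantine."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        hits += find_jars(name, part.get_payload(decode=True) or b"")
    return hits


# --- constructed sample input (not a real malware sample) ---------------------

def build_jar(main_class: str = "Video") -> bytes:
    """Build a minimal zip laid out like a JAR; the .class member is placeholder bytes, not bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nMain-Class: {main_class}\n")
        zf.writestr(f"{main_class}.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)
    return buf.getvalue()


def build_sample_email() -> bytes:
    """A constructed message mirroring the report: a zip holding the JAR, plus a renamed JAR and a benign PDF."""
    jar = build_jar()
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("TRUMP_SEX_SCANDAL_VIDEO.jar", jar)
    msg = EmailMessage()
    msg["Subject"] = "GOOD LOAN OFFER!!"
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg.set_content("Please see the attached offer.")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="offer.zip")
    msg.add_attachment(jar, maintype="video", subtype="mp4", filename="clip.mp4")  # JAR disguised as video
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_message(build_sample_email()):
        print(f"BLOCK: {path} ({reason})")
```

The structural check matters more than the extension check: the extension is chosen by the sender, while the manifest path is what the Java runtime needs to run the file. A gateway policy built on this logic blocks on any hit, and the recursion depth and member-size limits keep a hostile archive from turning the scanner itself into a resource problem.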
“While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully would be higher if only the email were more sophisticated,” Lopera wrote.
“The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common.”