Threat Watch

Fake US Treasury Emails Spread QNodeService Malware

A new spam campaign, discovered by MalwareHunterTeam and reported to Abuse.ch, falsely claims that payment for a government contract could not be completed because of incorrect banking information. The email asks the recipient to check an attached document for accuracy and warns that, if they do not, the proposed payment will instead be sent to coronavirus disaster relief funds. The attachment is an archive named "contract payment.zip" that contains a file named "Contract Payment.jar." If the recipient runs this Java Archive (JAR) file, it downloads a new piece of malware named QNodeService, along with a script called wizard.js, and stores them in a folder on the infected system. QNodeService is a remote access trojan (RAT) that also steals passwords; it is notable for being built on the legitimate and widely used Node.js runtime. According to a report by Trend Micro, once installed it gives the attacker full control over the victim's computer and the ability to steal the data stored on it.

ANALYST NOTES

Email is one of the most common delivery channels for threats like this one. Once a system is infected, users should assume that their login credentials are compromised and change their passwords immediately, preferably from a device that is known to be clean. Because a remote access trojan gives the attacker a foothold from which to reach other systems on the network, network administrators should routinely audit their networks for signs of infection. The most reliable way to detect compromised computers is continuous monitoring of workstations and servers, whether by dedicated internal security staff or by a managed security service such as the Binary Defense Security Operations Center (SOC). A SOC can watch a company's endpoints for attacker behaviors 24 hours a day and detect intrusions, whether the attacker uses malware or logs in remotely with stolen credentials, before they have a chance to do any damage.
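As an added example (not code from the article, Binary Defense or Trend Micro), the following Python models the kind of endpoint check a SOC analyst could write for the delivery chain described above: Java launching a .jar from a user-writable path, a Java process spawning node.exe, and a Node.js binary running a .js file from under the user's profile. The event format, every file path, and the folder under the user's profile are assumptions; the sample events are constructed, not captured telemetry.

```python
"""Toy process-creation detection for the QNodeService delivery chain.

Added example, not code from the article, Binary Defense or Trend Micro.
Assumptions: process-creation events arrive as dictionaries with "id",
"parent_image", "image" and "command_line" fields (Sysmon Event ID 1 carries
the equivalent data); the dropped folder under the user's profile and every
path below are constructed for illustration.
"""
import re

# Locations a normal user can write to and from which an opened attachment or
# a dropped payload would typically run. Assumed heuristic, not from the article.
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+|Temp|Downloads|AppData)\\", re.IGNORECASE)

JAVA = ("java.exe", "javaw.exe")

# Constructed sample events (no real telemetry). Events 2 and 3 model the
# chain described above: the JAR attachment is launched from a temp folder,
# then Java starts node.exe on wizard.js from a folder under the user's profile.
SAMPLE_EVENTS = [
    {"id": "1", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
    {"id": "2", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "command_line": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar '
                     r'"C:\Users\alice\AppData\Local\Temp\contract payment\Contract Payment.jar"'},
    {"id": "3", "parent_image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "image": r"C:\Users\alice\AppData\Roaming\nodejs\node.exe",
     "command_line": r'"C:\Users\alice\AppData\Roaming\nodejs\node.exe" '
                     r'"C:\Users\alice\AppData\Roaming\nodejs\wizard.js"'},
    {"id": "4", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Java\jdk\bin\java.exe",
     "command_line": r'"C:\Program Files\Java\jdk\bin\java.exe" -jar "C:\Program Files\Acme\build-tool.jar"'},
    {"id": "5", "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "command_line": r'"C:\Program Files\nodejs\node.exe" "C:\Users\bob\projects\app\server.js"'},
]


def classify(event):
    """Return the list of rule names that fire on one process-creation event."""
    image = event["image"].lower()
    parent = event["parent_image"].lower()
    cmd = event["command_line"]
    findings = []
    # Stage 1: Java launching a .jar that lives in a user-writable location,
    # i.e. an attachment opened from the mail client or an extracted zip.
    if image.endswith(JAVA) and ".jar" in cmd.lower() and USER_WRITABLE.search(cmd):
        findings.append("java-jar-from-user-path")
    # Stage 2: a Java process spawning node.exe. Legitimate build tools do this
    # rarely; a JAR dropper that has just fetched a Node.js runtime does it every time.
    if parent.endswith(JAVA) and image.endswith("node.exe"):
        findings.append("java-spawns-node")
    # Stage 3: the node.exe binary itself sitting under the user's profile and
    # running a .js file. A developer's node in Program Files running a script
    # from a project folder (event 5) does not match: the binary's location,
    # not the script's, is the signal.
    if (image.endswith("node.exe") and USER_WRITABLE.search(event["image"])
            and re.search(r"\.js\b", cmd, re.IGNORECASE)):
        findings.append("node-from-user-path")
    return findings


def scan(events):
    """Map event id -> findings, so a caller can alert on any non-empty entry."""
    return {e["id"]: classify(e) for e in events}


if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(event_id, hits or "-")
```

In production the same three conditions would be expressed as EDR or Sysmon rules rather than a script, and the path heuristic will occasionally fire on legitimate developer activity (a Java build tool invoking Node.js, for example), so tune the user-writable path list to the environment before alerting on a single stage; stages 2 and 3 firing together on one host is the stronger signal.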

To read more: https://www.bleepingcomputer.com/news/security/fake-us-dept-of-treasury-emails-spreads-new-nodejs-malware/