Researchers at Trustwave have released details of a new phishing campaign designed to infect victims with the Quaverse Remote Access Trojan (QRAT). The initial email uses a lure that promises the victim a loan with a good “return on investment,” but the malicious attachment is a Java Archive file named “TRUMP_SEX_SCANDAL_VIDEO.jar,” which is unrelated to a loan offer and contains no video. The researchers speculated that the attackers most likely change the attachment depending on what is trending in the news.

When the Java Archive (JAR) file is opened, an installer for QRAT runs and infects the victim’s computer. It sets up the Node.js platform and executes a second-stage downloader called “wizard.js,” which fetches and runs QRAT. Before the download begins, a pop-up warns the user that the software being installed can be used for remote access and penetration testing, yet many people still fall victim. The curiosity created by the promised video has been working in the threat actor’s favor, allowing them to keep infecting machines even though there are clear warning signs that it is a threat.

The malware uses several layers of obfuscation to evade detection. Its capabilities include stealing passwords, keylogging, browsing files, taking screenshots, and other functions that give the attackers access to sensitive information.
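The infection chain described above leaves two observable traces a defender can look for: a JAR attachment whose name or subject line promises something other than a Java program, and a Java process that installs or launches Node.js to run a second-stage script. The following detector is an added example, not code from Trustwave or Binary Defense; the mail-gateway and process-creation log formats, the file paths and the process names are constructed for the illustration, and the lure-word list is an assumption based on the lure names reported on the page.

```python
"""Flag the two QRAT-style indicators reported above in constructed telemetry.

1. Mail: an inbound .jar attachment whose name or subject reads like a lure
   (video, scandal, loan, investment) rather than a Java application.
2. Endpoint: a Java process spawning Node.js or an installer, which matches
   the JAR -> Node.js installer -> wizard.js second-stage chain.
Log formats, hostnames and paths below are constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed mail-gateway records (subject + attachment name).
MAIL_LOG = [
    'subject="Loan offer - great return on investment" attachment="TRUMP_SEX_SCANDAL_VIDEO.jar"',
    'subject="Q3 invoice" attachment="invoice_2021.pdf"',
    'subject="Build artifact" attachment="app-release.jar"',
]

# Constructed endpoint process-creation records (parent -> child + command line).
PROC_LOG = [
    'parent=javaw.exe child=node.exe cmdline="node.exe C:\\Users\\bob\\AppData\\Local\\Temp\\wizard.js"',
    'parent=explorer.exe child=node.exe cmdline="node.exe C:\\dev\\app\\server.js"',
    'parent=java.exe child=msiexec.exe cmdline="msiexec.exe /i node-runtime.msi /qn"',
]


@dataclass
class Alert:
    source: str   # "mail" or "process"
    reason: str   # human-readable explanation
    record: str   # the raw log line that triggered the alert


MAIL_RE = re.compile(r'subject="(?P<subject>[^"]*)" attachment="(?P<attach>[^"]*)"')
PROC_RE = re.compile(r'parent=(?P<parent>\S+) child=(?P<child>\S+) cmdline="(?P<cmd>[^"]*)"')

# Assumed lure vocabulary, drawn from the lure names in the report.
LURE_WORDS = ("video", "scandal", "loan", "invest")
# Java runtime executables we treat as suspicious parents for Node/installers.
JAVA_PARENTS = ("java.exe", "javaw.exe")
SUSPICIOUS_CHILDREN = ("node.exe", "msiexec.exe")


def check_mail(line: str) -> Optional[Alert]:
    """Alert on .jar attachments whose subject or filename reads like a lure."""
    m = MAIL_RE.search(line)
    if not m:
        return None
    attach = m["attach"].lower()
    if not attach.endswith(".jar"):
        return None
    text = f'{m["subject"]} {attach}'.lower()
    if any(word in text for word in LURE_WORDS):
        return Alert("mail", "JAR attachment with a lure-style name or subject", line)
    return None


def check_process(line: str) -> Optional[Alert]:
    """Alert when a Java process launches Node.js or an installer."""
    m = PROC_RE.search(line)
    if not m:
        return None
    parent, child = m["parent"].lower(), m["child"].lower()
    if parent in JAVA_PARENTS and child in SUSPICIOUS_CHILDREN:
        return Alert("process", f"{parent} spawned {child} (JAR -> Node.js stage)", line)
    return None


def scan(mail_lines: List[str], proc_lines: List[str]) -> List[Alert]:
    """Run both checks over the supplied telemetry and collect alerts."""
    alerts = [a for a in map(check_mail, mail_lines) if a]
    alerts += [a for a in map(check_process, proc_lines) if a]
    return alerts


if __name__ == "__main__":
    for alert in scan(MAIL_LOG, PROC_LOG):
        print(f"[{alert.source}] {alert.reason}: {alert.record}")
```

The mail check deliberately leaves the legitimate `app-release.jar` alone: the signal is the mismatch between a Java archive and a subject or filename that promises a video or a loan, not the .jar extension on its own. The process check keys on the parent being a Java runtime, since a user starting Node.js from a shell or IDE is normal while a JAR spawning it is the chain the report describes.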
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense