Researchers at Trustwave security have released the details of a new phishing campaign that is designed to infect victims with the Quaverse Remote Access Trojan (QRAT). The initial email uses a lure that promises the victim a loan that has a good “return on investment,” but the malicious attachment in the email is a Java Archive file named “TRUMP_SEX_SCANDAL_VIDEO.jar,” completely unrelated to a loan offer, and which does not contain any video. Researchers speculated that the attackers most likely change the malicious attachment depending on what is trending in the news. When the Java Archive (JAR) file is opened, an installer for QRAT will run and infect the victim computer. An installer for Node.js platform is set up and executes a second stage downloader called “wizard.js” that fetches and runs QRAT. However, before the download begins, a pop-up appears that warns the user that installing this can be used for remote access and penetration testing, yet many people are still falling victim. Apparently, the curiosity that people have with the promised video has been working in the threat actor’s favor allowing them to continue to infect machines even when there are clear warning signs that it is a threat. The malware uses several layers of obfuscation to try and evade being detected as malicious. The malware capabilities include stealing passwords, keylogging, file browsing, taking screenshots, and more that includes allowing the attackers to access sensitive information.
Analyst Notes
The attachment payload has improvements over previous campaigns that have been designed to deliver QRAT. Researchers warn that if the email lure becomes better, or the attachment begins to relate to the subject of the email, the campaign could become far more effective. The use of JAR file spamming is a common technique to deliver RATs. Email administrators should look at their company and decide if JAR files are a valid need within the company and look at the possibility of blocking them from inbound traffic. Educate employees so they can identify suspicious email messages. Ensure employees know not to give personal information or information about your organization over email and not to open attachments from unknown senders. Additionally, Binary Defense recommends investing in a 24/7 SOC solution like Binary Defense’s own Security Operations Task Force so that a team of analysts can monitor for threats like these and more, 24/7.
More can be read here: https://www.zdnet.com/article/this-new-phishing-attack-uses-an-odd-lure-to-deliver-windows-trojan-malware/
