Covid-19 phishing campaigns are on the rise as criminals take advantage of the pandemic. The newest payload is a Node.js Trojan known as QNodeService. According to the available information it has a very low detection rate and is downloaded by a Java file.
Previously Undetected QNodeService Node.js Trojan Delivered Via Covid-19 Phishing Messages
A new Node.js Trojan has been detected in a phishing campaign and is characterized as a threat with a very low detection rate. The campaign uses fake Tax Relief email notifications that carry an attachment in the .jar format (a Java package format). The message aims to convince victims that they are receiving important documents and must open them. When opened, this Java file leads to the QNodeService Trojan infection.
Compared with other malware of this category, the choice of Node.js as the programming language is a non-standard option. One of the reasons it was chosen is that it can be interpreted by all modern web browsers, which makes it cross-platform. Additionally, as it is delivered via a Java payload dropper, it may evade some anti-virus checks.
As soon as the Java file is triggered it performs some preliminary system checks before deploying the malware. It checks the system architecture and downloads the matching version of the virus from a remote hacker-controlled site; both 32-bit and 64-bit platforms are supported. It also downloads an auxiliary file that is used to establish the connection to the hacker-controlled server.
QNodeService Trojan Operation: How The Malware Works
The actual QNodeService Trojan infection begins by establishing persistence: it adds an entry for itself in the Windows Registry and delivers another payload. The hackers wrote the malware to be extensible: the Node.js code allows it to run on various platforms and to load other modules, which may be used in future attacks.
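Defenders can triage autostart entries for exactly this pattern. The following Python script is an added example, not code from the article or from the analysis it reports; it assumes (the page does not say) that the Registry entry launches a node.exe binary stored under the user's profile directory, and the Run-key entries it inspects are constructed samples rather than real registry data.

```python
"""Triage Windows autostart (Run-key) entries for Node.js-based persistence.

Added illustration; not code from the article or from the analysis it reports.
Assumptions not stated on the page: the persistence entry launches a Node.js
binary (node.exe) and the binary and its script live under the user profile
directory. The entries below are constructed samples, not real registry data;
on a live host they would be read from ...\\CurrentVersion\\Run with winreg.
"""
import ntpath
import re
import shlex

# Constructed sample entries: (value name, command line).
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("NodeHelper", r'"C:\Users\alice\AppData\Roaming\nodehelper\node.exe" '
                   r'"C:\Users\alice\AppData\Roaming\nodehelper\boot.js"'),
    ("Updater", r'C:\Users\bob\AppData\Local\Temp\node.exe C:\Users\bob\AppData\Local\Temp\app.js'),
    ("Teams", r'"C:\Users\alice\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"'),
]

# Paths under a per-user profile are writable by that user without elevation
# (assumes the default C:\Users\<name>\ layout).
USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def _tokens(cmd):
    """Split a Windows command line on whitespace, honouring quotes, then strip them."""
    return [t.strip('"') for t in shlex.split(cmd, posix=False)]


def flag_node_persistence(entries):
    """Return the autostart entries that launch a Node.js runtime, with reasons."""
    findings = []
    for name, cmd in entries:
        tokens = _tokens(cmd)
        if not tokens:
            continue
        exe = tokens[0]
        if ntpath.basename(exe).lower() not in ("node", "node.exe"):
            continue
        reasons = ["launches a Node.js runtime at logon"]
        if USER_PROFILE.match(exe):
            reasons.append("node binary is stored under a user profile directory")
        for script in (t for t in tokens[1:] if t.lower().endswith(".js")):
            if USER_PROFILE.match(script):
                reasons.append(f"script {script} is in a user-writable location")
        findings.append({"name": name, "command": cmd, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_node_persistence(SAMPLE_RUN_ENTRIES):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

A legitimate Node.js install under Program Files is still reported, but with only the first reason, so the reason count is what separates it from a profile-resident runtime.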
The full list of supported commands includes the following:
re-downloading the malware, removing Windows Registry values, gathering network address information, returning a label, generating a unique signature, retrieving architecture and platform information, downloading the user profile directory, retrieving the full path for a given file, executing commands, removing files, executing HTTP forward access commands, listing files, creating directories, uploading files and listing passwords.
A further update issued by the hackers also added the ability to add tags. A distinctive feature of this QNodeService Node.js Trojan is that it can use the HTTP forward option to download various files without making a direct connection. As this type of virus is created with the intention of infecting as many users as possible and is designed to run on popular operating systems, we expect further updates to be issued. Node.js code can run even on mobile devices such as smartphones and tablets. Other common phishing tactics can also be used to distribute it.