A Trump Sex Video? No, It's a RAT!

While reviewing our spam traps, a particular campaign piqued our interest primarily because the attachment to the email does not coincide with the theme of the email body. When we investigated further, we discovered that its attachment is a variant of the QRAT downloader we blogged about last August.

The Mailspam

The email, with the Subject “GOOD LOAN OFFER!!”, at first glance, looks like a usual investment scam. No obfuscation in the email headers or body is found. Interestingly, attached to the email is an archive containing a Java Archive (JAR) file called “TRUMP_SEX_SCANDAL_VIDEO.jar”. We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email’s theme.

Figure 1: The malspam

The Qrat Downloader Variant

The JAR file “TRUMP_SEX_SCANDAL_VIDEO.jar”, dubbed as “QNODE DOWNLOADER”, has the same purpose as the Node.Js QRAT downloaders we previously analyzed – to install into the infiltrated system the Qnode RAT. Other similarities with the older variants are as follows:

• the JAR file is obfuscated using Allatori Obfuscator;
• the installer of Node.Js is retrieved from the official website nodejs.org; and,
• this downloader still supports Windows platforms only.

Figure 2: The QNODE DOWNLOADER

We decided to examine the notable new features and changes of this variant, and the rest of the blog will tackle these variations. We recommend you read our earlier blog in conjunction with this one.

First, this JAR sample is significantly larger than the older samples we examined. Aside from the classes the same file name and length but with different cases, this JAR file also has data streams with just numbers in the filename. The malicious code of this downloader is split up among these numbered files, along with some junk data that were added to them.

Figure 3: The JAR attachment classes viewed using the tools Java Decompiler and Hiew

Second, a GUI and a supposed Microsoft ISC License are added into the JAR’s code. Upon the execution of the file “TRUMP_SEX_SCANDAL_VIDEO.jar”, a copy of it is created and then executed from the %temp% folder. Then, a GUI informing the victim that the malicious JAR file is a remote access software used for penetration testing is launched. The malicious behaviors of this sample start to manifest once the button “Ok, I know what I am doing.” is clicked. This pop-up is a little odd and is perhaps an attempt to make the application look legitimate, or deflect responsibility from the original software authors.

Figure 4: The pop-up User Interface and its code snippet

 

Figure 5: The ISC License named owner is Microsoft

Third, the string “qnodejs“ which previously identified the files associated with this threat, is not in this variant. The folder name and the file names within this JAR file no longer contains this string. The Node.Js installation folder is still at %userprofile%, however, the folder is not prepended with “qnodejs-“ anymore. Also, in contrast to our first blog, this JAR saves its downloaded files at a QHub folder %temp%\_qhub_node_{random string} instead of at a folder named “qnodejs“ under the path of the installed Node.Js.

Figure 6: The code comparison of the installation of Node.Js platform from the first blog

Fourth, when downloading next stage malware, only the argument “--hub-domain” is required when communicating to the command-and-control servers (C&Cs). After setting up the Node.Js platform, a Node.Js process is created to download the next malware in the infection chain. The argument “--hub-domain” along with the C&Cs is the only data supplied to the process. The information about the QHub service subscription user we observed in the earlier variant is no longer contained in the JAR file.

Figure 7: The Node.Js process when initially contacting the C&Cs

Lastly, the JAR file downloads a file named “boot.js” and saves it at %temp%\_qhub_node_{random}. Unfortunately, we were not able to replicate this part of the infection chain.

Figure 8: The code snippet of the installation of second-stage malware

To get an idea of what the downloaded file “boot.js” might be, we looked in VirusTotal for a similar file with the same filename, tagged as text, and file size at least 10MB, and we were able to find this sample. It appears that with this variant, the malware chain has been shortened. The second-stage downloader has been removed and that the jar file immediately downloads the payload “boot.js”, which is the Node.Js QRAT.

Figure 9: The boot.js sample from VirusTotal

We checked the file “boot.js” for the characteristics and activities it will perform which are similar to the payload ‘qnodejs-win32-ia32.js SHA1: 31F541074C73D02218584DF6C8292B80E6C1FF7D’ from our first blog and below are our findings:

• Code is encrypted with base64
• Modules are obfuscated
• Obtains network information from the service hxxps://wtfismyip[.]com
• Password-recovery functionality supports the same applications Chrome, Firefox, Thunderbird, and Outlook

With regards to the persistence, which was the task of the second stage downloader “wizard.js” in previous samples, the payload “boot.js” now accomplishes this. A VBS script %userprofile%\qhub\node\2.0.10\boot.vbs which launches the payload is created and then set to run at the typical registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

The commands that this variant of QRAT supports are simpler than previous versions, as shown below.

Figure 10: The code snippet of the commands this version of QRAT accepts

Summary

This threat has been significantly enhanced over the past few months since we first examined it. To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behavior were improved.

• To increase the chances of this threat being executed by the email recipient, the attachment name was based on a prominent figure, and a GUI indicating that the malicious JAR is a tool used in penetration testing.
• To evade detection, the malicious code of the downloader was split-up into different buffers inside the JAR. Also, the string “qnodejs” which can distinguish the files related to this threat was not used anymore.
• To challenge the existing remediations of this threat, the names of the other files it created and downloaded were changed and they are put into different locations, not inside the Node.Js installation folder.
• To deliver the final payload into the system, the infection chain was modified – the JAR directly downloads the payload.

While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated. The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common. Email administrators should be looking to take a hard line against inbound JARs and block them in their email security gateways.

IOCs

Files:
TRUMP_SEX_SCANDAL_VIDEO.jar (61762 bytes) SHA1: B12542229561341F028D09D3B864F9732B431891
boot.js (13293765 bytes) SHA1: 7bf154c9ddf3a71abf15906cdb60773e8ae07b62

URLs:
gatherlozx[.]hopto[.]org