QNodeService Trojan spreads via fake COVID-19 tax relief

Pierluigi Paganini May 16, 2020

Experts spotted a new malware dubbed QNodeService that was involved in a Coronavirus-themed phishing campaign in which crooks promise victims COVID-19 tax relief.

Researchers uncovered a new malware dubbed QNodeService that was employed in a Coronavirus-themed phishing campaign. The operators behind the campaign use a COVID-19 lure promising victims tax relief.

The phishing messages use a Trojan sample associated with a file named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar.” Experts from MalwareHunterTeam noticed that the malicious code was only detected by ESET AV.

The QNodeService Trojan is written in Node.js and is delivered through a Java downloader embedded in the .jar file, Trend Micro warns. 

“Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.” reads the analysis published by Trend Micro.

“The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.”

QNodeService is able to perform a broad range of activities, such as downloading, uploading, and executing files, stealing credentials from Chrome and Firefox browsers, and performing file management. The malware can also steal system information including IP address and location, download additional malware payloads, and exfiltrate stolen data. The malware currently only targets Windows systems, but experts believe that developers are working to make it a cross-platform threat.

The Java downloader in the bait document is obfuscated via Allatori. It downloads the Node.js malware file (either “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”) and a file called “wizard.js.”

Either a 32-bit or 64-bit version of Node.js is dropped depending on the Windows system architecture of the target machine. 

The wizard.js file is an obfuscated JavaScript (Node.js) file used to achieve persistence by creating a “Run” registry key entry and to download another malicious payload.
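Defenders can review autorun entries for the artefacts named above. The following is an added example, not code from the Trend Micro report or this article: it parses `reg query`-style output and flags Run values that reference the reported file names or that launch any .js file through Node.js. The Run key path is the standard Windows location (the article only says a “Run” key), and the sample values and paths are constructed.

```python
import re

# File names are the ones reported in the article. The Run-key path is the
# standard Windows location (assumption: the article only says a "Run" key).
QNODE_FILES = {"qnodejs-win32-ia32.js", "qnodejs-win32-x64.js", "wizard.js"}
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
JS_NAME = re.compile(r'[^\\/"\s]+\.js\b', re.I)   # base names of .js files
NODE_BIN = re.compile(r'(^|[\\/"\s])node(\.exe)?(["\s]|$)', re.I)

def scan_run_keys(reg_query_output):
    """Return (key, value_name, reason) for suspicious autorun entries."""
    findings, key = [], None
    for line in reg_query_output.splitlines():
        if line.startswith("HKEY_"):
            # Only values under a ...\CurrentVersion\Run key are inspected.
            key = line.strip() if RUN_KEY.search(line.strip()) else None
            continue
        # Value lines look like: name <4+ spaces> type <4+ spaces> data
        parts = re.split(r"\s{4,}", line.strip(), maxsplit=2)
        if key is None or len(parts) != 3:
            continue
        name, _type, data = parts
        scripts = {s.lower() for s in JS_NAME.findall(data)}
        if scripts & QNODE_FILES:
            findings.append((key, name, "reported QNodeService file name"))
        elif scripts and NODE_BIN.search(data):
            # Node.js is rarely installed on desktops, so any script that
            # node starts at logon deserves a look.
            findings.append((key, name, "Node.js script launched at logon"))
    return findings

# Constructed sample in the format printed by `reg query`.
SAMPLE = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    demo-autorun    REG_SZ    "C:\Users\alice\example\node.exe" "C:\Users\alice\example\wizard.js"
    updater    REG_SZ    C:\Tools\node.exe C:\Tools\sync.js

HKEY_CURRENT_USER\Software\Example\Settings
    LastScript    REG_SZ    C:\Users\alice\example\wizard.js
'''

if __name__ == "__main__":
    for key, name, reason in scan_run_keys(SAMPLE):
        print(f"{key} :: {name} :: {reason}")
```

A match on “wizard.js” alone is a weak signal because the name is generic; confirm against the hashes in the Trend Micro IoC list before acting.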

One of the most interesting features implemented by the QNodeService malware is the support for an “http-forward” command, which allows attackers to download files without directly connecting to a victim’s PC.

“Of particular note is the http-forward command, which allows an attacker to download a file without directly connecting to the victim machine, as shown below in figures 13-16.” continues Trend Micro. “However, a valid request path and access token are required to access files on the machine. The C&C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.”

Trend Micro researchers included Indicators of Compromise (IoCs) in their report.

Unfortunately, Coronavirus-themed attacks continue to target individuals, businesses, and organizations worldwide.

At the end of March, experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware that focused on government relief payment.

Operators were spreading it in a spam campaign aimed at stealing victims’ financial information. The spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments.

Researchers revealed that the malware is receiving constant upgrades to improve its capabilities. 


Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)
