Rewterz Threat Alert – ‘Bahamut’ Threat Group Attacks Targets in the Middle East and South Asia
October 8, 2020Rewterz Threat Alert – WordPress Flaw to Leverage Zerologon Vulnerability; Attacks on Domain Controllers
October 8, 2020Rewterz Threat Alert – ‘Bahamut’ Threat Group Attacks Targets in the Middle East and South Asia
October 8, 2020Rewterz Threat Alert – WordPress Flaw to Leverage Zerologon Vulnerability; Attacks on Domain Controllers
October 8, 2020Severity
High
Analysis Summary
Fake emails have been detected pretending to come from “Reuters News Network”, which is a well known news organization company, using the #COVID19 infection of Donald Trump as a lure to distribute QNodeService RAT. Message body of these phishing emails is in English as well as Arabic. The email claims to break a news from America, about Donald Trump’s health, as the email subject suggests. It has an attachment which is supposed to be a video which in fact is a zip file. The malware has also been used in a Covid-19-themed phishing campaign earlier. Running the file attached in the email led to the download of a new, malware sample written in Node.js; this trojan is dubbed as “QNodeService”.The malware has functionality that enables it to download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows systems, but its design and certain pieces of code suggest cross-platform compatibility may be a future goal.
Impact
- Credential Theft
- Data Exfiltration
- Code Execution
- Unauthorized Remote Access
Indicators of Compromise
Domain Name
piolozxx[.]ddns[.]net
Email Subject
USA President Donald Trump health is very serious!!!! We have the evidence here
From Email
sales@autosellerbulknews[.]life
MD5
- c4ceec1bf73783dcb2ee150b771e23a4
- 4589aa06add25d572381c35103b1df8c
- 7125eea628cb4e5c1fb434438a4078d5
SHA-256
- bdc561ae53aa52900af298a57b5e2f920f9cdf74bccf674735dbab318499c2d0
- 5fb3a9eac63a469c8d640cea485939caaebeabe6b56586344941f3329bdea265
- ccc9d33299c1e6c358f925183ec60168764b34b2f824fba218ba41c89b5efc85
SHA1
- 20a9f2f207bbb388076383a0ed2c5205ae299433
- 19a6edd5aa7cd9a1b75543cfade939601dd3a59b
- 42bdf99bde24425de761a6b4313e89cfc7cb8320
URL
http[:]//piolozxx[.]ddns[.]net/
Remediation
- Block the threat indicators at their respective controls.
- Do not download files attached in untrusted emails.