Rewterz Threat Alert – QNodeService RAT Distributed in COVID19 Campaign, Spoofs Reuters News Network

October 8, 2020

Severity

High

Analysis Summary

Fake emails have been detected pretending to come from “Reuters News Network”, which is a well known news organization company, using the #COVID19 infection of Donald Trump as a lure to distribute QNodeService RAT. Message body of these phishing emails is in English as well as Arabic. The email claims to break a news from America, about Donald Trump’s health, as the email subject suggests. It has an attachment which is supposed to be a video which in fact is a zip file. The malware has also been used in a Covid-19-themed phishing campaign earlier. Running the file attached in the email led to the download of a new, malware sample written in Node.js; this trojan is dubbed as “QNodeService”.The malware has functionality that enables it to download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows systems, but its design and certain pieces of code suggest cross-platform compatibility may be a future goal.

Impact

Credential Theft
Data Exfiltration
Code Execution
Unauthorized Remote Access

Indicators of Compromise

Domain Name

piolozxx[.]ddns[.]net

Email Subject

USA President Donald Trump health is very serious!!!! We have the evidence here

From Email

sales@autosellerbulknews[.]life

MD5

c4ceec1bf73783dcb2ee150b771e23a4
4589aa06add25d572381c35103b1df8c
7125eea628cb4e5c1fb434438a4078d5

SHA-256

bdc561ae53aa52900af298a57b5e2f920f9cdf74bccf674735dbab318499c2d0
5fb3a9eac63a469c8d640cea485939caaebeabe6b56586344941f3329bdea265
ccc9d33299c1e6c358f925183ec60168764b34b2f824fba218ba41c89b5efc85

SHA1

20a9f2f207bbb388076383a0ed2c5205ae299433
19a6edd5aa7cd9a1b75543cfade939601dd3a59b
42bdf99bde24425de761a6b4313e89cfc7cb8320

URL

http[:]//piolozxx[.]ddns[.]net/

Remediation

Block the threat indicators at their respective controls.
Do not download files attached in untrusted emails.