
QNodeService

By GoldSparrow in Trojans

Numerous cyber crooks are using the Coronavirus pandemic to make cash off the backs of innocent users. Recently, cybersecurity experts spotted a new COVID-19-themed email campaign that delivers a corrupted Java file to its targets.

Malware developers usually rely on a specific set of programming languages and rarely stray from it. Sometimes, however, they experiment with alternatives, and this is one of those exceptions: the crooks behind this project have opted to use Node.js to create their malware. Node.js is a JavaScript-based framework typically used for websites and Web services, but the crooks behind QNodeService have decided to use it with evil intentions. If the targeted system does not have the Node.js framework installed, however, the attack will not succeed. This means that the attackers have to pick their targets very carefully to ensure that the campaign is carried out successfully.

It is likely that the cyber crooks responsible for QNodeService are targeting the employees of large companies. The phishing email the targeted employee receives contains a corrupted attachment named ‘Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar.’ Evidently, the attackers are trying to trick the user into opening the corrupted attachment by disguising it as a potential government fund distributed because of the ongoing Coronavirus pandemic.

When the QNodeService threat compromises a system that matches its criteria, it gains persistence by modifying the Windows Registry. Next, QNodeService connects to the attackers' C&C (Command & Control) server and sends it a message. This message appeared rather unusual, as it contained a user ID and a string reading ‘subscription.’ This leads malware analysts to believe that QNodeService may be rented out to other hackers who are willing to pay to use it for their own nefarious ends. QNodeService is able to receive various commands from its authors' C&C server. This threat is able to:

  • Collect files from the compromised host.
  • Browse and execute files.
  • Gather data regarding the host, such as computer name, username, hardware, and software data, as well as the system’s IP address.
  • Download and plant additional files from the C&C server.
  • Collect passwords from the Mozilla Firefox and Google Chrome Web browsers.
  • Update itself with the help of the C&C server.
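A defender-side check for the persistence behaviour described above, added here as an example and not taken from the original report or from the malware itself. The report does not name the Registry value QNodeService writes, so the check is generic: it audits Run-key entries (constructed sample data below, not indicators from the report) for script hosts such as node.exe or javaw.exe started from user-writable paths with a .js or .jar payload.

```python
import re

# Constructed sample of autorun entries in the shape a Run-key audit produces.
# These are NOT indicators from the QNodeService report: the page does not name
# the registry value the trojan writes, so the check below is generic.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svc_update",
     r'"C:\Users\alice\AppData\Roaming\node\node.exe" "C:\Users\alice\AppData\Roaming\node\boot.js"'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"C:\Windows\System32\SecurityHealthSystray.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "TaxRelief",
     r'javaw.exe -jar "C:\Users\alice\Downloads\Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar"'),
]

# Script hosts that a legitimate autorun entry rarely needs to start directly.
SCRIPT_HOSTS = {"node.exe", "node", "java.exe", "javaw.exe", "wscript.exe", "cscript.exe"}
# Directories an ordinary user can write to; a runtime living there is a red flag.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads)\\", re.IGNORECASE)

def executable_name(command):
    """Return the lower-cased basename of the program an autorun command starts."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    exe = (m.group(1) or m.group(2)) if m else ""
    return exe.rsplit("\\", 1)[-1].lower()

def classify_autorun(command):
    """Return the reasons an entry looks like script-based persistence, or []."""
    reasons = []
    exe = executable_name(command)
    if exe in SCRIPT_HOSTS:
        reasons.append(f"launches script host {exe}")
    if USER_WRITABLE.search(command):
        reasons.append("references a user-writable directory")
    if re.search(r"\.(jar|js)\b", command, re.IGNORECASE):
        reasons.append("passes a .jar/.js payload to the host")
    return reasons

def find_suspicious_autoruns(entries):
    """Return {value_name: reasons} for every entry that raised at least one reason."""
    hits = {}
    for _key, name, command in entries:
        reasons = classify_autorun(command)
        if reasons:
            hits[name] = reasons
    return hits
```

On a real host the entries would come from a Run-key export rather than the constructed list; entries that raise two or more reasons are the ones worth a closer look.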

Do not forget that it is crucial to protect your system with a trustworthy anti-virus application. Also, make sure to update all your software regularly, as this would make you less vulnerable to a cyber-attack.
