The QNode RAT is a Remote Access Trojan that can give remote attackers access to the system for malicious purposes. Its features include performing standard file operations like renaming or moving files and stealing credentials from browsers and e-mail clients. Users should monitor incoming e-mails for scams and let their security services remove the QNode RAT and related components (such as QRat-based Trojan downloaders).
Mismatched Tactics for Trojan Deliverymen
Although most tactics include lead-in themes that fool users into endangering their PCs and other devices, some aren't content with just one. A recent series of attacks is taking advantage of political news in the United States to deliver a Remote Access Trojan, the QNode RAT. What's unusual about the template is that the attachment and the subject and body don't match, a clear re-purposing of an old template to new ends.
The attack starts with the old story of an e-mail carrying an attached file. In grammatically questionable English, the message states that the reader qualifies for financial assistance, with loans of up to a hundred million USD. The attached file, a JAR (Java Archive), has a totally unrelated name: one that references a supposed sex scandal involving Donald Trump. The retrofitting of the spam to this new angle might be due to the contentious political upheaval in the US surrounding the presidential election.
However, malware experts note that the Trojan downloader structure that eventually installs the QNode RAT is familiar. There are substantial improvements to the obfuscation that hides the threats from security solutions, such as removing identity-related strings and breaking the payload apart into multiple files. Even so, the Trojan downloader is a variant of older ones from QRat campaigns. The same handful of Turkish criminals is also responsible for the Qarallax and Quaverse Remote Access Trojans.
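The mismatch between the lure text and the attachment name is itself a detectable tell. The following mail-triage routine is an added example, not code from the article or from any vendor: it parses a message, flags Java-archive attachments and reports when the themes found in the subject/body and in the attachment filename disagree. The theme keyword lists, the extension list beyond .jar and the sample message are constructed assumptions for illustration.

```python
"""Triage for the re-purposed lure described above: a financial-assistance
message whose attachment is a Java archive with an unrelated, topical name.
Added example; keyword lists and the sample message are constructed."""
import email
from email import policy
from email.message import EmailMessage

# Lure themes taken from the campaign description; extend per environment (assumption).
THEMES = {
    "financial": ("loan", "financial assistance", "funding", "grant"),
    "political": ("trump", "scandal", "election"),
}
# The article names only JAR; the other extensions are an assumption.
RISKY_EXTENSIONS = (".jar", ".js", ".vbs", ".exe")

def theme_of(text: str) -> set:
    """Return the set of lure themes whose keywords appear in text."""
    lower = text.lower()
    return {name for name, words in THEMES.items() if any(w in lower for w in words)}

def triage(raw_eml: bytes) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    findings = []
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    body_theme = theme_of((msg.get("Subject") or "") + " " + body)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment: {name}")
        att_theme = theme_of(name)
        # The tell: lure text and attachment name sell different stories,
        # which is what a re-purposed spam template looks like.
        if att_theme and body_theme and not (att_theme & body_theme):
            findings.append(f"lure mismatch: body {sorted(body_theme)} vs attachment {sorted(att_theme)}")
    return findings

def sample_message() -> bytes:
    """Constructed message modelled on the campaign described above."""
    msg = EmailMessage()
    msg["From"] = "grants@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "You qualify for financial assistance"
    msg.set_content("Congratulation, you are qualify for loan up to 100 million USD. See attach.")
    msg.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                       subtype="java-archive", filename="Trump_scandal_video.jar")
    return msg.as_bytes()
```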
What Opening the Door to Criminal Code Does for a PC
The QNode RAT's download and initialization include the unusual choice of a visible pop-up GUI that alerts the user to the software's nature as a remote access utility, supposedly for 'penetration tests.' Since this blows the Trojan's cover right away, users aren't likely to be caught off guard by infections in the scam's current state, despite the deceptive topics. Those who ignore the warning may experience the full effects of the QNode RAT's payload, such as:
- Theft of passwords from browsers (Firefox, Chrome) and e-mail clients (Thunderbird, Outlook)
- Letting attackers perform various file operations (renaming, deleting, etc.)
- Theft of system information that the attackers could abuse for further attempts (such as dropping a Trojan that's compatible with the OS version)
The QNode RAT is a Windows-only threat. Since its e-mails are amateurish, most users who read the contents will stand a reasonable chance of catching the scam before the infection chain starts. Of course, all users can leverage their security solutions for removing the QNode RAT and the Trojan downloaders that enabled its presence in the first place.
A better-thought-out template for the QNode RAT's installation scam could result in far more victims than the current, rushed implementation. Even this, though, shows that criminals will jump on opportunities for scams according to the winds of news media – and the QNode RAT is far from the first time that the name 'Trump' has become a theme for Black Hat software.