This new, unusual Trojan promises victims COVID-19 tax relief

QNodeService’s codebase may have helped it avoid detection by traditional antivirus solutions.
Written by Charlie Osborne, Contributing Writer

A new Trojan malware sample has appeared on the radar of cybersecurity researchers following evidence it may be being used in coronavirus-related phishing schemes. 

First noticed by MalwareHunterTeam, the Trojan sample was connected to a file, "Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar," and was only detected at first by ESET's antivirus engine. 

Dubbed QNodeService, the Trojan lands on systems through a Java downloader embedded in the .jar file, Trend Micro researchers said on Thursday

The malware is unusual as it is written in Node.js, a language primarily reserved for web server development.

"However, the use of an uncommon platform may have helped evade detection by antivirus software," the team notes.

The Java downloader, obfuscated via Allatori in the lure document, grabs the Node.js malware file -- either "qnodejs-win32-ia32.js" or "qnodejs-win32-x64.js" -- alongside a file called "wizard.js." 

Either a 32-bit or 64-bit version of Node.js is downloaded depending on the Windows system architecture on the target machine. 

Wizard.js' job is to facilitate communication between QNodeService and its command-and-control (C2) server, as well as to maintain persistence through the creation of Run registry keys.  

After executing on an impacted system, QNodeService is able to download, upload, and execute files; harvest credentials from the Google Chrome and Mozilla Firefox browsers, and perform file management. 

CNET: US accuses China of trying to hack coronavirus vaccine research

In addition, the Trojan can steal system information including IP address and location, download additional malware payloads, and transfer stolen data to the C2. 

These functions are typical of many Trojan variants, but there is an interesting function -- the "http-forward" command -- which allows attackers to download files without directly connecting to a victim's PC. 

"A valid request path and access token are required to access files on the machine," Trend Micro says. "The C2 server must first send "file-manager/forward-access" to generate the URL and access token to use for the http-forward command later."

Trend Micro says that the malware is focused on Windows machines but there are indicators in the code that "cross-platform compatibility may be a future goal."

TechRepublic: Phishing campaign exploits Symantec URL Protection to cover its tracks

Earlier this month, IBM Security researchers documented changes noticed in the Zeus Sphinx banking Trojan due to its integration with new COVID-19 phishing campaigns. 

The Trojan has been relatively dormant for years, but now, Zeus Sphinx is receiving frequent upgrades, including C2 and encryption changes. 

The malware has been spotted in fraudulent campaigns that promise victims coronavirus relief payments and assistance. 

Cybersecurity reads for every hacker's bookshelf

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards