COVID-19 Lure Used to Spread Node.js Trojan

A recently discovered Java downloader with a low detection rate is suspected to be linked to COVID-19-related phishing attacks.

What is happening

The Java downloader is named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”. The name suggests that it may have been used in phishing attacks with COVID-19 as the lure. Running the file resulted in the download of a new, undetected malware sample written in Node.js. This trojan has been named “QNodeService.”

The situation

  • Node.js is mainly designed for web server development and is highly unlikely to be pre-installed on machines.
  • It is suspected that the use of this uncommon platform has enabled the trojan to evade detection.
  • The malware’s functions include downloading, uploading, and executing files; stealing credentials from browsers; and performing file management, among others.

What the experts are saying

  • As per Trend Micro, “A valid request path and access token are required to access files on the machine.”
  • Although the malware currently focuses on Windows machines, the code indicates that “cross-platform compatibility may be a future goal.”

What you can do

Block malware from getting through potential entryways, such as email, networks, and endpoints.
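The point made above, that Node.js is rarely pre-installed, can be turned into an endpoint check. The following is an added example, not code from the original report or from Trend Micro: it triages process-creation events and flags a Node.js runtime that was started by Java, runs from a user-writable path, or appears on a host outside an inventory. The events are constructed samples using Sysmon Event ID 1 field names, and the host names, paths, and inventory set are assumptions.

```python
import ntpath

NODE_NAMES = {"node.exe", "node"}
JAVA_NAMES = {"java.exe", "javaw.exe", "java"}
# Assumption: inventory of hosts where a Node.js runtime is expected.
NODE_EXPECTED_HOSTS = {"dev-build-01"}
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "/tmp/", "/home/")

# Constructed process-creation events (hosts and paths are placeholders).
EVENTS = [
    {"Host": "dev-build-01", "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Host": "fin-laptop-07", "Image": r"C:\Users\alice\AppData\Local\Temp\rt\node.exe",
     "ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe"},
    {"Host": "hr-desktop-03", "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Host": "fin-laptop-07", "Image": r"C:\Program Files\Office\winword.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def _name(path):
    # ntpath splits on both "\" and "/", so Windows and POSIX paths work.
    return ntpath.basename(path).lower()

def assess(event):
    """Return (severity, reasons) for a suspicious Node.js launch, else None."""
    if _name(event["Image"]) not in NODE_NAMES:
        return None
    reasons = []
    if _name(event["ParentImage"]) in JAVA_NAMES:
        reasons.append("node runtime started by a Java process")
    if any(m in event["Image"].lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("node runtime located in a user-writable path")
    if event["Host"] not in NODE_EXPECTED_HOSTS:
        reasons.append("host is not in the Node.js inventory")
    if not reasons:
        return None
    return ("high" if len(reasons) >= 2 else "medium"), reasons

def triage(events):
    findings = []
    for ev in events:
        result = assess(ev)
        if result:
            findings.append({"host": ev["Host"], "image": ev["Image"],
                             "severity": result[0], "reasons": result[1]})
    return findings

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f["severity"], f["host"], f["image"], "; ".join(f["reasons"]))
```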

Worth noting

  • The HTTP-forward command permits the actors to download files without connecting to the user’s personal computer.
  • The trojan can also steal location and IP addresses, transfer the stolen information to its C2 server, and download extra malware payloads.

In essence

Threat actors are constantly coming up with new ways to build malware and affect as many systems as possible without being detected. They give their malware cross-platform compatibility, use platforms not usually used to build malware, and maintain persistence.