A new phishing campaign has been observed using a fake Donald Trump video as a lure for malware delivery. The campaign enables hackers to remotely control the infected system via QRat and provides the ability to steal passwords, along with sensitive data.
What has happened?
The phishing emails use unrelated subject lines and filename. The email subject claims to offer the victim a loan with a good value for money investment to entice victims. However, the email comes with a malicious attachment, claiming to be a video of President Donald Trump.
- If a user attempts to open the file, a Java Archive (JAR) file, will result in the execution of the QRat installer.
- The trojan uses multiple layers of obfuscation to avoid being detected as malicious activity. The code is encrypted in base64. In addition, it uses Allatori Obfuscator to hide its modules.
- The malicious code of the malware downloader is split into numbered files, along with some junk data.
- In addition, the malware uses a scam Microsoft ISC license, which shows a message telling the user that the JAR file is being run for remote penetration testing.
- Recently, ElectroRAT was spotted to be stealing cryptocurrency wallets of thousands of Windows, Linux, and macOS users.
- APT27 has been observed to be using PlugX RAT in a set of ransomware incidents.
The increasing use of RATs for cyberattacks and that too with additional layers of obfuscation makes security a concerning issue. Thus, experts suggest email administrators take action against inbound JARs and block them in their email security gateways to prevent JAR-based malware attacks. In addition, organizations should provide training to their employees for spotting phishing emails.