Insights and Analysis by Matthew Stewart
We recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.
The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.
The malware has functionality that enables it to download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows systems, but its design and certain pieces of code suggest cross-platform compatibility may be a future goal.
The infection begins with a Java downloader which, in addition to downloading Node.js, downloads the following files: “wizard.js”, and “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”. We analyzed these components to learn more about their behavior.
Analysis of Java Downloader
The sample mentioned above, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, serving as the Java downloader, has been obfuscated with the Allatori obfuscator. Allatori adds junk code and obfuscates strings to make analysis more difficult. We deobfuscated the code to be able to start the analysis.
Figure 1. Decompiled code of the sample (obfuscated with Allatori ..
Support the originator by clicking the read the rest link below.
