New phishing attack uses an odd lure to deliver Windows trojan malware
QRat trojan malware provides hackers with complete control of infected machines and the ability to steal passwords and other sensitive data – but the phishing emails are unconventional.
A new phishing campaign is attempting to lure victims into downloading malware which gives cyber criminals full control over infected Microsoft Windows machines.
Quaverse Remote Access Trojan (QRat) first emerged in 2015 and has remained successful because it’s both difficult to detect under multiple layers of obfuscation and provides malicious hackers with remote access to computers of compromised victims.
The capabilities of this trojan malware include stealing passwords, keylogging, file browsing, taking screenshots and more which all enable hackers to gain access to sensitive information.
Now cybersecurity researchers at Trustwave have identified a new QRat campaign which is attempting to lure people into downloading the latest version of the malware, something they describe as “significantly enhanced”.
The initial phishing email claims to offer the victim a loan with a “good return on investment” that could potentially catch the eye of victims. However, the malicious attachment isn’t related to the subject of the phishing email at all, instead claiming to contain a video of President Donald Trump.
Researchers suggest the attackers have opted for this attachment based on what is currently newsworthy. Whatever the reason, attempting to open the file – a Java Archive (JAR) file – will result in running an installer for QRat malware.
The malware uses several layers of obfuscation in order to avoid being detected as malicious activity – and it has also added new techniques in order to provide additional means of avoiding detection.
However, the process even comes with a pop-up warning, telling the user the software they’re installing can be used for remote access and penetration testing – if the user accepts this QRat is downloaded onto the system, with the malware being retrieved by modular downloads to help avoid detection.
It might seem strange that people would agree to this when it seems unrelated to the supposed video they’re trying to access but manipulating curiosity is still an incredibly useful tactic deployed by cyber criminals.
“The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common. Email administrators should be looking to take a hard line against inbound JARs and block them in their email security gateways,” said Diana Lopera, senior security researcher at Trustwave.
It’s also possible that a better designed email lure could result in this QRat campaign being more effective in future.
“While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated,” Lopera added.
Read the original article over at ZDNet.com.