We recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed “QNodeService”.

The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.

The malware has functionality that enables it to download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows systems, but its design and certain pieces of code suggest cross-platform compatibility may be a future goal.

The infection begins with a Java downloader which, in addition to downloading Node.js, downloads the following files: “wizard.js”, and “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”. We analyzed these components to learn more about their behavior.

The sample mentioned above, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, serving as the Java downloader, has been obfuscated with the Allatori obfuscator. Allatori adds junk code and obfuscates strings to make analysis more difficult. We deobfuscated the code to be able to start the analysis.

Below is a list of commands accepted by the malware:

- Gets the platform (windows) and architecture (x32/x64) of the system.
- Returns the label set by the “set-label” command.
- Gets IP address, location, hostname, etc.
- Signals wizard.js to remove the Run key entry from the system and terminate.
- Signals wizard.js to redownload the main payload.
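The infection chain and command list above give a defender three concrete hunting points: a Java process handing off to a freshly downloaded Node.js binary, Node.js running one of the reported script names (wizard.js, qnodejs-win32-ia32.js, qnodejs-win32-x64.js), and a Run key entry that points at those scripts (the persistence the “kill” command tears down). The following Python script is an added example, not code from the original analysis or from the malware itself; it assumes host telemetry has been flattened into simple key=value event lines (constructed below to resemble process-creation and registry-set events) and flags lines matching those three patterns.

```python
"""
Detection sketch for the QNodeService infection chain.

Assumption (not from the original analysis): host telemetry is available as
key=value event lines. The sample lines below are constructed for illustration;
a real deployment would feed Sysmon or EDR process/registry events instead.
"""
import re
from dataclasses import dataclass

# Script names the analysis reports the Java downloader fetching alongside Node.js.
QNODE_FILES = ("wizard.js", "qnodejs-win32-ia32.js", "qnodejs-win32-x64.js")

# Persistence location named in the command list (the kill command removes a Run key entry).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)


@dataclass
class Finding:
    rule: str       # which detection rule fired
    line_no: int    # 1-based index of the event line
    evidence: str   # command line or registry value data that triggered it


def parse_event(line: str) -> dict:
    """Parse one key=value event line; values may be double-quoted to allow spaces."""
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key.lower()] = quoted if quoted else bare
    return fields


def _basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _mentions_qnode_file(text: str) -> bool:
    t = text.lower()
    return any(name in t for name in QNODE_FILES)


def find_qnodeservice_indicators(lines):
    """Scan event lines and return a Finding for every rule match, in input order."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        etype = ev.get("event", "")
        if etype == "process_create":
            parent = _basename(ev.get("parentimage", ""))
            image = _basename(ev.get("image", ""))
            cmd = ev.get("commandline", "")
            # Rule 1: a Java process launching Node.js mirrors the downloader -> payload handoff.
            if parent in ("java.exe", "javaw.exe") and image == "node.exe":
                findings.append(Finding("java_spawns_node", n, cmd))
            # Rule 2: Node.js executing one of the reported script names.
            if image == "node.exe" and _mentions_qnode_file(cmd):
                findings.append(Finding("node_runs_qnode_script", n, cmd))
        elif etype == "registry_set":
            target = ev.get("targetobject", "")
            details = ev.get("details", "")
            # Rule 3: Run-key persistence whose value data references the reported scripts.
            if RUN_KEY_RE.search(target) and _mentions_qnode_file(details):
                findings.append(Finding("run_key_persistence", n, details))
    return findings


# Constructed sample telemetry (not captured from a real infection). Lines 1 and 3 are
# malicious-looking; lines 2 and 4 are ordinary developer and OneDrive activity.
SAMPLE_LOG = [
    'event=process_create ParentImage="C:\\Program Files\\Java\\jre\\bin\\javaw.exe" '
    'Image="C:\\Users\\u\\AppData\\Roaming\\node.exe" CommandLine="node.exe wizard.js"',
    'event=process_create ParentImage="C:\\Windows\\explorer.exe" '
    'Image="C:\\Program Files\\nodejs\\node.exe" CommandLine="node.exe server.js"',
    'event=registry_set TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Node Update" '
    'Details="C:\\Users\\u\\AppData\\Roaming\\node.exe C:\\Users\\u\\AppData\\Roaming\\qnodejs-win32-x64.js"',
    'event=registry_set TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive" '
    'Details="C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
]

if __name__ == "__main__":
    for f in find_qnodeservice_indicators(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.evidence}")
```

Rule 1 fires regardless of the script name, so it also catches renamed payloads, at the cost of flagging legitimate Java tooling that invokes Node.js; rules 2 and 3 are tied to the file names reported here and are therefore precise but brittle against trivial renaming. In a real environment, treat rule 1 as a hunting query to review rather than an alert, and pair rule 3 with a check on whether node.exe is installed in a user-writable directory rather than Program Files.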