New Malspam Campaign Distributing Remote Access Trojan Posing as Trump Scandal Video
Cybersecurity researchers have uncovered a new malspam operation that spreads a remote access Trojan (RAT) by trading on sensational claims of a scandal involving U.S. President Donald Trump. The campaign uses deceptive emails whose subject lines promise enticing offers, such as “GOOD LOAN OFFER!!”, but whose attachments lead unsuspecting users to run harmful files.
The emails carry an attachment named “TRUMP_SEX_SCANDAL_VIDEO.jar.” Once opened, this Java archive installs the Qua or Quaverse RAT, better known as QRAT. Diana Lopera, a Senior Security Researcher at Trustwave, suggested that the campaign’s operators may be capitalizing on the media frenzy following the recent presidential elections, using a deliberately misleading filename that bears no relation to the email’s loan-offer content.
The malspam campaign represents a new variant of the QRAT downloader that Trustwave first identified in August. The infection chain begins with a spam message carrying an attached or linked malicious ZIP file, which in turn retrieves a JAR file obfuscated with Allatori’s Java obfuscator. This initial downloader installs the Node.js runtime on the compromised system and then fetches a primary downloader named “wizard.js,” which establishes persistence and executes the Qnode RAT payload retrieved from a remote server.
QRAT has a broad feature set, including gathering system information and performing file operations, and it can also extract credentials from common applications such as Google Chrome and Microsoft Outlook. Notably, recent iterations of the malware display a pop-up alert that misleads victims into believing the JAR file is legitimate penetration testing software. The message requires user interaction, specifically clicking an “Ok, I know what I am doing.” button, before the malware activates, which suggests an effort to lend the attack an air of legitimacy.
Lopera pointed out the unusual nature of such pop-ups, hypothesizing that they may be an attempt to disguise the software’s true purpose or to shift culpability away from the original developers. To evade detection, the malicious code is split into randomly numbered segments, a technique intended to confuse security scanners.
This campaign also changes the malware’s structure: the JAR file has grown in size, and the second-stage downloader has been dropped in favor of a more streamlined process that directly fetches a newer RAT payload dubbed “boot.js.” Further updates to QRAT include base64-encoding its code and maintaining persistence through a VBS script.
The ongoing evolution of this threat reflects its growing sophistication, as observed by Trustwave. Lopera stresses that administrators should block incoming JAR files at their email security gateways. Despite the enhancements to the malware itself, the execution of the email campaign appears relatively crude, and its amateurish lure likely limits how many recipients it convinces.
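One way to implement the gateway control Lopera recommends, as an added example that is not part of the original article or Trustwave’s research: the check below parses a raw email, flags any directly attached JAR, and also looks one level inside ZIP attachments, since the August variant shipped its JAR that way. The sample message, the sender and recipient addresses, and the placeholder JAR bytes are constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Gateway policy modelled here (assumption): reject Java archives, whether attached
# directly or nested one level inside a ZIP, the two delivery forms described above.
BLOCKED_EXTENSIONS = (".jar",)
ARCHIVE_EXTENSIONS = (".zip",)


def _zip_members(data: bytes) -> list:
    """Return member names of a ZIP payload, or [] if it is not a valid ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def find_blocked_attachments(raw_message: bytes) -> list:
    """Return (attachment name, reason) pairs that violate the JAR-blocking policy."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip()
        lower = name.lower()
        if lower.endswith(BLOCKED_EXTENSIONS):
            findings.append((name, "direct JAR attachment"))
        elif lower.endswith(ARCHIVE_EXTENSIONS):
            payload = part.get_payload(decode=True) or b""
            for member in _zip_members(payload):
                if member.lower().endswith(BLOCKED_EXTENSIONS):
                    findings.append((name, f"ZIP contains JAR: {member}"))
    return findings


def build_sample_message() -> bytes:
    """Constructed sample lure: one direct JAR and one ZIP-wrapped JAR (placeholder bytes, not a real JAR)."""
    jar_name, fake_jar = "TRUMP_SEX_SCANDAL_VIDEO.jar", b"placeholder, not a real JAR"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(jar_name, fake_jar)
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "GOOD LOAN OFFER!!", "a@example.invalid", "b@example.invalid"
    msg.set_content("Please see the attached offer.")
    msg.add_attachment(fake_jar, maintype="application", subtype="java-archive", filename=jar_name)
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="offer.zip")
    return msg.as_bytes()
```

Running `find_blocked_attachments(build_sample_message())` reports both the direct JAR and the ZIP-wrapped one; a message with no attachments yields an empty list.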
As this situation unfolds, cybersecurity professionals are reminded to remain vigilant in securing their systems against emerging threats like QRAT, and to use frameworks such as the MITRE ATT&CK taxonomy to better understand the tactics and techniques of malicious actors. Tactics such as initial access, persistence, and privilege escalation are pertinent considerations when analyzing the risks posed by this new wave of threats.