It’s Not the Trump Sex Tape, It’s a RAT

  • Criminals are utilizing the finish of the Trump presidency to produce a new distant-access trojan (RAT) variant disguised as a sex movie of the outgoing POTUS, researchers report.

    As outgoing President Donald Trump carries on to dominate headlines, cybercriminals have determined to horn in on the a great deal-gossiped-about — and nevertheless to materialize — Trump intercourse tape as a lure for malware shipping.

    A campaign has been uncovered that labels a malware downloader with the filename “TRUMP_Intercourse_SCANDAL_Video,” in accordance to a new report from Trustwave scientists. It’s currently being unfold by using destructive back links in emails.

    If clicked, the hyperlinks really do not acquire the person to a salacious video, but in its place set up QRAT, offering criminals with complete distant obtain of an contaminated technique.


    Initial found in 2015, the Quaverse Remote Entry Trojan (QRAT) is Java-centered, distant entry trojan (RAT) supercharged by plug-ins from Quaverse, Trustwave defined.

    Starting off previous August, Trustwave scientists noted looking at an uptick in phishing cons hoping to force QRAT. This newest phishing endeavor in appealing nevertheless, according to Trustwave researcher Diana Lopera, for the reason that the issue line and the filename ended up unrelated.

    The email. Resource: Trustwave.

    “The email, with the topic “GOOD Bank loan Give!!,” at initially look, appears like a typical financial investment rip-off,” Lopera stated in the report about the come across. “No obfuscation in the email headers or human body is identified. Curiously, connected to the email is an archive made up of a Java Archive (JAR) file known as “TRUMP_Sex_SCANDAL_Online video.jar.”

    Lopera included new headlines bordering the election offered a good deal of address for destructive actors to carry out their ripoffs.

    “We suspect that the terrible men are attempting to ride the frenzy brought about by the a short while ago concluded presidential elections, because the filename they employed on the attachment is completely unrelated to the email’s concept,” Lopera stated.

    QRAT Variants

    This QRAT is notable simply because it has various variations from its predecessors, Lopera defined.

    “This threat has been considerably increased above the earlier handful of months given that we very first examined it,” Lopera claimed. “To reach the similar conclude goal, which is to infect the technique with a QNode RAT, the JAR file downloader characteristics and habits were enhanced.”

    This model of code is encrypted with foundation64 the modules are hidden with Allatori Obfuscator the target network details is retrieved right here from the company “hxxps://wtfismyip[.]com” and at last, the password recovery also supports Chrome, Firefox, Thunderbird and Outlook, the report defined.

    “The destructive code of this downloader is break up up among…numbered files, alongside with some junk details that have been included to them.” Lopera wrote.

    The most current .JAR variant also involves a rip-off Microsoft ISC license, which serves up a concept telling the user the .JAR file is becoming operate for distant penetration testing, the report stated.

    “Upon the execution of the file “TRUMP_Sexual intercourse_SCANDAL_Video.jar”, a duplicate of it is established and then executed from the %temp% folder,” Lopera explained. “Then, a GUI informing the victim that the destructive JAR file is a distant entry software used for penetration screening is released. The malicious behaviors of this sample get started to manifest as soon as the button ‘Ok, I know what I am doing’ is clicked,” Lopera said.

    A further distinction involving this model and prior identified .JAR files is a lacking string of code.

    “Third, the string “qnodejs” which beforehand identified the files affiliated with this danger, is not in this variant,” she noticed.

    Earlier variations of the .JAR file contained data about the QHub assistance subscription required to communicate with the C2 server, the report reported.

    “The information and facts about the QHub service subscription person we observed in the previously variant is no lengthier contained in the JAR file,” Lopera explained.

    ‘Amateurish’ Endeavor

    To protect techniques versus this latest QRAT variant, Lopera advises that email directors need to block .JAR files at security gateways.

    “While the attachment payload has some advancements more than preceding variations, the email campaign alone was relatively amateurish, and we consider that the prospect this danger will be sent correctly is larger if only the email was far more subtle,” Lopera wrote. “The spamming out of malicious JAR files, which often direct to RATs these types of as this, is quite popular.”

    Supply-Chain Security: A 10-Point Audit Webinar: Is your company’s application provide-chain organized for an attack? On Wed., Jan. 20 at 2p.m. ET, commence pinpointing weaknesses in your offer-chain with actionable guidance from industry experts – aspect of a limited-engagement and Stay Threatpost webinar. CISOs, AppDev and SysAdmin are invited to talk to a panel of A-checklist cybersecurity gurus how they can avoid remaining caught uncovered in a put up-SolarWinds-hack earth. Attendance is limited: Register Now and reserve a location for this exclusive Threatpost Supply-Chain Security webinar – Jan. 20, 2 p.m. ET.