New email malspam campaign pretends to offer a rather odd payload

Email warning
(Image credit: Shutterstock)

Although the US 2020 election may be over, cybercriminals are still using it as a lure to infect victims with malware and other viruses.

Security researchers at Trustwave have discovered a new malspam campaign that first caught their attention due to the fact that the attachments used don't coincide with the theme of the email body. Upon further investigation though, they found that the attachment is a variant of the QRAT downloader.

The emails used in the campaign have the subject line “GOOD LOAN OFFER!!” which make them appear as just another investment scam at first. However, attached to these emails is an archive containing a Java Archive (JAR) file named “TRUMP_SEX_SCANDAL_VIDEO.jar”.

Trustwave believes that the cybercriminals behind the campaign are trying to capitalize on the controversy surrounding the recent US presidential election as the filename of the attachment is completely unrelated to the email's theme.

QRAT downloader

The JAR file attached to these emails has the same purpose as other Node.js QRAT downloaders Trustwave has observed in the past, to install the Qnode RAT on a victim's system.

The downloader still only affects Windows systems and the JAR file itself is obfuscated using the Allatori Obfuscator. The sample analyzed by Trustwave researchers is larger than previous samples but the malicious code included in the downloader is still split up among multiple data streams with just numbers in the filename.

Once a victim opens the JAR file attached to the email, a pop-up appears informing them the file is a “remote access software and is mainly used for penetration testing”. If a user clicks on the button that says “Ok, I know what I am doing”, the JAR file begins its malicious behavior on a users' system.

Senior security researcher at Trustwave Diana Lopera provided further insight on this latest version of the QRAT downloader in a new report, saying:

“While the attachment payload has some improvements over previous versions, the email campaign itself was rather amateurish, and we believe that the chance this threat will be delivered successfully is higher if only the email was more sophisticated. The spamming out of malicious JAR files, which often lead to RATs such as this, is quite common.”

To avoid falling victim to this and other similar scams, it is highly recommended that you avoid downloading and opening any files attached to emails from unknown senders.

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.