Trump-Themed Phishing Campaign Spread Trojan
Researchers: Link Portrayed as Trump Video Loaded QRat Trojan
A recently spotted phishing campaign used the offer of a President Donald Trump video as a lure to spread the QRat Trojan, which can steal passwords, take screenshots and enable attackers to take over compromised Windows devices, according to the security firm Trustwave SpiderLabs.
Although the phishing emails spotted last month featured loan offers and a subject line about a “good return on investment,” they also contained an attached file claiming to offer a video of Trump. This file hid the QRat malware, according to the report.
QRat, which is also known as Quaverse RAT, was first spotted by researchers in May 2015. It can remain undetected because of multiple layers of obfuscation. The malware offers many functions, including the ability to steal passwords, act as a keylogger, take screenshots and browse files, according to previous reports.
The supposed video in the phishing campaign was a Java Archive file that hid the QRat malware, which installed on a device if the victim attempted to open the video link, the report notes. The Trojan only targets Windows-based devices.
The JAR file displayed a graphical user interface and informed the recipient that the malicious file is attempting to install a penetration test, according to the report.
"The malicious behaviors of this sample start to manifest once the button 'Ok, I know what I am doing' is clicked," the Trustwave report notes. "This pop-up is a little odd and is perhaps an attempt to make the application look legitimate or deflect responsibility from the original software authors."
The report notes that the QRat malware deploys several layers of obfuscation to help hide its activity when it is installing on a Windows device and avoid detection by security tools.
Diana Lopera, a senior security researcher at Trustwave, notes that while the phishing emails appear amateurish, these types of attacks can still prove effective if the victim is not paying attention.
"The spamming out of malicious JAR files, which often lead to [remote access Trojans] such as this, is quite common," Lopera notes in the report. "Email administrators should be looking to take a hard line against inbound JARs and block them in their email security gateways."
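The gateway control Lopera recommends is straightforward to express as code. The following Python is an added example, not code from Trustwave or from the report, showing how an inbound-mail filter can flag JAR attachments by content rather than by filename alone: a JAR is a ZIP container carrying META-INF/MANIFEST.MF or .class members, so a sample renamed to look like a video is still caught, and a JAR nested one level inside a plain ZIP is caught too. The sender addresses, the manifest contents and the messages built by build_sample_message are constructed test fixtures, not anything observed in the campaign.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

ZIP_LOCAL_HEADER = b"PK\x03\x04"


def is_jar_bytes(data: bytes) -> bool:
    """True if data is a ZIP container with a Java manifest or class files.

    This is deliberately conservative: any archive carrying
    META-INF/MANIFEST.MF or a .class member is treated as a JAR, whatever
    filename or MIME type it arrived with.
    """
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    return any(n.upper() == "META-INF/MANIFEST.MF" for n in names) or any(
        n.lower().endswith(".class") for n in names
    )


def jar_inside_zip(data: bytes, max_member_bytes: int = 5_000_000) -> bool:
    """True if a (non-JAR) ZIP contains a member that is itself a JAR.

    Catches the common trick of wrapping the JAR in an outer archive so the
    outer filename and extension look harmless.
    """
    if not data.startswith(ZIP_LOCAL_HEADER):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > max_member_bytes:
                    continue  # do not inflate huge members during filtering
                if info.filename.lower().endswith(".jar") or is_jar_bytes(zf.read(info)):
                    return True
    except zipfile.BadZipFile:
        return False
    return False


def find_jar_attachments(raw_message: bytes) -> list:
    """Parse an RFC 822 message and report every attachment that is a JAR
    by name, by content, or nested inside a ZIP."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        by_name = name.lower().endswith(".jar")
        by_content = is_jar_bytes(payload)
        by_nested = (not by_content) and jar_inside_zip(payload)
        if by_name or by_content or by_nested:
            findings.append(
                {"filename": name, "by_name": by_name,
                 "by_content": by_content, "by_nested": by_nested}
            )
    return findings


def should_block(raw_message: bytes) -> bool:
    """Gateway decision: block the message if any JAR attachment was found."""
    return bool(find_jar_attachments(raw_message))


# --- constructed fixtures for demonstration and testing -------------------

def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP/JAR from {member_name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message(attachment_name: str, attachment_bytes: bytes) -> bytes:
    """Constructed message with one attachment; addresses are placeholders."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "Good return on investment"
    msg.set_content("Please see the attached video.")
    msg.add_attachment(attachment_bytes, maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


# A minimal constructed JAR: manifest plus a stub class-file header.
SAMPLE_JAR = build_zip({
    "META-INF/MANIFEST.MF": "Manifest-Version: 1.0\nMain-Class: Video\n",
    "Video.class": b"\xca\xfe\xba\xbe",
})

if __name__ == "__main__":
    for fname in ("Trump_video.jar", "Trump_video.mp4"):
        raw = build_sample_message(fname, SAMPLE_JAR)
        print(fname, "->", "BLOCK" if should_block(raw) else "allow",
              find_jar_attachments(raw))
```

The content check is what makes the rule worth having: an extension-only block list is bypassed by renaming, while the manifest check follows the Java runtime's own view of what it will execute. Office documents are also ZIP containers but carry no manifest or class files, so they pass the filter unchanged.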
Hackers have been increasingly using Trojanized applications coupled with phishing email lures to spread a variety of malware.
For example, security firm Intezer recently found that hackers are using Trojanized applications and fake social media accounts to steal cryptocurrency from victims (see: ElectroRAT Malware Targets Cryptocurrency Wallets).
In December, a report by security firm Cybereason found that attackers were using fake Amazon gift cards that deliver the Dridex banking Trojan to target online shoppers in the U.S. and Western Europe (see: Fake Amazon Gift Cards Deliver Dridex Trojan).
In November, Malwarebytes reported that fraudsters were using the U.S. presidential election as a theme to send out spam messages that are designed to infect victims' devices with malware, including Trojans (see: US Election Interference-Themed Spam Spreads Banking Trojan).