By Matthew Stewart
We recently noticed a Twitter post by MalwareHunterTeam that showed a Java downloader with a low detection rate. Its name, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, suggests it may have been used in a Covid-19-themed phishing campaign. Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.
The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.
The malware has functionality that enables it to download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows systems, but its design and certain pieces of code suggest cross-platform compatibility may be a future goal.
The infection begins with a Java downloader which, in addition to downloading Node.js, downloads the following files: “wizard.js”, and “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”. We analyzed these components to learn more about their behavior.
Analysis of Java Downloader
The sample mentioned above, “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”, serving as the Java downloader, has been obfuscated with the Allatori obfuscator. Allatori adds junk code and obfuscates strings to make analysis more difficult. We deobfuscated the code to be able to start the analysis.
It downloads Node.js to the User Profile directory. It checks the system architecture and downloads the 32-bit or 64-bit version appropriately.
It also downloads a file named “wizard.js” from the URL hxxps://central.qhub.qua.one/scripts/wizard.js. It then runs this file using Node.js with multiple command line arguments, including the URL of the C&C server:
Note that “–group user:476@qhub-subscription[…]” is a parameter used during communication with the C&C server; the presence of a user identifier and mention of a “subscription” suggest that this malware may be sold as a subscription service.
Analysis of wizard.js
It creates a file named “qnodejs-<8 digit hex number>.cmd” which contains the arguments used to launch the file. This is invoked by the registry key entry it creates at “HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”. It also checks whether it’s running on a Windows platform, suggesting the authors may have cross-platform compatibility in mind.
Figure 6. The registry “Run” key entry added by wizard.js
It downloads a file from hxxps://central.qhub.qua.one/scripts/qnodejs-<platform>-<arch>.js. Based on possible values for process.platform and process.arch in Node.js, we found files qnodejs-win32-ia32.js and qnodejs-win32-x64.js hosted on the server. The server also contains SHA1 hashes for each sample, although they are named .sha256. These hashes are downloaded and checked by the downloaded sample when it runs.
Analysis of qnodejs-win32-<architecture>.js
A file named qnodejs-win32-ia32.js or qnodejs-win32-x64.js is downloaded based on the system architecture (whether the OS is 64-bit or 32-bit).
We named this malware “QNodeService,” since this seems to be the name used internally, as indicated by the code that validates command line arguments.
The malware is divided into modules. Access to these modules is obfuscated with the use of a lookup function named “v”. Some modules consist solely of a “require” call to import libraries, while others are custom modules written by the author.
Certain modules in this file are identical to wizard.js; in particular, these reuse the code that determines the URL for the sample and its hash. In this file, the module is used to download and verify the SHA1 hash. If the hash fails, the malware terminates.
The malware uses the socket.io library for communication with the C&C server. As a result, it is designed with a reactive programming paradigm, and uses WebSocket to communicate with the server.
The malware can steal passwords from Chrome and Firefox.
Below is a list of commands accepted by the malware:
|control/reload||Signals wizard.js to redownload the main payload.|
|control/uninstall||Signals wizard.js to remove the Run key entry from the system and terminate.|
|info/get-ip-address||Gets IP address, location, hostname, etc.|
|info/get-label||Returns label set by the “set-label” command|
|info/get-machine-uuid||Gets a UUID generated by the malware.|
|info/get-os-name||Gets the platform (windows) and architecture (x32/x64) of the system.|
|info/get-user-home||Gets the user profile directory (os.homedir())|
|file-manager/absolute||Gets the full path of a file|
|file-manager/execute||Executes a file with the command ‘start “” /B <file>’|
|file-manager/delete||Removes a file or files on the system (accepts globs, using “rimraf” library)|
|file-manager/forward-access||Generates URL and token to use for the “http-forward” command (see below)|
|file-manager/list||Lists files in specific directories|
|file-manager/mkdirs||Creates a directory on the system|
|file-manager/write||Writes a file sent from the C&C SERVER onto the system|
|http-forward||HTTP requests sent to a specific URL at the C&C are routed to the infected machine (see below)|
|password-recovery/applications||Lists applications for which passwords can be read (Chrome & Firefox)|
|password-recovery/recover||Recovers passwords from a specific application (Chrome or Firefox)|
On May 5th, the malware was updated with three additional commands:
|info/get-tags||Returns list of tags set by “add-tag” command|
Of particular note is the http-forward command, which allows an attacker to download a file without directly connecting to the victim machine, as shown below in figures 13-16. However, a valid request path and access token are required to access files on the machine. The C&C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.
The malware responds with the forwarding URL and access token. Then, a third party who has been given the URL and access token could send an HTTP request to the C&C server to retrieve files from the victim machine without directly connecting to it.
The C&C server forwards the HTTP request to the malware on the victim machine using the http-forward command. If the access token is correct, the malware sends the file’s contents back to the C&C server, which in turn sends the contents back to the attacker in its HTTP response, enabling remote download.
Similar to wizard.js, the authors seem to have cross-platform compatibility in mind. Although this sample is the win32-ia32 variant, it contains code that would improve compatibility on Darwin (MacOS) and Linux platforms.
Threat actors constantly come up with ingenious ways to create malware and ensure that it affects as many systems for as long as it can, such as using environments that are less utilized for malware creation, maintaining persistence, and giving them cross-platform compatibility. To defend against such malware, users can block them from getting through possible entry points, such as email, endpoints, and network, through the following security solutions:
- For email – Trend Micro™ Email Security offers AI-based detection and sandboxing capabilities to detect and block malware and malicious URLs
- For endpoints – Trend Micro Apex One provides pre-execution and runtime machine learning and automated threat detection
- For networks – Trend Micro TippingPoint Threat Protection System inspects and blocks network traffic in realtime to stop the infiltration of threats
Indicators of Compromise
|File Name||SHA-256||Detection Name|