A new malware strain is reportedly being delivered through fake United States Department of the Treasury emails.
The malware is a new Node.js trojan capable of stealing user passwords and credentials. The group behind it is using the fake Treasury emails to get the malware onto its targets' machines.
Cybersecurity experts from Abuse.ch were among the first to point out this new attack. The group says the operation relies on a spam campaign to send the emails. The fake emails inform the target that a payment from the government did not go through because of incorrect banking information.
Malware delivery system
As cybersecurity protections improve, so do the techniques attackers use. While malware grows more sophisticated by the day, the delivery mechanism remains much the same.
This malware arrives by spam email and relies on social engineering to trick the target into launching the payload.
The email itself is simple. It tells the target that a particular government document contains a number of mistakes. Once the target opens the attachment, the malware launches its payload.
Part of the email reads:
“However, there is no indication that the said approved fund was finally paid to you as the beneficiary, or did you at any point changed ownership or receiving bank accounts of the approved fund?”
The email carries two attachments, a .zip and a .jar file. The payload is a Node.js malware known as QnodeService; MalwareHunterTeam first discovered this new strain of malicious code.
Once the target runs the .jar file, it downloads a script and stores the required packages on the target's machine. The malware then executes its payload every time the target logs into Windows, which gives it persistence across reboots.
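The attachment pattern described above (a .zip and a .jar, or a .jar hidden inside a .zip) is easy to triage at the mail gateway before anyone double-clicks it. The following is an added example, not code from the article or from the researchers it cites; the sample message, the attachment names, and the lure phrase list are constructed here for illustration, and the .jar content is an empty placeholder rather than a real payload.

```python
"""Quarantine triage for inbound mail: flag executable attachments, look inside
.zip attachments for .jar/.js members without extracting to disk, and match
phrases from the Treasury lure. Added example; sample data is constructed."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions that should not arrive as mail attachments in most organisations.
# The pairing of an archive with a Java archive is the pattern in the article.
RISKY_EXTENSIONS = {".jar", ".js", ".jse", ".vbs", ".exe", ".scr"}
ARCHIVE_EXTENSIONS = {".zip"}

# Constructed lure phrases; extend from real samples (assumed, not from the page).
LURE_PHRASES = ("approved fund", "receiving bank account", "department of the treasury")


def _ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data: bytes) -> list[str]:
    """Return names of risky members inside a zip payload, reading only the directory."""
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if _ext(info.filename) in RISKY_EXTENSIONS:
                    hits.append(info.filename)
    except zipfile.BadZipFile:
        hits.append("<corrupt or non-zip data>")  # mismatched extension is itself suspicious
    return hits


def triage_message(raw: bytes) -> dict:
    """Parse an RFC 5322 message and report every reason it should be quarantined."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    for phrase in LURE_PHRASES:
        if phrase in text:
            reasons.append(f"lure phrase: {phrase!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        payload = part.get_payload(decode=True) or b""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"direct executable attachment: {name}")
        elif ext in ARCHIVE_EXTENSIONS:
            for member in inspect_zip(payload):
                reasons.append(f"risky member {member!r} inside {name}")
    return {"quarantine": bool(reasons), "reasons": reasons, "subject": msg["subject"]}


def build_sample_message() -> bytes:
    """Constructed sample resembling the lure. The .jar bytes are an empty-archive
    placeholder (a bare end-of-central-directory record), not malware."""
    empty_jar = b"PK\x05\x06" + b"\x00" * 18
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Payment_Notice.jar", empty_jar)
    msg = EmailMessage()
    msg["Subject"] = "Approved fund not paid"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg.set_content("There is no indication that the said approved fund was paid "
                    "to the receiving bank account.")
    msg.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                       filename="Notice.zip")
    msg.add_attachment(empty_jar, maintype="application", subtype="java-archive",
                       filename="Details.jar")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in triage_message(build_sample_message())["reasons"]:
        print(reason)
```

The check never extracts archive members, so a crafted zip cannot write files during triage; it only reads the central directory. In production the same function would run on messages pulled from the gateway's quarantine or journaling mailbox rather than on the constructed sample.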
Capabilities and counters
Once it is running on the system, the malware can update itself. It can also collect the target's IP address, login credentials, location, and OS version, and it can remotely execute commands, delete files, and steal passwords.
Cybersecurity experts advise that once the malware is found on a machine, users should assume that their data and passwords have already been stolen and change their passwords immediately.
Network protocols are also prone to attack, which is why network administrators should audit their systems regularly. Anti-virus software is also a useful tool for cleaning up infected systems.
This type of attack is nothing new; cybersecurity experts have tracked such malware strains for many years. Here, too, prevention is better than cure.
Image courtesy of Song_about_summer/Shutterstock