Cyber-attackers are disguising malware as a video file depicting a fake sex scandal involving United States President Donald Trump.
The email-based attack was discovered by cybersecurity researchers at Trustwave who were reviewing their spam traps.
Targets are sent an email with the attachment “TRUMP_SEX_SCANDAL_VIDEO.jar”. Those who click on the malicious Java Archive (JAR) file unwittingly install the Qnode Remote Access Trojan (RAT) onto their computer.
Unusually, the title of the malicious file bore no resemblance to the subject of the email to which it was attached.
When the researchers opened the email “GOOD LOAN OFFER!!,” they expected to discover nothing more than an investment scam. However, attached to the email was an archive containing the malicious JAR file.
"We suspect that the bad guys are attempting to ride the frenzy brought about by the recently concluded Presidential elections since the filename they used on the attachment is totally unrelated to the email’s theme," wrote researchers.
An investigation into the attack revealed that the JAR file is a variant of a QRAT downloader researchers brought to the public's attention in August. Similarities between the new and old variants include Allatori Obfuscator's being used to obfuscate the JAR file and the installer of Node.Js's being retrieved from the official website nodejs.org.
As is the case with the old variants, researchers found that the new downloader supports Windows platforms only.
Researchers noted that while the Trump sex scandal email campaign used to deliver the malware "was rather amateurish," the new QRAT was more sophisticated than prior variants.
"This threat has been significantly enhanced over the past few months since we first examined it. To achieve the same end goal, which is to infect the system with a QNode RAT, the JAR file downloader characteristics and behavior were improved," wrote researchers.
The attackers ditched the string “qnodejs,” which can distinguish the files related to this threat. And, to avoid detection, they split up the malicious code of the downloader into different buffers inside the JAR.
Researchers advised email administrators to "take a hard line" against inbound JARs and to use their email security gateways to block them.