This new, unusual Trojan promises victims COVID-19 tax relief


Level 37
Thread author
Top poster
Feb 4, 2016
QNodeService’s codebase may have helped it avoid detection by traditional antivirus solutions.

A new Trojan malware sample has appeared on the radar of cybersecurity researchers following evidence it may be being used in coronavirus-related phishing schemes.
First noticed by MalwareHunterTeam, the Trojan sample was connected to a file, "Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar," and was only detected at first by ESET's antivirus engine.

Dubbed QNodeService, the Trojan lands on systems through a Java downloader embedded in the .jar file, Trend Micro researchers said on Thursday.
The malware is unusual as it is written in Node.js, a language primarily reserved for web server development.

"However, the use of an uncommon platform may have helped evade detection by antivirus software," the team notes.
The Java downloader, obfuscated via Allatori in the lure document, grabs the Node.js malware file -- either "qnodejs-win32-ia32.js" or "qnodejs-win32-x64.js" -- alongside a file called "wizard.js."