QNodeService stepped up its features while being operated in widespread credential-theft campaigns

Since mid-2020, a new piece of malware has emerged in the cyber threat landscape. It appears to be linked to the crimeware ecosystem given its main purpose and use: the exfiltration of browser and email-service credentials from a fairly extensive range of potential targets. The group operating this threat is currently unknown to us (internally tracked as RedMoon), but we know that, at least for the malware samples involving Italian assets, it likely operates from a West Asian country, and we noted that it seems very focused on keeping its detection rates as low as possible. A variant of this threat was originally spotted by @malwrhunterteam on April 30, 2020 (https://twitter.com/malwrhunterteam/status/1255840193745215489) and first analyzed by industry on May 14, 2020 (https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/), which dubbed it QNodeService, referring to the use of Node.js as the execution engine of the malicious script that forms the core of the malware. Recently, the Telsy Threat Intelligence Division observed variants of this malware being operated against entities and individuals located in European countries.

Download the full PDF report below.
