
QNodeService

Posted: May 15, 2020

QNodeService is a backdoor Trojan composed of corrupted JavaScript and supporting modules. QNodeService may collect passwords from your browsers or let attackers access your PC's files, for example by opening or deleting them. Windows users should watch for potential Coronavirus-themed tactics and let anti-malware products remove QNodeService appropriately once they identify it.

JavaScript Problems Coming to Your Windows OS and Possibly Elsewhere

Collecting account credentials remains a central measure of success for Trojan campaigns, whether the threat actor's aim is riches, sabotage or espionage. A new backdoor Trojan with just these features baked in is using the Coronavirus as its 'Trojan horse' theme, just like the SARS-CoV-2 Ransomware, the 'COVID-19.exe' Wiper, or the latest campaigns of the RATicate group. QNodeService is also noteworthy for another reason: its author chose a format that is not the usual one.

QNodeService's author uses JavaScript for most of the Trojan, including its persistence module, the first-stage Trojan downloader and the primary payload. Victims are falling for tactics involving fake tax relief links for the COVID-19 epidemic, which are sufficiently convincing to get the clicks that launch the loader. This early stage of the attack also identifies whether the OS is 32-bit or 64-bit, so that the appropriate branch of QNodeService is delivered.

The QNodeService Trojan remains system-persistent via a secondary JavaScript module and provides backdoor and data-collecting features. Of special note is its default inclusion of password exfiltration for two browsers: Chrome and Firefox. Malware experts also suspect that QNodeService's use of JavaScript is part of a currently unrealized portability goal of making the Trojan compatible with macOS and various Unix-based operating systems.

A Sample of What Trojans Serve on Silver Platters

QNodeService's classification as a backdoor Trojan implies more than just a limited capacity for uploading collected data. Campaigns using the disease-themed Trojan offer the attackers on the other end various levers for exerting control, such as deleting or launching files, downloading to the infected computer without a direct C&C connection, and reporting general information about the system's architecture. Victims should terminate network connections from infected PCs as part of preventing attackers from causing any additional damage.

Users also should remember that current events form a significant part of the themes of ongoing Trojan campaigns. Links that supposedly provide guidelines, reports, or equipment related to the Coronavirus can propagate threats with purposes ranging from encrypting files to, like QNodeService, offering a backdoor into the computer. Unusual e-mail messages are the most likely starting points for these attacks, whether they use links to arbitrary websites or attached files.

Anti-malware products should be in a fully-patched state for flagging and removing new threats as soon as possible. Uninstalling QNodeService through specialized security solutions and changing all compromised passwords should resolve the majority of the risks associated with the infection.

QNodeService turns global tragedy into an opportunity, with Coronavirus-named files cracking a wide-open door into any user's computer. Worldwide, everyone should remember the low-effort, everyday practices that can keep them safe, both in biology and in software.
