QNodeService Trojan

First observed in May 2020, QNodeService is a modular Node.js based information-stealing trojan delivered in a number of Covid-19 related campaigns.


Affected platforms

The following platforms are known to be affected:

Threat details

QNodeService is distributed as a Java downloader disguised as a variety of documents pertaining to Covid-19 tax relief or business schemes. When opened, this downloader first installs the Node.js runtime, then checks the system architecture and downloads the matching version of QNodeService. It also downloads a second file that is used to maintain persistence.

Once installed, QNodeService will collect user and system information to send to a command and control server, at which point it awaits further commands. QNodeService is able to:

  • create and delete Run key entries
  • download and execute secondary payloads
  • edit, delete, or transfer files
  • extract user credentials from Chromium and Firefox web browsers
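The behaviours listed above (the Node.js runtime launching the dropped scripts, Run key persistence, and contact with the command and control host) map directly onto endpoint hunting logic. The following is an added example, not NHS Digital or NCSC tooling: it runs a simple check over constructed Sysmon-style event records. Only the file names and the C2 domain come from this alert; the record field names and the "Run key value that invokes Node.js with a .js script" heuristic are assumptions.

```python
"""Hunt for QNodeService-style activity in endpoint telemetry (added example)."""
import re

# Indicators taken from the alert (domain is de-fanged on the page).
IOC_FILENAMES = {"qnodejs-win32-ia32.js", "qnodejs-win32-x64.js", "wizard.js"}
IOC_DOMAIN = "central.qhub.qua.one"

# node.exe is legitimate software, so match on the script it is handed,
# not on the runtime alone.
NODE_RE = re.compile(r"(?:^|[\\/\s\"'])node(?:\.exe)?[\"']?\s+(?P<script>\S+)", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.I)

def script_basename(cmdline):
    """Lower-cased file name of the script Node.js is launching, or None."""
    m = NODE_RE.search(cmdline or "")
    if not m:
        return None
    path = m.group("script").strip("\"'").replace("\\", "/")
    return path.rsplit("/", 1)[-1].lower()

def check_event(ev):
    """Return a finding for one event, or None if nothing matches."""
    eid = ev.get("event_id")          # assumed Sysmon-style numbering
    if eid == 1:                      # process creation
        name = script_basename(ev.get("command_line"))
        if name in IOC_FILENAMES:
            return f"Node.js ran known QNodeService script {name}"
    elif eid == 13:                   # registry value set
        name = script_basename(ev.get("details"))
        if RUN_KEY_RE.search(ev.get("target_object", "")) and name and name.endswith(".js"):
            return f"Run key persistence launches Node.js script {name} (heuristic)"
    elif eid == 22:                   # DNS query
        if ev.get("query_name", "").lower().rstrip(".") == IOC_DOMAIN:
            return f"DNS lookup for QNodeService C2 host {IOC_DOMAIN}"
    return None

def hunt(events):
    """Return (host, finding) pairs for every event that matches."""
    findings = []
    for ev in events:
        finding = check_event(ev)
        if finding:
            findings.append((ev.get("host"), finding))
    return findings

SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "ws01", "event_id": 1,
     "command_line": r'"C:\Users\a\node.exe" C:\Users\a\qnodejs-win32-x64.js'},
    {"host": "ws01", "event_id": 13,
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\a\node.exe C:\Users\a\updater.js"},
    {"host": "ws01", "event_id": 22, "query_name": "central.qhub.qua.one"},
    {"host": "ws02", "event_id": 1,   # benign developer use of Node.js
     "command_line": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
    {"host": "ws02", "event_id": 22, "query_name": "registry.npmjs.org"},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS):
        print(host, finding)
```

Feeding real Sysmon or EDR exports into `hunt()` only requires mapping your schema's field names onto the ones assumed here.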

Remediation steps

To prevent and detect a trojan infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.
  • Systems are continuously monitored, and unusual activity is investigated, so that a compromise of the network can be detected as early as possible.

Please note that NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details refer to their end user device security guidance pages.



Indicators of compromise

Main indicators

URLs

  • central.qhub.qua[.]one

Filenames

  • qnodejs-win32-ia32.js
  • qnodejs-win32-x64.js
  • wizard.js

SHA256 File Hashes


Last edited: 29 June 2021 12:01 pm