As per a Bleeping Computer report, a new Node.js-based remote access trojan and password-stealing malware spreads via malicious emails that pretend to come from the U.S. Department of the Treasury. On that issue, a cybersecurity expert from Cerberus Sentinel offers perspective.
Cyber criminals are always quick to leverage current events in order to compromise their victims. In this case the lure is the promise of relief money from the government. This is an especially compelling and cruel ploy, with many people suffering from severe economic uncertainty due to the COVID-19 pandemic, but rest assured attackers will change tactics to exploit future events in the news. This malware campaign is interesting because the attackers used a server-side programming framework called Node.js, not typically seen in use by end users. This could be to avoid detection by anti-malware software, but it's not clear if that was the primary motivation. So far the attackers have not installed ransomware on their victims' computers, which is usually the immediate tactic used by cybercriminals in order to extort money from their victims.
Organizations should make sure to update their anti-virus signatures to stop this attack, as well as block access to the command and control (C2) server at central[.]qhub[.]qua[.]one.
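As an added example (not part of the article or of the Cerberus Sentinel comment above), the following Python refangs the C2 indicator quoted above, scans DNS query log lines for lookups of that host or any subdomain of it, and emits a dnsmasq block rule for it. The dnsmasq-style log lines, the source IP addresses and the sibling/look-alike hostnames are constructed for illustration, and the choice of dnsmasq as the blocking point is an assumption; the only real indicator in the block is the one the page quotes.

```python
import re
from typing import Iterable, List

# Indicator as quoted on the page, in defanged form.
C2_DEFANGED = "central[.]qhub[.]qua[.]one"


def refang(indicator: str) -> str:
    """Turn a defanged IOC (x[.]y, hxxp://) back into its real form."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    if s.startswith("hxxp"):
        s = "http" + s[4:]
    return s


def matches_c2(hostname: str, c2: str) -> bool:
    """True if hostname is the C2 host itself or a subdomain of it.

    A sibling such as updates.qhub.qua.one is deliberately NOT matched,
    and neither is a look-alike that merely contains the C2 name.
    """
    h = hostname.strip().lower().rstrip(".")
    return h == c2 or h.endswith("." + c2)


# Constructed sample DNS query log (dnsmasq style); not from the page.
SAMPLE_DNS_LOG = """\
Aug  1 10:02:11 gw dnsmasq[812]: query[A] www.example.com from 10.0.0.15
Aug  1 10:02:14 gw dnsmasq[812]: query[A] central.qhub.qua.one from 10.0.0.42
Aug  1 10:02:15 gw dnsmasq[812]: query[AAAA] central.qhub.qua.one from 10.0.0.42
Aug  1 10:03:01 gw dnsmasq[812]: query[A] updates.qhub.qua.one from 10.0.0.7
Aug  1 10:03:09 gw dnsmasq[812]: query[A] notcentral.qhub.qua.one.evil.test from 10.0.0.9
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<src>\S+)")


def find_c2_queries(log_lines: Iterable[str], c2_defanged: str) -> List[dict]:
    """Return one record per DNS query that resolves the C2 host or a subdomain."""
    c2 = refang(c2_defanged)
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and matches_c2(m.group("name"), c2):
            hits.append({"src": m.group("src"), "name": m.group("name"),
                         "qtype": m.group("qtype")})
    return hits


def dnsmasq_block_rule(c2_defanged: str) -> str:
    """dnsmasq 'address=/host/ip' rule that sinkholes the C2 host and its subdomains."""
    return f"address=/{refang(c2_defanged)}/0.0.0.0"


if __name__ == "__main__":
    for hit in find_c2_queries(SAMPLE_DNS_LOG.splitlines(), C2_DEFANGED):
        print(f"C2 lookup from {hit['src']}: {hit['name']} ({hit['qtype']})")
    print(dnsmasq_block_rule(C2_DEFANGED))
```

The subdomain match uses a leading dot so that a neighbouring host under the same parent zone, or a longer name that merely contains the C2 string, does not produce a false positive; the hosts that do hit are the ones worth pulling for incident response.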