QNodeService is a modular Node.js-based information-stealing trojan delivered in a number of Covid-19-related campaigns.
QNodeService is distributed as a Java downloader disguised as a variety of documents pertaining to Covid-19 tax relief or business schemes. When opened, this downloader first installs the Node.js runtime before checking the system architecture and downloading the correct version of QNodeService. It will also download a second file that is used to maintain persistence.
Once installed, QNodeService collects user and system information and sends it to a command-and-control (C2) server, then awaits further commands. QNodeService is able to:
- create and delete Run key entries
- download and execute secondary payloads
- edit, delete, or transfer files
- extract user credentials from Chromium and Firefox web browsers
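The delivery chain described above (a Java downloader installing the Node.js runtime, then a Run key entry keeping the Node.js payload resident) leaves two observable traces on an endpoint: a Java process spawning `node.exe`, and a Run key whose value launches `node.exe`. The following is an added detection example, not code from the page or from any malware sample. The event layout (dicts with `event`, `image`, `parent_image`, `key`, `value`) is an assumption loosely modelled on process-creation and registry-set telemetry; real EDR or Sysmon schemas differ, and all sample events, paths and `<placeholder-...>` values are constructed.

```python
"""Defender-side detection of the Java -> Node.js -> Run key chain over
constructed sample telemetry (added example; event schema is an assumption)."""
from __future__ import annotations

import ntpath

# Constructed sample events. The schema is an assumption, not a real product format.
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    # The Java downloader launching the Node.js runtime it just installed.
    {"event": "process_create",
     "image": r"C:\Users\alice\AppData\Local\Temp\node\node.exe",
     "parent_image": r"C:\Program Files\Java\jre\bin\javaw.exe"},
    # Run key persistence pointing at that node.exe (name and script are placeholders).
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\<placeholder-name>",
     "value": r"C:\Users\alice\AppData\Local\Temp\node\node.exe <placeholder-script>.js"},
    # Benign: a developer's node.exe started from a terminal, no Run key involved.
    {"event": "process_create",
     "image": r"C:\Program Files\nodejs\node.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    # Benign Run key for a non-Node.js program.
    {"event": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

JAVA_IMAGES = {"java.exe", "javaw.exe"}
NODE_IMAGES = {"node.exe"}
# Matches both HKCU and HKLM Run keys (compared case-insensitively).
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"


def basename(path: str) -> str:
    """Lower-cased final path component, Windows-style."""
    return ntpath.basename(path).lower()


def parse_command_image(cmdline: str) -> str:
    """Return the executable path from a Run key value (quoted or bare first token)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end != -1 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def is_java_spawning_node(ev: dict) -> bool:
    """Process creation where a Java runtime is the parent of node.exe."""
    return (ev.get("event") == "process_create"
            and basename(ev.get("image", "")) in NODE_IMAGES
            and basename(ev.get("parent_image", "")) in JAVA_IMAGES)


def is_node_run_key(ev: dict) -> bool:
    """Registry write under a Run key whose command launches node.exe."""
    if ev.get("event") != "registry_set":
        return False
    if RUN_KEY_MARKER not in ev.get("key", "").lower():
        return False
    return basename(parse_command_image(ev.get("value", ""))) in NODE_IMAGES


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, rule name) for each suspicious event.

    A Run key pointing at a node.exe that was earlier launched by Java is reported
    under a stronger rule name than a Run key pointing at any node.exe.
    """
    findings: list[tuple[int, str]] = []
    java_dropped_node: set[str] = set()
    for i, ev in enumerate(events):
        if is_java_spawning_node(ev):
            java_dropped_node.add(ev["image"].lower())
            findings.append((i, "java_runtime_spawned_node"))
        elif is_node_run_key(ev):
            image = parse_command_image(ev["value"]).lower()
            rule = ("run_key_points_at_java_dropped_node" if image in java_dropped_node
                    else "run_key_points_at_node")
            findings.append((i, rule))
    return findings


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The correlation step matters for noise: `node.exe` under a Run key is unusual but not unique to this family, so the stronger rule fires only when the same binary path was earlier spawned by a Java runtime, which matches the installation sequence the page describes.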