
Cybercrime, QNodeService campaign via fake DHL invoices

Technical analysis by the Malware Hunter JAMESWT

New global QNodeService campaign via fake DHL invoices

QNodeService is hiding inside a fake DHL invoice as part of a global cybercrime malspam campaign. The message carries a compressed attachment in jar format which, when opened, acts as a Java downloader that fetches the malware. QNodeService is a trojan capable of stealing credentials, loading other payloads onto the computer and performing further operations. It mostly targets Windows systems, but may hit other systems as well in the future.

The fake DHL email

DNS HTTP/HTTPS requests / Connection
