Earlier we had blogged about how JAVA based jRAT malware were evolved in the recent times. At Quick Heal Security Labs, we are actively observing jRAT campaigns happening in the wild. These JAVA malware spread through phishing campaigns. While analyzing one such phishing campaign, we found that an International embassy in India was being targeted by phishers.
The malware used in the phishing campaign was the infamous JAVA malware called jRAT. Phishers sent phishing emails to the official email address of the targeted embassy.
This is how the phishing email looks like.
As shown in the figure above, a fake shipment notification by DHL is sent to the targeted email address. This is an example of a classic phishing email scam. The overall content of the email looks neat and attractive enough to trick the user into opening the attachment in order to know more about this shipment notification. The email attachment “ORIGINAL SHIPPING DOCUMENT.zip” is a ZIP archive file containing a “ORIGINAL SHIPPING DOCUMENT.jar” file. It’s unusual for a shipment notification to have “.jar” file as an attachment. Once the user double clicks on this jar file, the malware is executed. Nowadays, many applications require JAVA/JRE for their execution. So, the chances of having a JAVA/JRE installed on the end user systems are extremely high. This increases every possibility of the execution of the Java-based malware on the targeted system.
Quick Heal detection
This particular phishing attempt carried out on the targeted embassy was successfully blocked by Quick Heal products with its JAVA detection “JAR.Suspicious.A”.
A typical infection chain found in this JRAT phishing campaign is as follows.
As depicted in fig 2, upon execution of the ‘Parent JAR’ malware, it drops 2 VB script files and jRAT malware at ‘%Temp%’ location which are embedded in it. These VB scripts are responsible for identifying different antivirus products as well as firewall products installed on a system. It also checks for ‘Win32_PnpSignedDriver’ pipe which is required to identify a virtual environment. And if this pipe is found to be open, then the malware will stop its activity.
Below are the images of VBS files.
The dropped JRAT file is connected to a CNC domain ‘vvrhhhnaijyj6s2m.onion[.]top‘. This CNC domain is hosted on 126.96.36.199. The reputation of this domain and the IP is malicious according to online scanners. The communication happens over an SSL channel.
At the time of our analysis, the CNC server did not respond with the final payload. Generally, we have observed infostelaer malware being delivered in ongoing jRAT campaigns.
Although phishing is an old technique to spread malware, it is still one of the simple and most effective techniques used by phishers. Using this simple technique of malware distribution, phishers are going after high profile targets such as the internal embassy in this case. We advise our users to stay protected by keeping their antivirus up-to-date with the latest security updates.
Here’s an infographic that explains phishing. And below are some useful tips to stay away from phishing attacks.
Indicators of compromise
DHL Shipment Notification: 85482550044
ORIGINAL SHIPPING DOCUMENT.zip
ORIGINAL SHIPPING DOCUMENT.jar
Subject Matter Experts
Pradeep Kulkarni, Prashant Kadam | Quick Heal Security Labs