
The Story of Manuel’s Java RAT.

Security experts from Cybaze-Yoroi ZLab investigated two malicious spam campaigns delivering a Java RAT that show some similarities.

Introduction

During the last weeks, the Cybaze-Yoroi ZLab researchers identified infection attempts aimed at installing RAT malware and directed at the naval industry sector. The malicious email messages carried a particular Adwind/JRat variant, delivered via several methods tailored to lure the target company.

In the recent past, similar attacks hit this industry, such as the MartyMcFly case, where the attackers weaponized their emails with Quasar RAT payloads. In this case, instead, Cybaze-Yoroi ZLab detected the use of multi-platform Java malware.

Technical analysis

A preliminary analysis of the two malicious email waves shows no strict common indicators: the SMTP infrastructure detected on the 16th and 17th differs from that of the 21st, the attachment types do not match (the first wave carried .jar attachments, the second ZIP archives and JS scripts), and the email themes differ too.

In detail, the first email wave was prepared to simulate a purchase order, trying to impersonate administrative personnel of an Italian company operating in the hydraulic and lifting sectors, “Difast Srl”. These messages were written in Italian.

The second email wave, instead, was no longer in Italian. This time the attackers were trying to impersonate a German logistics company, “Dederich Spedition”, simulating another kind of purchase order communication.

However, we figured out these two email waves were linked to the same attacker.

Dissecting the Stage1

The following attachments have been analyzed by Cybaze-Yoroi Zlab team:

SHA256: a17b18ba1d405569d3334f4d7c653bf784f07805133d7a1e2409c69c67a72d99
Threat: JAR/Dropper
ssdeep: 12288:1zdaHanWmyPL64RrYzX/6ZjHfTMmy7KUBjycRKXsfp330VPMsCXtZcLzSU:1zUHanW3DJRr0/ubfTK3hycjfx30VPMw

SHA256: cb5389744825a8a8d97c0dce8eec977ae6d8eeca456076d294c142d81de94427
Threat: JAR/Dropper
ssdeep: 12288:LR9aQ+oSsyJZVqhoae1yjocYKLCpOo5q/mOmFgnxhQZMR:C4yuoCoflp1DFOxx

SHA256: 5b7192be8956a0a6972cd493349fe2c58bc64529aa1f62b9f0e2eaebe65829be
Threat: JS/Dropper
ssdeep: 12288:Vhz+1VYSCR8TedejbWcGrwmzt7cOk6O6vJX9SxmN6QjH9HJW93awECdf66bC8a:rzbsedejF1k1BXFRVJjXl

The first two samples were attached to the suspicious emails sent from 16th January onward; the last one was embedded in the 21st January emails.

Analyzing the first two JAR archives in detail, it is possible to see that the source code is the same, except for the names of the declared classes. Thus, the analysis was conducted on only one of them.

Figure 2 – Comparison between the two JAR file droppers

Unlike the JAR samples, the JS file has a different structure, as visible in the following figure.

Figure 3 – Code snippet of the JS file dropper

Despite the different code structures and programming languages, all the dropper samples carry the same encoded payload strings.

The string assigned to the variable named “duvet” hides another layer of code. The obfuscation is simple: replace every occurrence of the “#@>” sequence with the letter “m”, then base64-decode the result. The decoded output is visible in the following figure:

Figure 4 – First decoding step of the base64-encoded string

In the code snippet above, a routine checks whether a Java environment exists on the victim machine: if it is not installed, it downloads the JRE from an external location, a potentially compromised third-party website, “hxxp://www[.]thegoldfingerinc[.]com/images/jre.zip”.

Figure 5 – Open directory used by malware to download jre.zip component

After downloading the JRE archive, the malware installs it on the victim machine. At this point the malware establishes persistence by setting the typical “CurrentVersion\Run” registry key.

Figure 7 – Registry key set by the malware

After several further deobfuscation rounds of the nested base64 strings, the final result is:

Figure 8 – result of decrypted code
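The substitution-plus-base64 scheme described above (replace “#@>” with “m”, base64-decode, repeat on whatever encoded strings the next layer contains) is simple enough to automate. The following script is an added example written for this page, not code from the analysis or the malware: it peels nested layers recursively, stopping at a JAR (ZIP magic) or at a layer that is plain code rather than base64. Because the page only shows the real strings as screenshots, the fixture is constructed in build_sample() by applying the same obfuscation in reverse; the variable names (duvet, longText, longText1) and the nesting depth are assumptions that mirror the text, and hasJre()/download() are placeholders.

```python
from __future__ import annotations

import base64
import binascii
import re

MARKER = "#@>"              # the dropper writes this sequence in place of 'm'
JAR_MAGIC = b"PK\x03\x04"   # ZIP local-file header: a JAR begins this way

# Long quoted strings inside a decoded code layer (duvet, longText, longText1 ...)
QUOTED_BLOB = re.compile(r'"([A-Za-z0-9+/=#@>]{32,})"')
# A layer that is nothing but (possibly line-wrapped) encoded text
BARE_BLOB = re.compile(r"^[A-Za-z0-9+/=#@>\s]+$")


def obfuscate(data: bytes) -> str:
    """Inverse of one decoding round, used only to build the fixture:
    base64-encode, then hide every 'm' behind the marker."""
    return base64.b64encode(data).decode("ascii").replace("m", MARKER)


def decode_layer(blob: str) -> bytes:
    """Undo one round: restore 'm', drop whitespace, re-pad, decode strictly.
    validate=True makes a layer that is really code (spaces, brackets,
    semicolons) raise instead of decoding to garbage, which is how the
    recursion knows where the encoding stops."""
    restored = "".join(blob.replace(MARKER, "m").split())
    restored += "=" * (-len(restored) % 4)
    return base64.b64decode(restored, validate=True)


def candidates(text: str) -> list[str]:
    """Encoded blobs worth peeling inside a decoded layer."""
    found = QUOTED_BLOB.findall(text)
    if not found and BARE_BLOB.match(text):
        found = ["".join(text.split())]
    return found


def unwrap(blob: str, depth: int = 0, max_depth: int = 16) -> list[tuple[int, bytes]]:
    """Peel nested layers recursively. Returns (depth, payload) for each leaf:
    a JAR (ZIP magic), non-text data, or a code layer holding no more blobs."""
    if depth > max_depth:
        return []
    try:
        decoded = decode_layer(blob)
    except (binascii.Error, ValueError):
        return []
    if decoded.startswith(JAR_MAGIC):
        return [(depth, decoded)]
    try:
        text = decoded.decode("ascii")
    except UnicodeDecodeError:
        return [(depth, decoded)]
    leaves: list[tuple[int, bytes]] = []
    for inner in candidates(text):
        leaves.extend(unwrap(inner, depth + 1, max_depth))
    return leaves or [(depth, decoded)]


def build_sample() -> str:
    """Constructed fixture (not the real dropper strings): duvet -> JRE-check
    code -> a stage holding longText (a fake JAR) and longText1 (the unused
    port-7755 listener code). hasJre()/download() are placeholder names."""
    fake_jar = JAR_MAGIC + b"\x14\x00\x00\x00" + b"META-INF/MANIFEST.MF"
    listener = b"var srv = new java.net.ServerSocket(7755); // localhost listener"
    stage = 'var longText = "%s";\nvar longText1 = "%s";' % (
        obfuscate(fake_jar), obfuscate(listener))
    installer = ('if (!hasJre()) { download("jre.zip"); }\n'
                 'var duvetNext = "%s";' % obfuscate(stage.encode()))
    return obfuscate(installer.encode())   # this is the "duvet" string


if __name__ == "__main__":
    for depth, payload in unwrap(build_sample()):
        kind = "JAR" if payload.startswith(JAR_MAGIC) else "code"
        print(f"depth {depth}: {kind} {payload[:40]!r}")
```

On a real sample you would feed unwrap() the value of the “duvet” string taken from the dropper; the JAR leaf can be written to disk and inspected with the usual tooling, while the code leaves are the installer and listener routines shown in the figures.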

The “longText” variable hides the final payload: another .jar file. Decoding the “longText1” variable instead yields the following code snippet:

Figure 9 – Fake listener on localhost set by the malware, possibly for evasion

This code, which creates a localhost listener, or a sort of proxy, on port 7755, is not actually used by the rest of the RAT malware.

Converging to the Java RAT Payload

As anticipated, the “longText” variable encodes a JAR executable containing the infamous multi-platform (Win/macOS) Adwind/JRat malware, a Remote Access Tool well known to the InfoSec community.

SHA256: 9b2968eaeb219390a81215fc79cb78a5ccf0b41db13b3e416af619ed5982eb4a
Threat: Adwind/JRAT
ssdeep: 12288:jz8uQYmMzFIXJ9A2G5pxogQNUhIK/0c2qnAv:EuQ/ImYnsS7B2qnk

The code structure shown in the following figure indicates that this is the canonical Adwind/JRat malware, which carries the “JRat.io” false flag.

Figure 10 – Structure of JRat malware

Finally, we extracted the configuration of the RAT payload, the JSON object reported in the following snippet.

{
  "NETWORK": [
    {
      "PORT": 9888,
      "DNS": "185.244.30.93"
    }
  ],
  "INSTALL": true,
  "MODULE_PATH": "KXA/Gzd/Sb.Po",
  "PLUGIN_FOLDER": "vuVCbHOEGdl",
  "JRE_FOLDER": "bvDMbv",
  "JAR_FOLDER": "oJYFGyiYDKG",
  "JAR_EXTENSION": "gHPrve",
  "ENCRYPT_KEY": "PqKOsNWuSwYdlCTuCJPnAGXoL",
  "DELAY_INSTALL": 2,
  "NICKNAME": "MANUEL1986",
  "VMWARE": false,
  "PLUGIN_EXTENSION": "xSgaW",
  "WEBSITE_PROJECT": "https://jrat.io",
  "JAR_NAME": "GErbOAiLUBf",
  "JAR_REGISTRY": "NVxqGXNfpjm",
  "DELAY_CONNECT": 2,
  "VBOX": false
}

The remote destination address 185.244.30.93, belonging to the “Stajazk VPN” service, hosts the control server, reachable on port tcp/9888. The configuration also reveals the nickname field, containing the string “MANUEL1986”.

The use of a VPN service hides the real location of the attacker; however, the specific IP is not new to the threat intelligence community: it has been abused since October 2018. Particularly interesting is the presence of the No-IP domain “manuel.hopto.org”, which also resolved to Nigerian IP addresses in 37076-EMTS-NIGERIA-AS and to the Italian AS1267 back in 2012-2014.

Figure 11 – Last DNS resolutions of the JRat C2 domain “manuel.hopto.org”
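The configuration quoted above is what an analyst turns into indicators and host-level hunting clues. The script below is an added example for this page, not code from the analysis or from the jRAT project: it normalises the typographic quotes a copy-paste from the page produces, parses the JSON, pulls out the C2 endpoint and the on-disk names the RAT will use. Two things are assumptions rather than facts stated on the page: that the installed copy is named JAR_NAME.JAR_EXTENSION inside JAR_FOLDER with JAR_REGISTRY as the Run-key value name (the usual jRAT builder semantics), and that VMWARE/VBOX set to true would make the RAT abort when that hypervisor is detected, so false means it runs in sandboxes.

```python
from __future__ import annotations

import ipaddress
import json

# The configuration extracted from the Adwind/JRat payload, as quoted in the
# analysis above, kept with the typographic quotes a copy-paste produces so
# that the normalisation step is exercised.
RAW_CONFIG = """{
“NETWORK”:[
{
“PORT”:9888,
“DNS”:”185.244.30.93″
}
],
“INSTALL”:true,
“MODULE_PATH”:”KXA/Gzd/Sb.Po”,
“PLUGIN_FOLDER”:”vuVCbHOEGdl”,
“JRE_FOLDER”:”bvDMbv”,
“JAR_FOLDER”:”oJYFGyiYDKG”,
“JAR_EXTENSION”:”gHPrve”,
“ENCRYPT_KEY”:”PqKOsNWuSwYdlCTuCJPnAGXoL”,
“DELAY_INSTALL”:2,
“NICKNAME”:”MANUEL1986″,
“VMWARE”:false,
“PLUGIN_EXTENSION”:”xSgaW”,
“WEBSITE_PROJECT”:”https://jrat.io”,
“JAR_NAME”:”GErbOAiLUBf”,
“JAR_REGISTRY”:”NVxqGXNfpjm”,
“DELAY_CONNECT”:2,
“VBOX”:false
}"""

# Left/right double quotes and the double-prime that WordPress likes to emit.
TYPOGRAPHIC_QUOTES = {"\u201c": '"', "\u201d": '"', "\u2033": '"'}


def parse_config(raw: str) -> dict:
    """Normalise quotes, then parse as strict JSON."""
    cleaned = raw
    for bad, good in TYPOGRAPHIC_QUOTES.items():
        cleaned = cleaned.replace(bad, good)
    return json.loads(cleaned)


def host_kind(host: str) -> str:
    """'ip' for a literal address, 'domain' otherwise (jRAT accepts both)."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "domain"


def c2_endpoints(cfg: dict) -> list[tuple[str, int, str]]:
    """Every (host, port, kind) the RAT is configured to call back to."""
    return [(n["DNS"], int(n["PORT"]), host_kind(n["DNS"])) for n in cfg.get("NETWORK", [])]


def defang(host: str) -> str:
    return host.replace(".", "[.]")


def install_artifacts(cfg: dict) -> dict[str, str]:
    """Names to hunt for on disk / in the registry. ASSUMPTION: jRAT builder
    semantics (JAR_FOLDER/JAR_NAME.JAR_EXTENSION, JAR_REGISTRY = Run value),
    not something the analysis states explicitly."""
    return {
        "jar": f"{cfg['JAR_FOLDER']}/{cfg['JAR_NAME']}.{cfg['JAR_EXTENSION']}",
        "jre": cfg["JRE_FOLDER"],
        "plugins": f"{cfg['PLUGIN_FOLDER']}/*.{cfg['PLUGIN_EXTENSION']}",
        "run_key_value": cfg["JAR_REGISTRY"],
    }


def vm_checks(cfg: dict) -> list[str]:
    """Hypervisors the RAT refuses to run under. ASSUMPTION: true = abort when
    detected; the sample has both false, so it will run in a sandbox."""
    return [k for k in ("VMWARE", "VBOX") if cfg.get(k)]


def summarize(raw: str) -> dict:
    cfg = parse_config(raw)
    return {
        "c2": [f"{defang(h)}:{p} ({kind})" for h, p, kind in c2_endpoints(cfg)],
        "nickname": cfg.get("NICKNAME"),
        "artifacts": install_artifacts(cfg),
        "vm_checks": vm_checks(cfg),
        "delays_s": {"install": cfg.get("DELAY_INSTALL"), "connect": cfg.get("DELAY_CONNECT")},
    }


if __name__ == "__main__":
    print(json.dumps(summarize(RAW_CONFIG), indent=2))
```

The randomised folder and extension names are the most useful host-side indicators here: a process tree where javaw.exe loads a file with a nonsense extension such as .gHPrve from a nonsense folder is exactly what this configuration produces, and the same parser works unchanged on other jRAT configs because only the values differ.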

Conclusions

The analyzed case shows how threat actors may quickly vary their attack techniques and artifact characteristics, trying to mask their intent and make their attempts harder to track. This proves that the investigative capabilities of a threat research team are fundamental in a modern cyber security paradigm.

The specific attack waves are not likely related to the MartyMcFly campaign discovered a few months earlier.

Further details, including IoCs and Yara Rules, are reported in the analysis published on the Yoroi blog.

https://blog.yoroi.company/research/the-story-of-manuels-java-rat/

Pierluigi Paganini

(SecurityAffairs – Java RAT, malware)
