loader gif

Newly updated jRAT comes with tricks to evade parsing, detection and reverse-engineering

Newly updated jRAT comes with tricks to evade parsing, detection and reverse-engineering
  • The new version of jRAT was first spotted by Symantec in November 2017.
  • It sports various nefarious capabilities including keystroke logging, capturing screenshots, the ability to access webcam and file system to alter files and more.

Security researchers have spotted a new version of the cross-platform remote access Trojan - jRAT - that comes with a few more tricks to evade detection and analysis. According to researchers at Symantec, the jRAT version was first spotted in early November 2017 and features several techniques to evade parsing, detection and even prevent itself from being reverse-engineered.

Between March and April this year, researchers noticed its number swell by more than 300% from 333 to 1,071. However, they believe there could be a few reasons why there haven't been a significant number of hits for this jRAT version so far.

The Trojan could be particularly stealthy, difficult to detect and only leveraged in targeted attacks, researchers said. It may also not be widely adopted yet by attackers.

"While the volumes of these attacks are on the lower side, this jRAT has shown that it is quite capable and can go undetected with minimum presence and anti-parsing methods," Symantec researchers wrote in a blog post. "The malware mainly targets the financial sector, but we’ve also seen infections in the service, communications, hospitality, government, and energy sectors."

Modus Operandi

The new jRAT version is currently being spread via specially-crafted spam emails designed to entice victims into clicking through and opening the malicious attachment. The spam emails observed were designed around commonly used themes such as proof of payment, transfer error, invoices, wire instructions, transfer details conformation, credit advice and more.

The malicious email comes with a JAR file attachment with a surprise MZ header and two corrupt MX files prepended before the JAR file to thwart both MZ parsers and Java parsers.

"The MZ files cannot be parsed due to a broken PE structure; the files appear to be full MZ but apparently are used only for evading parsers," researchers explained. "This may be considered a defense layer to protect the JAR file from being reverse-engineered. Surprisingly, Java is still able to load and execute this JAR file as weaker zip parsing implementations rely on end of central directory record and parses the content to locate and execute main class."

Meanwhile, the wrapper JAR file drops another JAR file and copies it to a %Temp% location that can be extracted using AES decryption. This file runs every time Windows starts, connects to its command and control (C&C) server, and uses a WMIC interface to detect AV products installed on the infected system.

"The configuration file and key file are visible, but the former is AES-encrypted," researchers added.

Range of data-stealing capabilities

The new jRAT version sports several capabilities including keystroke logging, capturing screenshots, playing an audio message, the ability to access webcam and file system to access, alter, download and execute files.

It also be run on several platforms such as Windows, Linux, Android, FreeBSD, OpenBSD, OSX, and Solaris.

"With these capabilities, the malware can violate victims’ privacy and capture and exfiltrate confidential information from target organizations," researchers said.

loader gif