In recently observed attacks, the jRAT backdoor was using crypter services hosted on the dark web to evade detection, Trustwave security researchers have discovered.
Also known as Adwind, AlienSpy, Frutas, Unrecom, and Sockrat, the jRAT malware is a Windows-based Remote Access Trojan (RAT) discovered several years ago that has already infected nearly half a million users between 2013 and 2016. The threat has been hitting organizations all around the world and was recently spotted as part of an ongoing campaign.
jRAT allows its operators to control it remotely to achieve complete control of the infected system. With the help of this backdoor, attackers can capture keystrokes, exfiltrate credentials, take screenshots, and access the computer’s webcam, in addition to executing binaries on the victim’s system.
“It is highly configurable to whatever the attacker’s motive may be. jRAT has been commercially available to the public as a RAT-as-a-service business model for as little as $20 for a one-month use,” Trustwave notes.
Starting early this year, Trustwave security researchers observed a spike in spam messages delivering the malware and also noticed that security reports tend to misclassify the Java-based RAT due to the use of said crypter service.
The malware was being distributed through malicious emails carrying either an attachment or a link. The emails would pose as invoices, quotation requests, remittance notices, shipment notifications, and payment notices.
The recently analyzed samples, the researchers say, revealed that the same tool or service was used to obfuscate all of them. Furthermore, all of them attempted to download a JAR file from a Tor domain that turned out to be a service hosted by QUAverse.
QUAverse (QUA) is linked to QRAT, a RAT-as-a-service platform developed in 2015 which is seen as one of jRAT’s competitors. The presence of these artifacts were able to set investigators on the wrong path, but the de-obfuscated and decrypted samples were found to be indeed jRAT samples.
What Trustwave discovered was that jRAT uses a service from QUAverse called Qrypter. This is a Crypter-as-a-Service platform that makes Java JAR applications fully undetectable by morphing variants of the same file. For a certain fee, the service morphs a client’s JAR file periodically to avoid being detected by antivirus products.
“We believe that the service monitors multiple AV products pro-actively and once it determines that the malware variant is being detected, it then re-encrypts the file thus producing a new mutant variant that is undetectable for a certain time period,” Trustwave notes.
When executed, jRAT downloads a new, undetectable copy of itself from the service and drops it on the infected machine’s %temp% directory. The malware then executes and installs the newly crypted jar file.
By using the Qrypter service, the backdoor leverages a third-party crypter feature that should allow it to become fully undetectable, the security researchers point out.
“While jRAT actors have been actively spamming malicious JAR files for several months, one of the hurdles in infecting their target is how easily they are being detected. Perhaps using the Qrypter service makes it easier for them to evade email gateways and antivirus engines,” Trustwave notes.