{"id":84515,"date":"2017-07-17T12:11:56","date_gmt":"2017-07-17T06:41:56","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=84515"},"modified":"2017-07-17T12:17:34","modified_gmt":"2017-07-17T06:47:34","slug":"technical-analysis-java-rat-remote-access-trojan-malware-2","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/technical-analysis-java-rat-remote-access-trojan-malware-2\/","title":{"rendered":"A technical analysis of the Java RAT (Remote Access Trojan) Malware"},"content":{"rendered":"

Remote Access Trojans are programs that allow attackers to gain unauthorized access to a targeted computer without the victim\u2019s knowledge. Java RAT malware is a Trojan-Dropper written in Java. It is designed to steal passwords, access files, for keylogging (recording what the user types on the keyboard) and for screen-capture. Information collected by a RAT is forwarded to a remote server controlled by the attacker.<\/p>\n

Distribution Method<\/strong>
\nA Java RAT malware arrives via spam emails that contain malicious attachments (fig 1).<\/p>\n

\"java-rat1\"
Fig 1<\/figcaption><\/figure>\n

How Java RAT gets into a system<\/strong><\/p>\n

Once a JAR file is executed, it drops a copy of itself onto the below path with the name \u2018LyOCtxhwRyz.yrDUql\u2019<\/p>\n

Path: %userprofile%\\ YzQqKjGoxHz(Hidden Folder)<\/p>\n

For example,\u00a0 C:\\Users\\Public\\YzQqKjGoxHz<\/p>\n

\"Fig
Fig 2<\/figcaption><\/figure>\n

The malware drops the following files:<\/strong><\/p>\n

C:\\Users\\Public\\YzQqKjGoxHz\\ID.txt<\/p>\n

C:\\Users\\Public\\AppData\\Local\\Temp\\OlfYXmVqfL9024669788070560515.reg<\/p>\n

%temp%\\Retrive2638932198378221530.vbs<\/p>\n

%temp%\/\\ _0.354484486304158635925511204328476438.class<\/p>\n

%Application Data%\\Oracle\\ (Contains copy of files from java installation folder)<\/p>\n

It creates the following folders:<\/strong><\/p>\n

C:\\Users\\Public\\YzQqKjGoxHz (Contains copy of actual malware i.e JAR file)<\/p>\n

C:\\Users\\Public\\fUTkALeaTxM<\/p>\n

The below registry entry dropped by the malware is used to launch itself every time the system boots and download the executable file to infect the system.<\/p>\n

\"Fig
Fig 3<\/figcaption><\/figure>\n

The malware adds the below registry entries to disable security solutions and different analysis tools.<\/p>\n

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\procexp.exe]<\/p>\n

“debugger”=”svchost.exe”<\/p>\n

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\wireshark.exe]<\/p>\n

“debugger”=”svchost.exe”<\/p>\n

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\SCANNER.EXE]<\/p>\n

“debugger”=”svchost.exe”<\/p>\n

Quick Heal Detection<\/strong><\/p>\n

Quick Heal real-time protection detects the JAR file and its component as \u2018Trojan.JAVA.Agent.JRAT\u2019 and \u2018Trojan.JAVA.Agent.JJ\u2019<\/p>\n

\"Fig
Fig 4<\/figcaption><\/figure>\n

Security measures to stay away from Java RAT <\/strong><\/p>\n

    \n
  1. Do not click on links or download attachments that arrive in emails from unwanted or unexpected sources.<\/li>\n
  2. Apply recommended security updates for your computer\u2019s Operating System and all other programs such as Adobe, Java, Internet browsers, etc.<\/li>\n
  3. Use an antivirus software that gives layers of protection against infected emails and malicious websites. Keep the software up-to-date.<\/li>\n
  4. Take regular backups of your important data.<\/li>\n
  5. Free software, especially those with unverified publishers are usually used by attackers to spread malware. Always go for genuine and licensed software.<\/li>\n<\/ol>\n

     <\/p>\n

    ACKNOWLEDGMENT
    \n<\/strong>Subject Matter Expert<\/p>\n

      \n
    • Anita Ladkat | Quick Heal Security Labs<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"

      Remote Access Trojans are programs that allow attackers to gain unauthorized access to a targeted computer without the victim\u2019s knowledge. Java RAT malware is a Trojan-Dropper written in Java. It is designed to steal passwords, access files, for keylogging (recording what the user types on the keyboard) and for screen-capture. Information collected by a RAT […]<\/p>\n","protected":false},"author":29,"featured_media":84512,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,5],"tags":[1478,1477],"class_list":["post-84515","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-security","tag-java-rat-malware","tag-remote-access-trojan"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84515"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/29"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=84515"}],"version-history":[{"count":3,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84515\/revisions"}],"predecessor-version":[{"id":84518,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/84515\/revisions\/84518"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84512"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=84515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=84515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=84515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}