{"id":85501,"date":"2018-01-16T10:39:15","date_gmt":"2018-01-16T05:09:15","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=85501"},"modified":"2018-01-30T12:33:03","modified_gmt":"2018-01-30T07:03:03","slug":"quick-heal-thwarts-attempts-java-jrat-phishing-campaign-targeting-international-embassy-india","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/quick-heal-thwarts-attempts-java-jrat-phishing-campaign-targeting-international-embassy-india\/","title":{"rendered":"Quick Heal thwarts attempts of a JAVA jRAT phishing campaign targeting an international embassy in India"},"content":{"rendered":"

Earlier\u00a0we had blogged\u00a0about how JAVA based jRAT<\/a>\u00a0malware were evolved in\u00a0the\u00a0recent times. At Quick Heal Security Labs, we are actively observing jRAT campaigns happening\u00a0in the wild. These JAVA malware\u00a0spread through phishing campaigns. While analyzing one such phishing campaign, we found that\u00a0an\u00a0International embassy in India\u00a0was\u00a0being\u00a0targeted\u00a0by\u00a0phishers.<\/p>\n

The malware used\u00a0in\u00a0the\u00a0phishing\u00a0campaign\u00a0was\u00a0the\u00a0infamous JAVA malware called jRAT.\u00a0 Phishers sent phishing emails\u00a0to\u00a0the official\u00a0email address of\u00a0the targeted embassy.<\/p>\n

This is how\u00a0the phishing email\u00a0looks like.<\/p>\n

\"Fig
Fig 1. Phishing email sent to the targeted embassy <\/strong><\/figcaption><\/figure>\n

As shown in the figure above, a fake shipment notification by\u00a0DHL is sent to\u00a0the targeted email address. This\u00a0is an example of a classic\u00a0phishing email\u00a0scam.\u00a0The overall content of the email looks neat and attractive\u00a0enough to trick the user into\u00a0opening\u00a0the attachment in order to know more about this shipment notification. The email attachment “ORIGINAL SHIPPING\u00a0<\/i>DOCUMENT.zip<\/i>”\u00a0is a ZIP archive file containing\u00a0a\u00a0“ORIGINAL SHIPPING DOCUMENT.jar<\/i>” file.\u00a0It\u2019s unusual\u00a0for\u00a0a shipment notification to have “.jar<\/a>” file as an\u00a0attachment. Once the user double clicks on this jar file,\u00a0the malware is executed. Nowadays,\u00a0many applications require\u00a0JAVA\/JRE for their execution. So,\u00a0the chances of having\u00a0a\u00a0JAVA\/JRE installed on\u00a0the\u00a0end user systems are\u00a0extremely\u00a0high. This increases every possibility of the execution of\u00a0the Java-based malware on\u00a0the targeted system.<\/p>\n

Quick Heal detection<\/b><\/p>\n

This particular phishing attempt\u00a0carried out on the targeted embassy was successfully blocked by Quick Heal products with its JAVA detection “JAR.Suspicious.A”.<\/p>\n

Infection Chain<\/b><\/p>\n

A\u00a0typical infection chain found\u00a0in\u00a0this\u00a0JRAT phishing campaign\u00a0is as follows.<\/p>\n

\"Fig
Fig 2. Infection Chain – jRAT phishing campaign<\/strong><\/figcaption><\/figure>\n

Technical details<\/b><\/p>\n

As depicted in\u00a0fig 2, upon execution of\u00a0the\u00a0‘Parent JAR’ malware,\u00a0it drops 2 VB script files and jRAT malware at ‘%Temp%’ location which are embedded\u00a0in\u00a0it. These VB scripts are responsible for identifying different antivirus products as well as firewall products installed\u00a0on a\u00a0system. It also checks for ‘Win32_PnpSignedDriver’ pipe which is required\u00a0to identify\u00a0a virtual environment. And if this pipe\u00a0is\u00a0found to be open,\u00a0then\u00a0the malware\u00a0will stop its activity.<\/p>\n

Below are the images of VBS files.<\/p>\n

\"Fig
Fig 3. VBS file to identify installed antivirus products.<\/strong><\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 4. VBS file to identify installed firewall products.<\/strong><\/figcaption><\/figure>\n

The dropped JRAT file\u00a0<\/span><\/span>is\u00a0<\/span><\/span>connected to\u00a0<\/span><\/span>a\u00a0<\/span><\/span>CNC domain ‘<\/span><\/span>vvrhhhnaijyj6s2m.onion[.]top<\/span><\/span>‘.\u00a0<\/span><\/span>This CNC domain is hosted on 46.246.120.179.<\/span><\/span>\u00a0<\/span><\/span>The reputation of\u00a0<\/span><\/span>this\u00a0<\/span><\/span>domain and\u00a0<\/span><\/span>the IP is malicious according to\u00a0<\/span><\/span>online scanners. The communication happens over\u00a0<\/span><\/span>an\u00a0<\/span><\/span>SSL channel.\u00a0<\/span><\/span>\u00a0<\/span><\/p>\n

\"Fig
Fig 5. Connection with a CNC domain<\/strong><\/figcaption><\/figure>\n

 <\/p>\n

\"Fig
Fig 6. Decoded SSL certificate.<\/strong><\/figcaption><\/figure>\n

At the time of\u00a0our\u00a0analysis,\u00a0the CNC server did not respond with\u00a0the\u00a0final payload. Generally,\u00a0we have observed\u00a0infostelaer malware being delivered in ongoing jRAT campaigns.<\/p>\n

Although phishing\u00a0is an\u00a0old technique to spread malware,\u00a0it is\u00a0still one of the simple and\u00a0most\u00a0effective techniques\u00a0used by phishers. Using this simple\u00a0technique\u00a0of malware distribution,\u00a0phishers are\u00a0going after\u00a0high profile targets such as\u00a0the internal embassy in\u00a0this case. We advise our users to stay protected by keeping their\u00a0antivirus<\/a>\u00a0up-to-date with the latest security updates.<\/p>\n

Security m<\/b>easures<\/b><\/p>\n

Here\u2019s an\u00a0infographic<\/a>\u00a0that explains phishing.\u00a0\u00a0And below are some useful tips to stay away from phishing attacks.<\/p>\n