The Story of Manuel’s Java RAT.

Pierluigi Paganini January 25, 2019

Security experts from Cybaze-Yoroi ZLab investigated two malicious spam campaigns delivering Java RAT that show some similarities.

Introduction

During the last weeks, the Cybaze-Yoroi ZLab researchers identified infection attempts aimed to install RAT malware directed to the naval industry sector. The malicious email messages contained a particular Adwind/JRat variant delivered via several methods tailored to lure the target company. 

In the recent past, similar attack cases hit this industry, such as the MartyMCFly case, where the attackers weaponized their emails with QasarRAT payloads. Instead, in this case, Cybaze-Yoroi ZLab detected the usage of multiplatform Java malware.

Technical analysis

A preliminary analysis of the two malicious email waves shows no common strict indicators: the smtp infrastructure detected on the 16th and 17th is different from the 21tst one, the attachment type didn’t match, in fact, the first ones contained .jar attachments, the second ones ZIP archives and JS scripts, and the email theme was different too.

In detail, the first email wave has been prepared to simulate a purchase order, trying to impersonate administrative personnel of an italian company operating in the Hydraulic and Lifting sectors,  “Difast Srl”. These messages were written in Italian.

The second email wave, instead, was not Italian speaking anymore. This time the attacker were trying to impersonate a German logistic company, “Dederich Spedition”, simulating another kind of purchase order communication.

However, we figured out these two email waves were linked to the same attacker.

Dissecting the Stage1

The following attachments have been analyzed by Cybaze-Yoroi Zlab team:

HashSha 256:a17b18ba1d405569d3334f4d7c653bf784f07805133d7a1e2409c69c67a72d99
ThreatJAR/Dropper
ssdeep12288:1zdaHanWmyPL64RrYzX/6ZjHfTMmy7KUBjycRKXsfp330VPMsCXtZcLzSU:1zUHanW3DJRr0/ubfTK3hycjfx30VPMw
HashSha256:cb5389744825a8a8d97c0dce8eec977ae6d8eeca456076d294c142d81de94427
ThreatJAR/Dropper
ssdeep12288:LR9aQ+oSsyJZVqhoae1yjocYKLCpOo5q/mOmFgnxhQZMR:C4yuoCoflp1DFOxx
HashSha256:5b7192be8956a0a6972cd493349fe2c58bc64529aa1f62b9f0e2eaebe65829be
ThreatJS/Dropper
ssdeep12288:Vhz+1VYSCR8TedejbWcGrwmzt7cOk6O6vJX9SxmN6QjH9HJW93awECdf66bC8a:rzbsedejF1k1BXFRVJjXl

The first two malware samples were attached to the suspicious emails sent since 16th January. The last was embedded into the 21st January emails. 

Analyzing in detail the first two JAR archives, it’s possible to see the source code is the same, except for name of the declared classes. Thus, the analysis are conducted only on one of them. 

Figure 2 – Comparison between two jar file dropper

Differently from other ones, the JS file has a different structure how visible in the following figure.

Figure 3 – Code snippet of js file dropper

Despite the different structures of code and programming languages, all the dropper samples have the same encoded payload strings.

The string labeled with the variable name “duvet” hides another layer of code. The obfuscation method is quite easy: just replace the “#@>” character with “m”, and convert all from base64. The results of decryption is visible in the following figure:

Table 4 – First step decryption of base64 encoded string

In the previous code snippet, a malware routine checks the existence of the Java environment on the victim machine: if it is not installed it downloads the JRE environment from an external location, a potentially compromised third party website  “hxxp://www[.thegoldfingerinc[.]com/images/jre.zip”.

Figure 5 – Open directory used by malware to download jre.zip component

After downloading the JRE archive, the malware installs it on the victim machine. At this point, the malware triggers the persistence mechanism and sets the typical “CurrentVersion\Run” registry key.

Figure 7  – Register key setted by the malware

After many deobfuscation rounds of the nested base64 strings recovered, the final results is:

Figure 8 – result of decrypted code

The “longText” variable hides the final payload: another .jar file. Instead, decoding the variable “longText1”, we retrieved the following code snippet:

Figure 9 – fake listener on localhost setted by the malware in case of evasion

This code, able to create a localhost listener or a sort of proxy on port 7755, is actually unused by the other part of the RAT malware.

Converging to the Java RAT Payload

As anticipated before, the “longText” variable encodes a JAR executable containing the infamous, multi-platform (Win/macOS), Adwind/JRat malware: a Remote Access Tool well known to the InfoSec community.

HashSha256:9b2968eaeb219390a81215fc79cb78a5ccf0b41db13b3e416af619ed5982eb4a
ThreatAdwind/JRAT
ssdeep12288:jz8uQYmMzFIXJ9A2G5px
ogQNUhIK/0c2qnAv:EuQ/ImYnsS7B2qnk

The structure of the code seen in the above figure, indicates the fact that it is the canonical Adwind/JRat malware, containing the “JRat.io” false flag.

Figure 10 – Structure of JRat malware

Finally, we extrapolated the configuration of the RAT payload, the JSON object reported in the following snippet.

  1. {
  2. “NETWORK”:[
  3. {
  4. “PORT”:9888,
  5. “DNS”:”185.244.30.93″
  6. }
  7. ],
  8. “INSTALL”:true,
  9. “MODULE_PATH”:”KXA/Gzd/Sb.Po”,
  10. “PLUGIN_FOLDER”:”vuVCbHOEGdl”,
  11. “JRE_FOLDER”:”bvDMbv”,
  12. “JAR_FOLDER”:”oJYFGyiYDKG”,
  13. “JAR_EXTENSION”:”gHPrve”,
  14. “ENCRYPT_KEY”:”PqKOsNWuSwYdlCTuCJPnAGXoL”,
  15. “DELAY_INSTALL”:2,
  16. “NICKNAME”:”MANUEL1986″,
  17. “VMWARE”:false,
  18. “PLUGIN_EXTENSION”:”xSgaW”,
  19. “WEBSITE_PROJECT”:”https://jrat.io”,
  20. “JAR_NAME”:”GErbOAiLUBf”,
  21. “JAR_REGISTRY”:”NVxqGXNfpjm”,
  22. “DELAY_CONNECT”:2,
  23. “VBOX”:false
  24. }

The remote destination address 185.244.30.93, belonging to “Stajazk VPN” services,  hosts the control server reachable on port tcp/9888. Also, the configuration reveal the  nickname field containing the string “MANUEL1986”. 

The usage of the VPN service hides the real location of the attacker, however, the specific IP isn’t new to the threat intel community, it has been abused since october 2018. Particularly interesting is the presence of the No-IP domain “manuel.hopto.org”: this domain also resolved Nigerian IP addresses of the 37076-EMTS-NIGERIA-AS, and and the Italian AS1267 back in 2012-2014.

Figure 11 – “manuel.hopto.org” last DNSs of C2 of JRat

Conclusions

The analyzed case shows how threat actors may quickly vary attack techniques and artifact characteristics, trying to masquerade their intent by making harder to track their attempts. Proving the investigation capabilities of a threat research team are fundamental into a modern cyber security paradigm.

The specific attack waves are not likely related to the MartyMcFly campaign discovered a few months.

Further details, including IoCs and Yara Rules, are reported in the analysis published on the Yoroi blog.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Java RAT, malware)

[adrotate banner=”5″] [adrotate banner=”13″]



you might also like

leave a comment