(Contributor: Dr. Fahim Abbasi and Phil Hay)
In this blog, we provide an analysis of a Java-based malware sample circulated via spam, that leverages Crypter services hosted on the dark web to create mutations to evade detection. We observed a sudden rise in spam messages ridden with such malware since the beginning of this year and noticed that researchers often misclassify this malicious Java-based Remote Access Trojan due to its crypter-service generated variants.
We regularly see this malware as an attachment or a link in spam campaigns under variety of guises such as benign looking "Invoices", "Request for Quotation", "Remittance Notice", "Shipment Notification" and "Payment Notice" etc.
Figure 1: Screenshots of spam email messages circulating the Java-based malware as an attachment, notice the benign looking subject and body
So what is this phantom malware circulated in these attachments? There appears to be some confusion as to the precise nature of this malware. Our initial thoughts were that it was the commonly-encountered jRAT (a.k.a Adwind), but others have identified it as QRAT (Quaverse RAT), which is viewed as a competitor to jRAT. We decided to delve into this malware more deeply to find out.
jRAT is a cross-platform Remote Access Trojan (RAT) that can be accessed remotely by an attacker to achieve complete control of the infected system. This RAT can be used to capture keystrokes, exfiltrate credentials, take screenshots and access a webcam. It can also be used to download and execute additional binaries in the victim's system. It is highly configurable to whatever the attacker's motive may be. jRAT has been commercially available to the public as a RAT-as-a-service business model for as little as $20 for a one-month use.
Analysis
Extracting and dissecting several of the JAR samples, we noticed right away a common pattern in the JAR Manifest file called "MANIFEST.MF". The directory tree of one JAR sample is illustrated here:
Figure 2: JAR file structure
The Manifest is a special file that contains information about the files packaged in a JAR file. As shown in Figure 3, the path of the entry point method specified in the Main-Class header uses the format:
com.<random English word in small letters>.<two joined title case random word>
or sometimes:
com.<random English word in small letters>.<random English word in small letters>.<two joined title case random word>
Figure 3: Note the entry point method name pattern specified in the Main-Class
And, as you can see from screenshots of three different samples below, the class names and resource names use very distinct pattern. The package name uses random English words and title case in the class and resources file names.
Figure 4: Visible pattern of class names and resource names
This led us to assume that all JAR files samples we collected from our spam traps are variants and have been obfuscated by the same tool or service. Its highly obfuscated nature makes this malware tough to analyze but that didn't stop us. We let the malicious JAR file run and dynamically analyzed it.
One thing we noticed right away is that all the samples we collected attempted to download a jar file from https://vvrhhhnaijyj6s2m[.]onion[dot]top. We followed the onion link and found it is a service hosted by QUAverse.
Figure 5: QUAverse service page hosted on the dark web accessible via a tor2web service that allows internet users to access Tor Onion services without using a Tor browser
QUAverse (QUA) is linked to a RAT-as-a-service platform developed in 2015 called QRAT. QRAT is also a remote access trojan or RAT and is seen as one of jRAT's competitors. To us, this raised the question of why would jRAT download its competitor QRAT from the QUAverse platform? At first, thought that perhaps these JAR files were not jRAT but new QRAT samples. Some security researchers were even calling it QRAT themselves. But after a thorough analysis of multiple samples that required several layers of unpacking, string de-obfuscation and AES decryption of the sample's Java classes, we found some compelling evidence that they are indeed jRAT samples.
Firstly, the JRAT main class is named "operational.Jrat" as illustrated in Figure 6.
Figure 6: Main JRAT Class "operational.Jrat"
Further evidence came to surface after we de-obfuscated jRAT's attacker configuration as seen in the image below:
Figure 7: De-obfuscated JRAT Configuration pointing the the jrat.io project website
Below is a configuration file from another jRAT sample that has more elaborate settings such as lowering Internet Explorer security settings, disabling open-file security warning settings, and a list of security related process to be killed. JRAT actors can easily configure this setting through a jRAT command panel.
So why does these jRAT samples connect and downloads a JAR file from a website affiliated to Quaverse's QRAT? The reason is that jRAT uses a service from QUAverse called Qrypter. This turns out to be a Crypter-as-a-Service platform that QUAverse has developed to make any Java JAR application fully undetectable by morphing variants of the same file. Qrypter offers JAR file crypting for a certain fee, it morphs the client's JAR file periodically to avoid being detected by antivirus products. We believe that the service monitors multiple AV products pro-actively and once it determines that the malware variant is being detected, it then re-encrypts the file thus producing a new mutant variant that is undetectable for a certain time period.
Quaverse even provide live detection rates of their cryptor as shown in Figure 9.
Figure 9: Qrypter detection rates
Figure 10: Advertised list of Qrypter features
Figure 11: Qrypter service payment page
Every time this JRAT malware executes, it downloads a new, undetectable copy of itself from the Qrypter service and saves it to the infected machine's Windows %temp% directory. It then executes and installs the newly crypted jRAT .jar file. The screenshot below shows the code snippet of the download routine from a class called Qeaqtor. It calls the method Loader.criminal("smart-qrypt-address") that ultimately points to the JAR file hosted in the Quaverse website: https://vvrhhhnaijyj6s2m[.]onion[.]top.
Figure 12: Qrypter download routine code snippet
So by using the Qrypter service, JRAT is able to leverage the third-party crypter feature in an attempt to be fully undetectable.
The attack diagram below illustrates the JRAT execution flow.
Figure 13: Attack flow diagram
Conclusion
While JRAT actors have been actively spamming malicious JAR files for several months, one of the hurdles in infecting their target is how easily they are being detected. Perhaps using the Qrypter service makes it easier for them to evade email gateways and antivirus engines. While these actors may consider their malware creations undetectable, we have heuristics in our Secure Email Gateway that protect against this threat. From an email-policy perspective, we also recommend blocking inbound Javafiles up-front, along with other forms of potentially executable content.
Samples analyzed
1eb3f344a0274bfa38c67f6b10650dcf
64d72c5c86d3638034cd83178abcb82f
c52247ecffb2f7a42ef6fa0336671545
ae77ffba57049418e5a720bf77d178a5
2f021a10804ac5db5ceb43b42f785a23
daa0833d16cd9b6937803d1637284ad1
6392741705126cb97a837cbb046cfe73
8ae2c573bc0e0492efeabe78495c591e
