(Contributor: Dr. Fahim Abbasi and Phil Hay)
In this blog, we provide an analysis of a Java-based malware sample circulated via spam that leverages crypter services hosted on the dark web to create mutations that evade detection. We have observed a sudden rise in spam messages riddled with such malware since the beginning of this year, and noticed that researchers often misclassify this malicious Java-based Remote Access Trojan because of the variants generated by the crypter service.
We regularly see this malware as an attachment or a link in spam campaigns under a variety of guises, such as benign-looking "Invoices", "Request for Quotation", "Remittance Notice", "Shipment Notification" and "Payment Notice".
So what is this phantom malware circulated in these attachments? There appears to be some confusion as to the precise nature of this malware. Our initial thought was that it was the commonly encountered jRAT (a.k.a. Adwind), but others have identified it as QRAT (Quaverse RAT), which is viewed as a competitor to jRAT. We decided to delve into this malware more deeply to find out.
jRAT is a cross-platform Remote Access Trojan (RAT) that can be accessed remotely by an attacker to achieve complete control of the infected system. This RAT can be used to capture keystrokes, exfiltrate credentials, take screenshots and access a webcam. It can also be used to download and execute additional binaries on the victim's system. It is highly configurable to suit whatever the attacker's motive may be. jRAT has been commercially available to the public under a RAT-as-a-service business model for as little as $20 for one month of use.
Extracting and dissecting several of the JAR samples, we noticed right away a common pattern in the JAR manifest file, "MANIFEST.MF". The directory tree of one JAR sample is illustrated here:
The manifest is a special file that contains information about the files packaged in a JAR file. As shown in Figure 3, the path of the class containing the entry-point method, specified in the Main-Class header, uses the format:
com.<random English word in lower case>.<two joined title-case random words>
And, as you can see from the screenshots of three different samples below, the class names and resource names follow a very distinct pattern: the package name uses random English words, and the class and resource file names use title case.
This led us to assume that all the JAR samples we collected from our spam traps are variants that have been obfuscated by the same tool or service. Its highly obfuscated nature makes this malware tough to analyze, but that didn't stop us: we let the malicious JAR file run and analyzed it dynamically.
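As an added illustration (not code from the original post), the Main-Class and file-name pattern described above can be turned into a triage check for JAR attachments. The script builds a constructed sample JAR that mimics the layout, parses its manifest (including the continuation lines real manifests use for long values) and flags the naming pattern; the regexes, the sample names and the 0.8 threshold are assumptions of this example.

```python
import io
import re
import zipfile

# Pattern from the post: Main-Class = com.<lower-case word>.<TwoJoinedTitleCaseWords>
MAIN_CLASS_RE = re.compile(r"^com\.[a-z]+\.(?:[A-Z][a-z]+){2}$")
TITLE_CASE_RE = re.compile(r"^(?:[A-Z][a-z]+){2,}$")  # e.g. SilentRiver

def parse_manifest(text):
    """Parse MANIFEST.MF headers; a line starting with a space continues the
    previous header (the JAR spec wraps long values at 72 bytes)."""
    headers, last_key = {}, None
    for line in text.splitlines():
        if line.startswith(" ") and last_key:
            headers[last_key] += line[1:]
        elif ":" in line:
            key, _, value = line.partition(":")
            last_key = key.strip()
            headers[last_key] = value.strip()
    return headers

def assess_jar(jar_bytes):
    """Score a JAR (as bytes) against the naming pattern the post describes."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        manifest = parse_manifest(zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace"))
        entries = [n for n in zf.namelist()
                   if not n.startswith("META-INF/") and not n.endswith("/")]
    main_class = manifest.get("Main-Class", "")
    # "com/glass/BrightForest.class" -> "BrightForest"; resources may have no extension
    bases = [n.rsplit("/", 1)[-1].split(".", 1)[0] for n in entries]
    ratio = sum(1 for b in bases if TITLE_CASE_RE.match(b)) / len(bases) if bases else 0.0
    main_hit = bool(MAIN_CLASS_RE.match(main_class))
    return {"main_class": main_class, "main_class_matches": main_hit,
            "title_case_ratio": ratio, "suspicious": main_hit and ratio >= 0.8}

def build_jar(manifest_text, entries):
    """Build a constructed in-memory JAR; entry bodies are dummy bytes, not real classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
        for entry in entries:
            zf.writestr(entry, b"\xca\xfe\xba\xbe")
    return buf.getvalue()

# Constructed sample mimicking the post's layout; Main-Class is split over a continuation line
SAMPLE_JAR = build_jar(
    "Manifest-Version: 1.0\r\nMain-Class: com.glass.Bright\r\n Forest\r\n\r\n",
    ["com/glass/BrightForest.class", "com/glass/SilentRiver.class",
     "com/glass/resources/CloudyStone", "com/glass/WinterLamp.class"])
```

Running `assess_jar(SAMPLE_JAR)` flags the constructed sample; a JAR with a conventional Main-Class such as `org.example.app.Main` and ordinary resource names scores as not suspicious.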
One thing we noticed right away is that all the samples we collected attempted to download a JAR file from https://vvrhhhnaijyj6s2m[.]onion[dot]top. We followed the onion link and found that it is a service hosted by QUAverse.
QUAverse (QUA) is linked to a RAT-as-a-service platform developed in 2015 called QRAT. QRAT is also a remote access trojan, and is seen as one of jRAT's competitors. To us, this raised the question of why jRAT would download its competitor QRAT from the QUAverse platform. At first, we thought that perhaps these JAR files were not jRAT but new QRAT samples. Some security researchers were even calling it QRAT themselves. But after a thorough analysis of multiple samples, which required several layers of unpacking, string de-obfuscation and AES decryption of the sample's Java classes, we found compelling evidence that they are indeed jRAT samples.
Firstly, the jRAT main class is named "operational.Jrat", as illustrated in Figure 6.
Further evidence came to surface after we de-obfuscated jRAT's attacker configuration as seen in the image below:
Below is a configuration file from another jRAT sample with more elaborate settings, such as lowering Internet Explorer security settings, disabling the open-file security warning, and a list of security-related processes to be killed. jRAT actors can easily configure these settings through the jRAT command panel.
So why do these jRAT samples connect to and download a JAR file from a website affiliated with Quaverse's QRAT? The reason is that jRAT uses a service from QUAverse called Qrypter. This turns out to be a crypter-as-a-service platform that QUAverse has developed to make any Java JAR application fully undetectable by morphing variants of the same file. Qrypter offers JAR file crypting for a fee: it morphs the client's JAR file periodically to avoid detection by antivirus products. We believe that the service proactively monitors multiple AV products and, once it determines that a malware variant is being detected, re-encrypts the file, producing a new mutant variant that remains undetectable for a certain period.
Quaverse even provides live detection rates for its crypter, as shown in Figure 9.
Every time this jRAT malware executes, it downloads a new, undetectable copy of itself from the Qrypter service and saves it to the infected machine's Windows %temp% directory. It then executes and installs the newly crypted jRAT .jar file. The screenshot below shows the code snippet of the download routine from a class called Qeaqtor. It calls the method Loader.criminal("smart-qrypt-address"), which ultimately points to the JAR file hosted on the Quaverse website: https://vvrhhhnaijyj6s2m[.]onion[.]top.
So by using the Qrypter service, jRAT is able to leverage a third-party crypter in an attempt to be fully undetectable.
The attack diagram below illustrates the JRAT execution flow.
While jRAT actors have been actively spamming malicious JAR files for several months, one of the hurdles in infecting their targets is how easily they are detected. Perhaps using the Qrypter service makes it easier for them to evade email gateways and antivirus engines. While these actors may consider their malware creations undetectable, we have heuristics in our Secure Email Gateway that protect against this threat. From an email-policy perspective, we also recommend blocking inbound Java files up front, along with other forms of potentially executable content.