SpiderLabs Blog

Crypter-as-a-Service Helps jRAT Fly Under The Radar

(Contributor: Dr. Fahim Abbasi and Phil Hay)

In this blog, we provide an analysis of a Java-based malware sample circulated via spam that leverages crypter services hosted on the dark web to create mutations that evade detection. We have observed a sudden rise in spam messages laden with such malware since the beginning of this year, and noticed that researchers often misclassify this malicious Java-based Remote Access Trojan because of the variants the crypter service generates.

We regularly see this malware as an attachment or a link in spam campaigns under a variety of guises, such as benign-looking "Invoices", "Request for Quotation", "Remittance Notice", "Shipment Notification" and "Payment Notice".

Figure 1: Screenshots of spam email messages circulating the Java-based malware as an attachment; note the benign-looking subject and body

So what is this phantom malware circulated in these attachments? There appears to be some confusion as to the precise nature of this malware. Our initial thoughts were that it was the commonly-encountered jRAT (a.k.a Adwind), but others have identified it as QRAT (Quaverse RAT), which is viewed as a competitor to jRAT. We decided to delve into this malware more deeply to find out.

jRAT is a cross-platform Remote Access Trojan (RAT) that can be accessed remotely by an attacker to achieve complete control of the infected system. This RAT can be used to capture keystrokes, exfiltrate credentials, take screenshots and access a webcam. It can also be used to download and execute additional binaries in the victim's system. It is highly configurable to whatever the attacker's motive may be. jRAT has been commercially available to the public as a RAT-as-a-service business model for as little as $20 for a one-month use.


Extracting and dissecting several of the JAR samples, we noticed right away a common pattern in the JAR manifest file, "MANIFEST.MF". The directory tree of one JAR sample is illustrated here:

Figure 2: JAR file structure

The manifest is a special file that contains information about the files packaged in a JAR file. As shown in Figure 3, the entry point class specified in the Main-Class header uses the format:

com.<random English word in lower case>.<two joined title-case random words>

or sometimes:

com.<random English word in lower case>.<random English word in lower case>.<two joined title-case random words>

Figure 3: Note the entry point class name pattern specified in the Main-Class header

As you can see from the screenshots of three different samples below, the class names and resource names use a very distinct pattern: the package name is made of random English words, and the class and resource file names use title case.
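As an added example (this is not code from the Trustwave post), the naming scheme above can be turned into a triage heuristic for a mailbox or sandbox pipeline. The script parses a JAR's manifest, tests the Main-Class value against the two formats described, and measures what fraction of class and resource entries follow the lowercase-package, title-case-name scheme. The regexes, the `looks_crypted` threshold and the two in-memory JARs are constructed assumptions for illustration; only the naming scheme itself comes from the post.

```python
import io
import re
import zipfile

# Main-Class formats described in the post, encoded as an assumed regex:
#   com.<lowercase word>.<TwoJoinedTitleCaseWords>
#   com.<lowercase word>.<lowercase word>.<TwoJoinedTitleCaseWords>
MAIN_CLASS_PATTERN = re.compile(r"^com\.[a-z]+(?:\.[a-z]+)?\.(?:[A-Z][a-z]+){2}$")

# Class and resource entries: lowercase-word package path followed by a
# title-case name built from two or more joined words, e.g. com/ember/QuietMeadow.class
ENTRY_PATTERN = re.compile(r"^(?:[a-z]+/)+(?:[A-Z][a-z]+){2,}\.[a-z]+$")


def read_manifest(jar_bytes):
    """Parse META-INF/MANIFEST.MF into a dict, joining manifest continuation lines."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        if "META-INF/MANIFEST.MF" not in zf.namelist():
            return {}
        raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    headers, last = {}, None
    for line in raw.splitlines():
        if line.startswith(" ") and last is not None:
            headers[last] += line[1:]          # continuation of the previous header
        elif ":" in line:
            key, _, value = line.partition(":")
            last = key.strip()
            headers[last] = value.strip()
    return headers


def score_jar(jar_bytes):
    """Return (main_class, main_class_matches, fraction_of_entries_matching)."""
    main_class = read_manifest(jar_bytes).get("Main-Class", "")
    main_matches = MAIN_CLASS_PATTERN.match(main_class) is not None
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        entries = [n for n in zf.namelist()
                   if not n.startswith("META-INF/") and not n.endswith("/")]
    matched = sum(1 for n in entries if ENTRY_PATTERN.match(n))
    fraction = matched / len(entries) if entries else 0.0
    return main_class, main_matches, fraction


def looks_crypted(jar_bytes, min_fraction=0.5):
    """Heuristic verdict: Main-Class matches AND most entries follow the naming scheme.
    The 0.5 threshold is an assumption, not a value from the post."""
    _, main_matches, fraction = score_jar(jar_bytes)
    return main_matches and fraction >= min_fraction


def build_sample_jar(main_class, entries):
    """Build an in-memory JAR for testing (constructed data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        for name in entries:
            zf.writestr(name, b"\xca\xfe\xba\xbe")   # placeholder class-file magic only
    return buf.getvalue()


# Constructed samples: one mimicking the described naming scheme, one ordinary app.
SUSPICIOUS_JAR = build_sample_jar("com.ember.SilentHarbor", [
    "com/ember/SilentHarbor.class", "com/ember/QuietMeadow.class", "com/ember/GoldenRiver.dat"])
ORDINARY_JAR = build_sample_jar("org.example.app.Main", [
    "org/example/app/Main.class", "org/example/app/util/Helpers$1.class", "logback.xml"])

if __name__ == "__main__":
    for label, jar in (("suspicious", SUSPICIOUS_JAR), ("ordinary", ORDINARY_JAR)):
        print(label, score_jar(jar), looks_crypted(jar))
```

Title-case class names are common in legitimate Java code, so the Main-Class match and the entry fraction are signals to combine with others (sender reputation, attachment type, the onion download described below) rather than a verdict on their own.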


Figure 4: Visible pattern of class names and resource names


This led us to assume that all JAR file samples we collected from our spam traps are variants that have been obfuscated by the same tool or service. Its highly obfuscated nature makes this malware tough to analyze, but that didn't stop us: we let the malicious JAR file run and analyzed it dynamically.

One thing we noticed right away is that all the samples we collected attempted to download a JAR file from https://vvrhhhnaijyj6s2m[.]onion[dot]top. We followed the onion link and found it is a service hosted by QUAverse.


Figure 5: QUAverse service page hosted on the dark web, accessible via a tor2web service that allows internet users to reach Tor onion services without using the Tor Browser


QUAverse (QUA) is linked to a RAT-as-a-service platform developed in 2015 called QRAT. QRAT is also a remote access trojan and is seen as one of jRAT's competitors. This raised the question of why jRAT would download its competitor QRAT from the QUAverse platform. At first, we thought that perhaps these JAR files were not jRAT but new QRAT samples; some security researchers were even calling it QRAT themselves. But after a thorough analysis of multiple samples, which required several layers of unpacking, string de-obfuscation and AES decryption of the sample's Java classes, we found compelling evidence that they are indeed jRAT samples.

Firstly, the jRAT main class is named "operational.Jrat", as illustrated in Figure 6.

Figure 6: Main jRAT class "operational.Jrat"


Further evidence came to the surface after we de-obfuscated jRAT's attacker configuration, as seen in the image below:

Figure 7: De-obfuscated jRAT configuration pointing to the project website


Below is a configuration file from another jRAT sample that has more elaborate settings, such as lowering Internet Explorer security settings, disabling the open-file security warning, and a list of security-related processes to be killed. jRAT actors can easily configure these settings through the jRAT command panel.

Figure 8: jRAT configuration settings. The complete dump of the config file can be found here:


So why do these jRAT samples connect to and download a JAR file from a website affiliated with Quaverse's QRAT? The reason is that jRAT uses a service from QUAverse called Qrypter. This turns out to be a Crypter-as-a-Service platform that QUAverse has developed to make any Java JAR application fully undetectable by producing morphed variants of the same file. Qrypter offers JAR file crypting for a fee; it morphs the client's JAR file periodically to avoid detection by antivirus products. We believe that the service proactively monitors multiple AV products and, once it determines that a malware variant is being detected, re-encrypts the file, producing a new mutant variant that goes undetected for a certain period of time.

Quaverse even provides live detection rates for its crypter, as shown in Figure 9.

Figure 9: Qrypter detection rates


Figure 10: Advertised list of Qrypter features
Figure 11: Qrypter service payment page

Every time this jRAT malware executes, it downloads a new, undetectable copy of itself from the Qrypter service and saves it to the infected machine's Windows %temp% directory. It then executes and installs the newly crypted jRAT .jar file. The screenshot below shows the download routine from a class called Qeaqtor. It calls the method Loader.criminal("smart-qrypt-address"), which ultimately resolves to the JAR file hosted on the Quaverse website: https://vvrhhhnaijyj6s2m[.]onion[.]top.

Figure 12: Qrypter download routine code snippet


So by using the Qrypter service, jRAT is able to leverage a third-party crypter in an attempt to be fully undetectable.

The attack diagram below illustrates the jRAT execution flow.

Figure 13: Attack flow diagram



While jRAT actors have been actively spamming malicious JAR files for several months, one of the hurdles in infecting their targets is how easily they are detected. Using the Qrypter service perhaps makes it easier for them to evade email gateways and antivirus engines. While these actors may consider their malware creations undetectable, we have heuristics in our Secure Email Gateway that protect against this threat. From an email-policy perspective, we also recommend blocking inbound Java files up-front, along with other forms of potentially executable content.
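As an added example (not part of the original post), here is what the "block inbound Java files up-front" policy looks like when it is enforced on content rather than on file extension, so that a JAR renamed to .pdf or wrapped inside a .zip is still caught. The function names, the nested-archive depth and size limits, and the sample attachments are constructed for this illustration.

```python
import io
import zipfile

JAVA_EXTENSIONS = (".jar", ".class", ".jnlp")   # extensions the policy blocks outright
ZIP_MAGIC = b"PK\x03\x04"                       # local file header of a non-empty ZIP/JAR
CLASS_MAGIC = b"\xca\xfe\xba\xbe"               # Java class-file signature
MAX_INNER_BYTES = 8 * 1024 * 1024               # assumed cap: don't inflate huge nested entries


def classify_attachment(filename, data, depth=0, max_depth=2):
    """Return a reason string if the attachment is, or contains, Java executable
    content; otherwise None. Decisions are made on content, so a JAR renamed to
    .pdf or carried inside a .zip is still caught."""
    if filename.lower().endswith(JAVA_EXTENSIONS):
        return f"{filename}: Java file extension"
    if data.startswith(CLASS_MAGIC):
        return f"{filename}: Java class-file magic"
    if not data.startswith(ZIP_MAGIC):
        return None
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return None
    with zf:
        names = zf.namelist()
        if "META-INF/MANIFEST.MF" in names or any(n.endswith(".class") for n in names):
            return f"{filename}: ZIP archive carrying a Java manifest or class files"
        if depth >= max_depth:
            return None
        for info in zf.infolist():     # recurse into nested archives (jar inside zip)
            if info.is_dir() or info.file_size > MAX_INNER_BYTES:
                continue
            reason = classify_attachment(info.filename, zf.read(info), depth + 1, max_depth)
            if reason:
                return f"{filename} -> {reason}"
    return None


def make_zip(entries):
    """Build an in-memory ZIP from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed attachments resembling the lure names used in the campaign.
RENAMED_JAR = make_zip({"META-INF/MANIFEST.MF": "Main-Class: com.ember.SilentHarbor\r\n",
                        "com/ember/SilentHarbor.class": CLASS_MAGIC})
NESTED_JAR = make_zip({"Remittance Notice.jar": RENAMED_JAR})
PLAIN_ZIP = make_zip({"readme.txt": b"hello"})
OFFICE_DOC = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})

if __name__ == "__main__":
    for name, blob in (("Invoice.pdf", RENAMED_JAR), ("Shipment.zip", NESTED_JAR),
                       ("notes.zip", PLAIN_ZIP), ("Quotation.docx", OFFICE_DOC)):
        print(name, "->", classify_attachment(name, blob))
```

Office documents are ZIP containers too, which is why the check looks for a manifest or class entries rather than rejecting every ZIP; the depth and size caps keep a nested or oversized archive from turning the filter itself into a resource problem.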

Samples analyzed









