Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Crypter-as-a-Service Helps jRAT Fly Under The Radar

(Contributor: Dr. Fahim Abbasi and Phil Hay)

In this blog, we provide an analysis of a Java-based malware sample circulated via spam, that leverages Crypter services hosted on the dark web to create mutations to evade detection. We observed a sudden rise in spam messages ridden with such malware since the beginning of this year and noticed that researchers often misclassify this malicious Java-based Remote Access Trojan due to its crypter-service generated variants.

We regularly see this malware as an attachment or a link in spam campaigns under variety of guises such as benign looking "Invoices", "Request for Quotation", "Remittance Notice", "Shipment Notification" and "Payment Notice" etc.

EmailSamples
Figure 1: Screenshots of spam email messages circulating the Java-based malware as an attachment, notice the benign looking subject and body

So what is this phantom malware circulated in these attachments? There appears to be some confusion as to the precise nature of this malware. Our initial thoughts were that it was the commonly-encountered jRAT (a.k.a Adwind), but others have identified it as QRAT (Quaverse RAT), which is viewed as a competitor to jRAT. We decided to delve into this malware more deeply to find out.

jRAT is a cross-platform Remote Access Trojan (RAT) that can be accessed remotely by an attacker to achieve complete control of the infected system. This RAT can be used to capture keystrokes, exfiltrate credentials, take screenshots and access a webcam. It can also be used to download and execute additional binaries in the victim's system. It is highly configurable to whatever the attacker's motive may be. jRAT has been commercially available to the public as a RAT-as-a-service business model for as little as $20 for a one-month use.

Analysis

Extracting and dissecting several of the JAR samples, we noticed right away a common pattern in the JAR Manifest file called "MANIFEST.MF". The directory tree of one JAR sample is illustrated here:

Fig_2_JarFileStruct
Figure 2: JAR file structure

The Manifest is a special file that contains information about the files packaged in a JAR file. As shown in Figure 3, the path of the entry point method specified in the Main-Class header uses the format:

com.<random English word in small letters>.<two joined title case random word>

or sometimes:

com.<random English word in small letters>.<random English word in small letters>.<two joined title case random word>

Manifest_anmFigure 3: Note the entry point method name pattern specified in the Main-Class

And, as you can see from screenshots of three different samples below, the class names and resource names use very distinct pattern. The package name uses random English words and title case in the class and resources file names.

 

JarSamples
Figure 4: Visible pattern of class names and resource names

 

This led us to assume that all JAR files samples we collected from our spam traps are variants and have been obfuscated by the same tool or service. Its highly obfuscated nature makes this malware tough to analyze but that didn't stop us. We let the malicious JAR file run and dynamically analyzed it.

One thing we noticed right away is that all the samples we collected attempted to download a jar file from https://vvrhhhnaijyj6s2m[.]onion[dot]top. We followed the onion link and found it is a service hosted by QUAverse.

 

QuaverseWebFigure 5: QUAverse service page hosted on the dark web accessible via a tor2web service that allows internet users to access Tor Onion services without using a Tor browser

 

QUAverse (QUA) is linked to a RAT-as-a-service platform developed in 2015 called QRAT. QRAT is also a remote access trojan or RAT and is seen as one of jRAT's competitors. To us, this raised the question of why would jRAT download its competitor QRAT from the QUAverse platform? At first, thought that perhaps these JAR files were not jRAT but new QRAT samples. Some security researchers were even calling it QRAT themselves. But after a thorough analysis of multiple samples that required several layers of unpacking, string de-obfuscation and AES decryption of the sample's Java classes, we found some compelling evidence that they are indeed jRAT samples.

Firstly, the JRAT main class is named "operational.Jrat" as illustrated in Figure 6.

JratMainClass
Figure 6: Main JRAT Class "operational.Jrat"

 

Further evidence came to surface after we de-obfuscated jRAT's attacker configuration as seen in the image below:

JratConfig1Figure 7: De-obfuscated JRAT Configuration pointing the the jrat.io project website

 

Below is a configuration file from another jRAT sample that has more elaborate settings such as lowering Internet Explorer security settings, disabling open-file security warning settings, and a list of security related process to be killed. JRAT actors can easily configure this setting through a jRAT command panel.

Jratconfig2
Figure 8: jRat configuration setting. Complete dump of the config file can be found here: https://pastebin.com/raw/PvKLJAWP

 

So why does these jRAT samples connect and downloads a JAR file from a website affiliated to Quaverse's QRAT? The reason is that jRAT uses a service from QUAverse called Qrypter. This turns out to be a Crypter-as-a-Service platform that QUAverse has developed to make any Java JAR application fully undetectable by morphing variants of the same file. Qrypter offers JAR file crypting for a certain fee, it morphs the client's JAR file periodically to avoid being detected by antivirus products. We believe that the service monitors multiple AV products pro-actively and once it determines that the malware variant is being detected, it then re-encrypts the file thus producing a new mutant variant that is undetectable for a certain time period.

Quaverse even provide live detection rates of their cryptor as shown in Figure 9.

Ad3
Figure 9: Qrypter detection rates
 

 

Ad2
Figure 10: Advertised list of Qrypter features
 
Ad1
Figure 11: Qrypter service payment page
 

Every time this JRAT malware executes, it downloads a new, undetectable copy of itself from the Qrypter service and saves it to the infected machine's Windows %temp% directory. It then executes and installs the newly crypted jRAT .jar file. The screenshot below shows the code snippet of the download routine from a class called Qeaqtor. It calls the method Loader.criminal("smart-qrypt-address") that ultimately points to the JAR file hosted in the Quaverse website: https://vvrhhhnaijyj6s2m[.]onion[.]top.

DownloadUrl
Figure 12: Qrypter download routine code snippet

 

So by using the Qrypter service, JRAT is able to leverage the third-party crypter feature in an attempt to be fully undetectable.

The attack diagram below illustrates the JRAT execution flow.

AttackDiagFigure 13: Attack flow diagram

 

Conclusion

While JRAT actors have been actively spamming malicious JAR files for several months, one of the hurdles in infecting their target is how easily they are being detected. Perhaps using the Qrypter service makes it easier for them to evade email gateways and antivirus engines. While these actors may consider their malware creations undetectable, we have heuristics in our Secure Email Gateway that protect against this threat. From an email-policy perspective, we also recommend blocking inbound Javafiles up-front, along with other forms of potentially executable content.

Samples analyzed

1eb3f344a0274bfa38c67f6b10650dcf

64d72c5c86d3638034cd83178abcb82f

c52247ecffb2f7a42ef6fa0336671545

ae77ffba57049418e5a720bf77d178a5

2f021a10804ac5db5ceb43b42f785a23

daa0833d16cd9b6937803d1637284ad1

6392741705126cb97a837cbb046cfe73

8ae2c573bc0e0492efeabe78495c591e

 

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo