Researchers reported on a spike in Java-based remote access trojan variants, or jRATs.
The method opens a backdoor for attackers to remotely gain control of an infected system, according to the report from Zscaler.
The miscreants behind the scheme are using a number of methods to dupe email recipients into clicking on attachments poisoned with JAR files. For instance, some of the filenames imply the email was sent by the IRS purporting to contain vital tax information. Other samples appear to be purchase orders. In any case, should a recipient open the attachment, the jRAT payload is transferred to the target machine.
While the samples detected by the researchers were hidden beneath three layers of packing, once initiated the malicious JAR file delivers a VBS file to the user's machine, which then checks on the device for third-party firewalls and anti-virus software. Once the scan is done, it drops a JAR file in the Temp folder, the report found, and then executes it.
The researchers' analysis revealed that the code, written in a modular style, segregated a number of tasks within a set of packages. In one encrypted configuration file were details for the bot to communicate with the C&C server, which sends arbitrary payloads to infected machines and can switch on the device's camera to spy on victims.
As well, the malware links machines to a hardcoded URL in order to deliver malicious executable files. In the past, this site was known for hosting the Loki bot, notorious for siphoning out data from victim machines.
"We have seen multiple campaigns, such as purchase orders, invoices, tracking notices, etc., where jRAT was involved," Sameer Patil of the ThreatLabZ research team, told SC Media on Monday. Patil was lead author of the report – along with research assistance from Jithin Nair. The most significant iteration was using the IRS theme that started in the last week of March, he said.
"There were a few other unusual aspects to this malware," Patil added. "First, the majority of the payloads were being delivered over SSL using media/file sharing services like Dropbox. Another novel aspect was the multiple layers of packing combined with the highly obfuscated code-end payload in order to evade detection and hinder manual/automated analysis and reverse engineering. The malware author has also accounted for the operating system's bit-ness by embedding both 32-bit and 64-bit DLLs in the JAR payload."
The campaign is still active, Patil warned, keeping relevant by using fresh enticements drawn from current events.