Street magicians have a secret: If you want to hide something, hide it in plain sight. It’s how hidden card tricks, sleight of hand and most illusions work. Unfortunately, malicious actors are learning how to use the same concept to sneak malware past traditional cybersecurity tools and onto users’ computers. And, it’s causing havoc on two fronts: enterprise security and user productivity.
An Old RAT Evolves
Four months ago we became aware of a new variant of Adwind jRAT, a remote access Trojan that uses Java to take control and collect data from a user’s machine--namely login credentials. Malware that takes advantage of common Java functionality is notoriously difficult to detect or detonate in a sandbox for the simple fact that Java is so common on the web. In fact, any effort to block or limit Java would result in much of the internet breaking down--a non starter for users who increasingly rely on rich web apps or SaaS platforms for their day-to-day responsibilities.
While Adwind jRAT is typically platform agnostic, this new variant seems to be targeting Windows machines and common Windows applications such as Explorer and Outlook. Interestingly, Chromium-based browsers are also being targeted, including newer browsers like Brave. The malware is a JAR file delivered from a link in a phishing email or downloaded from a legitimate site serving up insecure third-party content. We also observed many infections originating from out-dated and illegitimate Wordpress sites--a delivery method that is growing in popularity due to the vulnerabilities in the publishing platform.
How It Works
This new variant of Adwind jRAT works by obfuscating the initial JAR file, which makes any static signature-based detection ineffective. The initial JAR decrypts and reflectively loads the Qealler Header class which then decrypts and reflectively loads the Loader Class. The Loader Class then decrypts and reflectively loads the initial set of modules and calls the Main Class which is responsible for initializing the RAT with the control and command server.
Adwind jRAT is then able to decrypt a config file to get a list of C2 server IP addresses. An address is selected, and an AES encrypted request is made via TCP port 80 to remotely load a set of additional JAR files. Once downloaded, the JAR files activate the jRAT which becomes fully functional and is able to send a command and control request to access and send credentials from the browser and various applications to a remote server. These credentials can include personal bank credentials or business app logins--basically any password saved in a browser or application running on Windows.
Figure 1: The Adwind jRAT execution workflow uses common Java commands to deliver malicious payloads onto users’ devices.
Hiding in Plain Sight
This latest variant of the Adwind jRAT trojan is able to mask its behavior by acting like any other Java command. Without dynamic construction of the initial JAR file, threat intelligence has very little or no heuristics with which to create a static rule or signature that can effectively detect the initial JAR payload among the millions of Java commands flowing in and out of the corporate network. It’s like wading through a crowd of a million people and trying to pick out the one person wearing a green undershirt without being able to look under people’s jackets. There’s nothing suspicious about its existence, its appearance or even its initial behavior. Everything about it seems normal.
There is an exception, however. Viewing and sending stolen credentials to a remote server is definitely not typical behavior of a Java command. And that’s true with any sleight of hand trick. Eventually, the abnormal behavior has to reveal itself. Given that premise, it’s important to deploy a layered cybersecurity solution that provides complete cybersecurity protection throughout the network infrastructure. This layered solution should block known threats, isolate everything else in a remote browser in the cloud and then monitor traffic both inside and outside the organization for abnormal behavior.
Cybersecurity attacks, like magic tricks, cease being mysterious once the delivery and method are revealed. Once you identify that abnormal behavior, it becomes easier to stop attackers in their tracks. Only a complete, layered cybersecurity solution can provide that level of protection for users.
Learn how a Cloud Security Platform powered by Isolation is helping customers with their email and web security.