Rise of the Java Remote Access Tools

We recently came across an attack campaign which looked quite unusual compared to the standard attacks normally seen in the wild. This campaign is targeting government agencies by sending phishing emails with a malicious attachment. Nothing new so far, except for one thing: the malicious payload is a Java remote access tool (RAT).

As we all know, cybercriminals tend to use recent hot media topics to entice users. In the case of this campaign they are using the recent news coverage surrounding the NSA surveillance program PRISM.


Figure 1. Phishing email example

The phishing email contains two legitimate, non-malicious PDF documents and one Java file whose name mimics that of a legitimate document. If the user is tricked into opening this fake document, the Java payload runs (provided a Java runtime is installed on the user's computer); no exploit is needed.

The Java file is a RAT named jRat, which is available for free; Symantec detects it as Backdoor.Jeetrat. The threat can give a remote attacker full control of the compromised computer. More importantly, because it is written in Java, the threat can run on multiple operating systems, not just Windows. The RAT comes with a builder tool that lets an attacker generate customized versions of it, and the list of operating systems it can be built for is very broad.


Figure 2. RAT builder control panel with options, including supported operating systems

The RAT can target not only Windows, but also Linux, Mac OSX, FreeBSD, OpenBSD, and Solaris (although we have not verified or observed the threat working on all of these operating systems). In principle, the threat may be able to run on any system that supports Java.
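As an added example (not code from the original post or from Symantec), the following Python check does what a mail gateway could do with an attachment like the one described above: it classifies the file by its bytes rather than its name, recognizes a JAR by the ZIP magic and the META-INF manifest, reads the Main-Class entry that makes the JAR runnable, and flags a document-style name wrapped around Java content. The lure filename, the Main-Class name and the sample JAR are constructed for the example; the page does not give the real attachment's name.

```python
import io
import os
import zipfile

# Extensions a phishing lure typically claims to be; constructed list for this example.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt", ".xls", ".xlsx", ".ppt", ".pptx"}


def jar_main_class(data: bytes):
    """Return the Main-Class named in a JAR manifest.

    Returns None if the bytes are not a JAR (not a ZIP, or no manifest) and an
    empty string for a JAR whose manifest has no Main-Class (e.g. a library).
    """
    if not data.startswith(b"PK\x03\x04"):  # ZIP local-file-header magic
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "META-INF/MANIFEST.MF" not in zf.namelist():
                return None
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "main-class":
            return value.strip()
    return ""


def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide from content, not just the name, whether an attachment is a runnable JAR posing as a document."""
    root, last_ext = os.path.splitext(filename.lower())
    _, inner_ext = os.path.splitext(root)  # e.g. ".pdf" in "report.pdf.jar"
    main_class = jar_main_class(data)
    is_jar = main_class is not None
    reasons = []
    if is_jar and last_ext != ".jar":
        reasons.append("JAR content under a non-.jar name")
    if is_jar and inner_ext in DOCUMENT_EXTENSIONS:
        reasons.append("document-style double extension")
    if is_jar and main_class:
        reasons.append("runnable JAR (Main-Class: %s)" % main_class)
    if last_ext == ".jar" and not is_jar:
        reasons.append(".jar name but content is not a JAR")
    return {"is_jar": is_jar, "main_class": main_class, "suspicious": bool(reasons), "reasons": reasons}


def build_sample_jar(main_class: str = "Lure") -> bytes:
    """Constructed sample JAR for the demonstration; the class entry is a stub, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: %s\r\n\r\n" % main_class)
        zf.writestr(main_class + ".class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)  # class-file magic only
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    # Constructed lure name in the style the post describes: a document name with Java content behind it.
    for name, data in [("PRISM_overview.pdf.jar", jar), ("PRISM_overview.pdf", b"%PDF-1.4\n%stub\n")]:
        verdict = classify_attachment(name, data)
        print(name, "->", "SUSPICIOUS" if verdict["suspicious"] else "ok", verdict["reasons"])
```

Because the decision is made on the ZIP structure and the manifest, renaming the file does not hide it, and a genuine PDF with the same name passes. The double-extension check covers the specific lure described here; the Main-Class check is the general one, since any runnable JAR arriving by email deserves scrutiny in a government environment.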

We searched our archives for other threats using the same command-and-control (C&C) server used in this specific attack and found an RTF document.


Figure 3. Malicious RTF document from previous attack campaign

This malicious RTF document exploits the Microsoft Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158), detected by Symantec as Bloodhound.Exploit.457. The same attackers were therefore previously using the usual method of sending malicious documents that exploit a vulnerability in order to drop an executable payload, and have recently shifted to sending malicious Java payloads directly. The attack has been simplified: it involves neither an exploit nor native shellcode or an executable payload, only a Java program. It is no less dangerous than the older attacks, and it reaches more targets, because an exploit usually works only against specific versions of the vulnerable software and operating system, whereas this RAT runs on any system with a Java runtime installed. The attack has not only been simplified but has also become more reliable (there is no exploit that can fail) and more broadly applicable. For the attackers it is a big upgrade.

The distribution of this malware indicates most targets are located in the United States.


Figure 4. Malware distribution

Besides RATs, we have also seen other classes of Java malware being used in the wild. For more information about other uses of Java malware, check out this series of three blog entries about Java.Cogyeka.

In conclusion, while this new attack is a little unusual, it can be detected and blocked like older ones. We advise our customers to update their definitions and to be very cautious when receiving suspicious emails.

Bad kitty! “Rookie mistake” in Cryptocat chat app makes cracking a snap

Developers of the Cryptocat application for encrypting communications of activists and journalists have apologized for a critical programming flaw that made it trivial for third parties to decipher group chats.

The precise amount of time the vulnerability was active is in dispute, with Cryptocat developers putting it at seven months and a security researcher saying it was closer to 19 months. Both sides agree that the effect of the bug was that the keys used to encrypt and decrypt conversations among groups of users were easy for outsiders to calculate. As a result, activists, journalists, or others who relied on Cryptocat to protect their group chats from government or industry snoops got little more protection than is typically available in standard chat programs. Critics said it was hard to excuse such a rudimentary error in an open-source piece of software held out as a way to protect sensitive communications.

"It was simply a matter of what I would call a fairly rookie mistake," independent security researcher Adam Caudill told Ars. "They didn't understand the data they were working with. Key generation code is one of the most critical parts of a crypto system because it doesn't matter what else you get right if you get that wrong."



Spammers Playing in Wimbledon Court

The 127th edition of the Wimbledon Championships, the third Grand Slam event of the year, is coming to an end, with the final being played on July 7. Major sporting events bring a large amount of gambling, and spammers take advantage of this by sending online betting and casino spam. We have observed the following spam campaign targeting the Wimbledon Championships with a fake betting offer.


Figure. Wimbledon Championship spam

Interestingly, to make their spam look legitimate the spammers invoke antispam laws in the message itself (a trick we recently blogged about in Whitewashed Spam – How Antispam Laws Are Helping Spammers). They tempt users with fake offers such as “Get started with $5 free and $500 as welcome package”. The messages also contain hexadecimal-obfuscated URLs, a technique spammers use to evade anti-spam filters that look for the plain form of a link. Users should be wary of any such betting offer.
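As an added example (not code from the Symantec post), here is how a filter can undo hexadecimal obfuscation before matching a link against a blocklist. The page does not reproduce the actual obfuscated links, so the sample URLs and the blocklisted domain are constructed. The decoder handles three forms that are assumed here to be what is meant by hexadecimal obfuscation: percent-encoded host and path characters (`%77%77%77` for `www`), a hexadecimal IPv4 host (`0xC0A80001`), and a dotless decimal IPv4 host (`3232235521`).

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit, urlunsplit


def decode_obfuscated_host(host: str) -> str:
    """Undo host obfuscation: %77%77%77 -> www, 0xC0A80001 -> 192.168.0.1, 3232235521 -> 192.168.0.1.

    Which forms count as "hexadecimal obfuscation" is an assumption of this example.
    """
    host = unquote(host).lower().rstrip(".")
    m = re.fullmatch(r"0x([0-9a-f]{1,8})", host)
    if m:  # hexadecimal IPv4 address
        return str(ipaddress.IPv4Address(int(m.group(1), 16)))
    if host.isdigit() and int(host) < 2 ** 32:  # dotless decimal IPv4 address
        return str(ipaddress.IPv4Address(int(host)))
    return host


def normalize_url(url: str) -> str:
    """Return the URL with host, path and query decoded so a filter compares the real destination."""
    parts = urlsplit(url)
    host = decode_obfuscated_host(parts.hostname or "")
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        port = None
    netloc = "%s:%d" % (host, port) if port else host
    path = unquote(parts.path) or "/"
    return urlunsplit((parts.scheme.lower(), netloc, path, unquote(parts.query), ""))


def classify_url(url: str, blocked_domains) -> dict:
    """Flag a link that was obfuscated, points at a bare IP address, or lands on a blocklisted domain."""
    normalized = normalize_url(url)
    raw_host = urlsplit(url).hostname or ""
    host = urlsplit(normalized).hostname or ""
    reasons = []
    if raw_host != host:
        reasons.append("host obfuscation: %r -> %r" % (raw_host, host))
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address host")
    except ValueError:
        pass
    if any(host == d or host.endswith("." + d) for d in blocked_domains):
        reasons.append("blocklisted domain")
    return {"normalized": normalized, "host": host, "suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample links and blocklist; the post does not reproduce the real ones.
    blocklist = {"casino-bonus.example"}
    for link in ["http://%63asino-%62onus.example/%35free",
                 "http://0xC0A80001/spins?bonus=%35",
                 "http://3232235521/",
                 "http://www.wimbledon.com/"]:
        v = classify_url(link, blocklist)
        print(link, "->", v["normalized"], "SUSPICIOUS" if v["suspicious"] else "ok", v["reasons"])
```

The point of normalizing first is that a blocklist entry for `casino-bonus.example` never matches the raw text `%63asino-%62onus.example`; comparing the decoded host closes that gap, and the mismatch between raw and decoded host is itself a usable signal, since legitimate senders rarely encode their own domain.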

We observed the following spoofed email header targeting the 2013 Wimbledon Championship:

Subject: Tennis action with 77 spins on Centre Court
From: All xxx Casino <REMOVED.com>

Symantec advises everyone to be cautious with unsolicited or unexpected emails related to the 2013 Wimbledon Championships, and in particular with fake betting offers. We continue to monitor spam attacks around the clock to keep readers up to date with the latest information on potential threats.

Microsoft Releases July 2013 Security Bulletin

Original release date: July 05, 2013 | Last revised: July 09, 2013

Microsoft has released updates to address vulnerabilities in Microsoft Windows, .NET Framework, Silverlight, Office, Visual Studio, Lync, Internet Explorer, and Windows Defender as part of the Microsoft Security Bulletin Summary for July 2013. These vulnerabilities could allow remote code execution or elevation of privilege.

US-CERT encourages users and administrators to review the bulletin and follow best practice security policies to determine which updates should be applied.
