JRAT Targets UK and UAE in Payment Certificates Spam Campaign

Java remote access Trojan (RAT) campaigns aren’t rare anymore. Their prevalence has increased in the past few years and they have continued to target both enterprises and individuals. The popularity of these campaigns isn’t surprising, as if an attacker successfully infects a victim’s computer with a RAT, then they could gain full control of the compromised computer. Along with this, these threats aren’t limited to one operating system, as in theory, they focus on any computer that runs Java. Attackers have easy access to Java RATs thanks to the fact that a handful of these RATs’ source code is being openly shared online
 
This month, we have observed a new spam campaign delivering a Java RAT known as JRAT, which started on February 13, 2014. The spam email’s sender claims that they have attached a payment certificate to the message and asks the user to confirm that they have received it. 
 
Capture_email_figure1.png
Figure 1. Spam email as part of the new Java RAT campaign
 
The email actually contains a malicious attachment with the file name Paymentcert.jar, detected as Trojan.Maljava. If the Trojan is executed, it will drop JRAT, detected as Backdoor.Jeetrat, on the compromised computer. The RAT not only affects Windows PCs, but also Linux, Mac OSX, FreeBSD, OpenBSD, and Solaris computers. This RAT is not new, as we have seen it in previous targeted attacks. JRAT’s builder, as seen in the following image, shows just how easy it is for an attacker to create their own customized RAT. 
 
image2_figure2.png
Figure 2. JRAT’s builder 
 
Our telemetry on the dropper shows that the campaign has predominantly affected the United Arab Emirates and the United Kingdom.  
 
map_figure3.png
Figure 3. Payment certificate spam campaign heat map for February 2014
 
This campaign appears to be targeting specific individuals. Certain aspects of the attack seem to confirm the targeted nature of the campaign, such as the low victim numbers, a unique dropper, one command-and-control (C&C) server and the fact that the majority of these spam messages were sent to personal email addresses. 
 
newchart_figure4.png
Figure 4. Number of people affected by the campaign in February 2014, according to our telemetry
 
Symantec advises users to be on their guard when they receive unsolicited, unexpected, or suspicious emails. If you aren’t sure of the email’s legitimacy, then don’t respond to it and avoid clicking on links in the message or opening attachments.