16 January 2018

Seqrite thwarts attempts of a JAVA jRAT phishing campaign targeting an international embassy in India

Written by Pradeep Kulkarni
Malware, Security

Earlier we blogged about how Java-based jRAT malware has evolved in recent times. At Quick Heal Security Labs, we are actively observing jRAT campaigns in the wild. These Java malware spread through phishing campaigns. While analyzing one such phishing campaign, we found that an international embassy in India was being targeted. The malware used in the campaign was the infamous Java malware jRAT. The phishers sent their emails to the official email address of the targeted embassy.

This is how the phishing email looks:

Fig 1. Phishing email sent to the targeted embassy

As shown in the figure above, a fake DHL shipment notification is sent to the targeted email address, a classic phishing email. The content of the email looks neat and convincing enough to trick the user into opening the attachment to learn more about the shipment. The email attachment “ORIGINAL SHIPPING DOCUMENT.zip” is a ZIP archive containing an “ORIGINAL SHIPPING DOCUMENT.jar” file. It is unusual for a shipment notification to carry a “.jar” file as an attachment. Once the user double-clicks this JAR file, the malware is executed. Nowadays, many applications require Java/JRE to run, so the chances of a Java/JRE being installed on an end-user system are extremely high. This makes the execution of Java-based malware on the targeted system all the more likely.
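A mail gateway can catch this kind of attachment before the user ever sees it. The following is an added example, not code from the Seqrite post: it opens a ZIP attachment and flags members that are Java archives, by content (a ZIP carrying META-INF/MANIFEST.MF) as well as by extension, so a JAR hidden behind another name is still reported. The sample archives, the member names and the extension list are constructed for this example.

```python
import io
import zipfile

# Extensions the post's advice singles out plus .vbs (the dropped scripts).
RISKY_EXTENSIONS = (".jar", ".js", ".exe", ".vbs")


def is_jar(data: bytes) -> bool:
    """A JAR is a ZIP with a manifest; check content, not the file name."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as inner:
            return "META-INF/MANIFEST.MF" in inner.namelist()
    except zipfile.BadZipFile:
        return False


def inspect_zip_attachment(blob: bytes) -> list:
    """Return (member_name, reason) findings for one ZIP attachment.
    A JAR renamed to 'invoice.pdf' is still reported by content."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as outer:
        for info in outer.infolist():
            name = info.filename
            if name.lower().endswith(RISKY_EXTENSIONS):
                findings.append((name, "risky extension"))
            if is_jar(outer.read(info)):
                findings.append((name, "java archive content"))
    return findings


def build_sample(inner_name: str, inner_is_jar: bool) -> bytes:
    """Constructed test data: a ZIP holding a minimal JAR or plain text."""
    if inner_is_jar:
        jar_buf = io.BytesIO()
        with zipfile.ZipFile(jar_buf, "w") as jar:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            jar.writestr("Loader.class", b"\xca\xfe\xba\xbe")  # class magic only
        payload = jar_buf.getvalue()
    else:
        payload = b"Shipment reference: constructed sample text"
    outer_buf = io.BytesIO()
    with zipfile.ZipFile(outer_buf, "w") as outer:
        outer.writestr(inner_name, payload)
    return outer_buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("ORIGINAL SHIPPING DOCUMENT.jar", inner_is_jar=True)
    for member, reason in inspect_zip_attachment(sample):
        print(f"BLOCK {member!r}: {reason}")
```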

Seqrite detection

This particular phishing attempt against the targeted embassy was successfully blocked by Seqrite products with the Java detection “JAR.Suspicious.A”.

Infection Chain

A typical infection chain found in this jRAT phishing campaign is as follows.

Fig 2. Infection Chain - jRAT phishing campaign

Technical details

As depicted in Fig 2, upon execution of the ‘Parent JAR’ malware, it drops two VB script files and the jRAT malware, all embedded in it, to the ‘%Temp%’ location. These VB scripts are responsible for identifying the antivirus and firewall products installed on the system. The malware also checks for the ‘Win32_PnpSignedDriver’ pipe, which it uses to identify a virtual environment; if this pipe is found to be open, the malware stops its activity.
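The chain above (a JAR run by the Java runtime executing VBScript files it dropped into %Temp%) is a distinctive parent/child relationship that endpoint telemetry can alert on. The following is an added example, not code from the Seqrite post or from any product: it parses constructed process-creation records (a simple key=value format invented for this example, not a real log format) and flags a java.exe/javaw.exe parent launching wscript.exe or cscript.exe on a .vbs file under a Temp directory. The pids, paths and script names are made up.

```python
import re
from typing import Dict, List

JAVA_PARENTS = {"java.exe", "javaw.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A .vbs path under the user or system Temp directory (the drop location above).
TEMP_VBS = re.compile(r'\\(AppData\\Local\\Temp|Windows\\Temp)\\[^\\"]+\.vbs\b', re.I)


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'key=value' pairs; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_java_dropped_vbs(event: Dict[str, str]) -> bool:
    """Java parent -> script host child -> .vbs argument inside a Temp directory."""
    return (basename(event.get("parent_image", "")) in JAVA_PARENTS
            and basename(event.get("image", "")) in SCRIPT_HOSTS
            and TEMP_VBS.search(event.get("cmdline", "")) is not None)


def find_alerts(lines: List[str]) -> List[str]:
    """Return the pids of process-creation events matching the chain."""
    return [e["pid"] for e in map(parse_line, lines) if is_java_dropped_vbs(e)]


# Constructed sample telemetry (not real product logs); only pid 4120 should alert.
SAMPLE_LOG = [
    r'pid=4120 image="C:\Windows\System32\wscript.exe" parent_image="C:\Program Files\Java\jre8\bin\javaw.exe" cmdline="wscript.exe C:\Users\alice\AppData\Local\Temp\dropped1.vbs"',
    r'pid=4121 image="C:\Windows\System32\wscript.exe" parent_image="C:\Windows\explorer.exe" cmdline="wscript.exe C:\Users\alice\AppData\Local\Temp\logon.vbs"',
    r'pid=4122 image="C:\Windows\System32\cmd.exe" parent_image="C:\Program Files\Java\jre8\bin\javaw.exe" cmdline="cmd.exe /c ver"',
    r'pid=4123 image="C:\Windows\System32\cscript.exe" parent_image="C:\Program Files\Java\jre8\bin\java.exe" cmdline="cscript.exe C:\Tools\build.vbs"',
]

if __name__ == "__main__":
    print("alerts:", find_alerts(SAMPLE_LOG))  # alerts: ['4120']
```

The second record shows why the parent check matters: a script host running a Temp .vbs from Explorer is common enough in enterprises that matching on the path alone would be noisy.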

Below are images of the VBS files.

Fig 3. VBS file to identify installed antivirus products.

Fig 4. VBS file to identify installed firewall products.

The dropped jRAT file connects to the CNC domain ‘vvrhhhnaijyj6s2m.onion[.]top’, which is hosted on 46.246.120.179. Online scanners rate both the domain and the IP as malicious. The communication happens over an SSL channel.

Fig 5. Connection with a CNC domain

Fig 6. Decoded SSL certificate.

At the time of our analysis, the CNC server did not respond with the final payload. Generally, we have observed infostealer malware being delivered in ongoing jRAT campaigns.

Although phishing is an old technique for spreading malware, it is still one of the simplest and most effective techniques used by phishers. Using this simple method of malware distribution, phishers are going after high-profile targets such as the international embassy in this case. We advise our users to stay protected by keeping their Endpoint Security solution (EPS) up to date with the latest security updates.

Security measures

Here’s an infographic that explains phishing. Below are some useful tips to stay away from phishing attacks.

  • Do not open emails that come from unknown, unwanted or unexpected sources.
  • Do not click on links or download attachments in such emails.
  • Do not open email attachments with extensions such as .js, .jar, .exe, and .pdf.
  • Disable VBA macros in Microsoft Office applications.
  • Apply all recommended updates to your operating system and to programs such as Adobe products, Java and Internet browsers.
  • Make sure that your Endpoint Security solution (EPS) software is up to date.
  • Take regular backups of your files.

Indicators of compromise

DHL Shipment Notification: 85482550044
ORIGINAL SHIPPING DOCUMENT.zip
ORIGINAL SHIPPING DOCUMENT.jar
F2727B26A75F9DF01E464B9144117AE1
B01F4758F4FD791B851D64FC16B56D08
vvrhhhnaijyj6s2m.onion[.]top
46.246.120.179

Subject Matter Experts
Pradeep Kulkarni, Prashant Kadam | Quick Heal Security Labs
