A malicious multi-platform Java applet called jRAT posing as an emailed attachment about the US National Security Agency’s surveillance campaign is being used in a spy campaign against government agencies.
Security researchers at Symantec have discovered a malicious backdoor Java applet that does not exploit a weakness in Java to compromise a victim’s PC, but rather contains a payload that is a malicious Java remote access tool (RAT).
While Java malware is not unheard of, the Java spy tool packaged in a phishing email is nonetheless “quite unusual”.
“This campaign is targeting government agencies by sending phishing emails with a malicious attachment. Nothing new so far, except for one thing: the malicious payload is a Java remote access tool (RAT),” wrote Symantec engineer Andrea Lelli on Friday.
The distribution of jRAT is most heavily concentrated in the US, followed by Canada, Australia and Europe.
Called jRAT, the malicious .jar attachment is titled “US National Security State” and is contained in an email with the subject header “Obama’s Data Harvesting Program and PRISM”.
The attachment is coupled with two other PDF documents supposedly also containing details about PRISM, however these are benign.
jRat’s builder control panel suggests it is designed not only to target Windows, but also Linux, Macs, FreeBSD, OpenBSD and Solaris, according to Symantec engineer Andrea Lelli, though Symantec has only verified the threat against Windows.
On the other hand, Lelli notes that because it is a Java applet the threat is able to run on multiple systems.
The trojan opens a backdoor to a victim’s computer and connects to the domain www.microsoftupdate.freeTCP.com, a site some AV vendors list as a malware site.
Symantec has labelled the threat Backdoo.Jeetrat and says the trojan can take screenshots; visit URLs in the browser; access the file system to read, write, or delete files; download and execute files; run arbitrary commands; shutdown the computer; logout accounts; and launch network floods to a remote target.
Using a Java applet as the payload is a new trick from a group that previously operated a campaign using attack RTF documents that exploited the Windows Common Controls ActiveX Control Remote Code Execution Vulnerability (CVE-2012-0158) in Office and other Microsoft products. Exploits were discovered circulating in the wild shortly after Microsoft’s April Patch Tuesday last year.
Symantec’s Lelli noted that the new Java applet payload without an exploit both simplified the attack and gave it a broader potential install-base since its only requirement is that the Java runtime is installed on a victim’s machine.
“The same attackers were previously using the usual attack method of sending malicious documents that exploit some vulnerability in order to drop an executable payload but recently shifted to sending malicious Java payloads directly. The attack has been simplified as it does not involve the use of an exploit, nor an executable shellcode/payload, but simply relies on a Java applet,” Lelli wrote.
Another information-stealing Java Autorun Worm called Java.Cogyeka was discovered in July last year and was still active at the beginning of July this year.