A day before the controversial United States Presidential elections, an email was distributed to inform the recipients of a possible attack during election day as mentioned in a manifesto, allegedly from the ISIS terrorist group, entitled “The Murtadd Vote”. The email was supposedly sent by the head of a US-based terrorist monitoring group. The message was a snippet from the article of USA Today, and has a ZIP archive called “The Murtadd Vote.zip”.
The attachment extracts to “The Murtadd Vote.jar”, which is an Adwind Remote Access Tool/trojan (RAT). Adwind RAT (or jRAT) is nothing novel. In fact, it has been available as a Malware-as-a-Service subscription for already 4 years now. The RAT is capable of keylogging, credential-stealing, and downloading and executing additional files on the infected host to name a few features.
What makes this threat slightly different from other RATs? It’s platform-independent, and so it runs basically on any device with Java Runtime Environment (JRE) installed. As seen below, the malware was able to successfully install a copy of itself as evgjyuBYuAY.WyhMVR in both Windows and Linux.
This particular sample phones home to invoicesheet[.]ddns[.]net:183, which resolved to 220.127.116.11 yesterday, and today to 18.104.22.168.
In Windows, it uses a VBS script to search for machine information, such as which firewall is being used. It writes onto the registries using a .REG file, and has the ability to disable UAC and kill several processes that are related to system monitoring, antivirus products, and debugging software.