A RAT For The US Presidential Elections

A day before the controversial United States Presidential election, an email was distributed warning recipients of a possible attack on election day, as mentioned in a manifesto allegedly from the ISIS terrorist group, entitled “The Murtadd Vote”. The email was supposedly sent by the head of a US-based terrorist monitoring group. The message body was a snippet from a USA Today article, and the email carried a ZIP archive called “The Murtadd Vote.zip”.

[Image: mail]

The attachment extracts to “The Murtadd Vote.jar”, which is an Adwind Remote Access Tool/trojan (RAT). Adwind RAT (also known as jRAT) is nothing novel; in fact, it has been available as a Malware-as-a-Service subscription for 4 years now. Among other features, the RAT is capable of keylogging, credential stealing, and downloading and executing additional files on the infected host.

[Image: manifest]

What makes this threat slightly different from other RATs? It is platform-independent, so it runs on essentially any device with a Java Runtime Environment (JRE) installed. As seen below, the malware successfully installed a copy of itself as evgjyuBYuAY.WyhMVR on both Windows and Linux.

[Image: windows_linux]

This particular sample phones home to invoicesheet[.]ddns[.]net:183, which resolved to 163.47.20.25 yesterday and to 103.25.58.83 today.

On Windows, it uses a VBS script to collect machine information, such as which firewall is in use. It writes to the registry using a .REG file, and it can disable UAC and kill several processes related to system monitoring, antivirus products, and debugging software.

[Image: regentries]
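To show how the behaviour described above (the C2 domain and its two resolutions, the port 183 beacon, and the dropped file name shared across Windows and Linux) translates into detection logic, here is an added Python example that is not part of the original post. The log formats, timestamps, hosts and file paths are constructed for the example, and the "java process on port 183" rule is an assumed heuristic, not something the post states.

```python
import re

# Indicators from the post; the domain is defanged there and refanged here.
C2_DOMAIN = "invoicesheet[.]ddns[.]net".replace("[.]", ".")
C2_PORT = 183
C2_IPS = {"163.47.20.25", "103.25.58.83"}   # resolutions seen on consecutive days
DROPPED_NAME = "evgjyuBYuAY.WyhMVR"           # same file name on Windows and Linux

# Three hypothetical log formats, constructed for this example.
DNS_RE = re.compile(r"^(\S+) dns client=(\S+) query=(\S+) answer=(\S+)$")
CONN_RE = re.compile(r"^(\S+) conn src=(\S+) dst=([\d.]+):(\d+)(?: proc=(\S+))?$")
FILE_RE = re.compile(r"^(\S+) file host=(\S+) path=(\S+)$")

def scan(lines):
    """Return (severity, reason, line) per matching log line; "high" = known indicator, "medium" = heuristic."""
    hits = []
    for line in lines:
        if m := DNS_RE.match(line):
            qname, answer = m[3].rstrip(".").lower(), m[4]
            if qname == C2_DOMAIN:
                hits.append(("high", f"query for C2 domain {C2_DOMAIN}", line))
            elif answer in C2_IPS:
                hits.append(("high", f"resolved to known C2 address {answer}", line))
        elif m := CONN_RE.match(line):
            dst, dport, proc = m[3], int(m[4]), (m[5] or "").lower()
            if dst in C2_IPS:
                hits.append(("high", f"connection to known C2 address {dst}", line))
            elif dport == C2_PORT and proc.startswith("java"):
                # Assumed heuristic: a JRE process talking to the sample's C2 port.
                hits.append(("medium", f"java process connecting to port {C2_PORT}", line))
        elif m := FILE_RE.match(line):
            # Basename check so both Windows and Linux paths are covered.
            if re.split(r"[\\/]", m[3])[-1] == DROPPED_NAME:
                hits.append(("high", f"dropped file {DROPPED_NAME} written", line))
    return hits

# Constructed sample lines (not from the post): two benign, six malicious or suspicious.
SAMPLE_LOGS = [
    "2016-11-08T09:00:01Z dns client=10.0.0.5 query=www.usatoday.com. answer=23.1.2.3",
    "2016-11-08T09:00:02Z dns client=10.0.0.5 query=invoicesheet.ddns.net. answer=163.47.20.25",
    "2016-11-08T09:00:03Z conn src=10.0.0.5 dst=163.47.20.25:183 proc=javaw.exe",
    "2016-11-09T09:00:03Z conn src=10.0.0.7 dst=103.25.58.83:183 proc=java",
    "2016-11-09T09:00:04Z conn src=10.0.0.9 dst=203.0.113.9:183 proc=java",
    "2016-11-09T09:00:04Z conn src=10.0.0.7 dst=8.8.8.8:53 proc=nscd",
    "2016-11-08T09:00:05Z file host=WS01 path=C:\\Users\\bob\\AppData\\Roaming\\evgjyuBYuAY.WyhMVR",
    "2016-11-09T09:00:05Z file host=lx01 path=/home/bob/.config/evgjyuBYuAY.WyhMVR",
]

if __name__ == "__main__":
    for severity, reason, line in scan(SAMPLE_LOGS):
        print(f"[{severity}] {reason}: {line}")
```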

IOCs:

