Spammers are spreading Java-based remote access Trojans, known as jRATs, targeting tax filers with attachments named “IRS Updates.jar” and “Important_PDF.jar” that, if executed, give attackers access to compromised endpoints.
Zscaler, which is tracking the jRATs, believes some of the campaigns could be related to the Loki Trojan, used in attacks against Android phones last month.
“Malware continues to draw in unsuspecting victims by using current issues and relevant events of the day to capture people’s attention and interest,” wrote Sameer Patil, a security researcher at Zscaler.
The warning comes the day before the April 18 tax deadline and adds to an already busy season of income tax-related scams reported by various security experts and the U.S. Internal Revenue Service. In March, Microsoft said a bevy of phishing campaigns using tax scams to spread Zdowbot and Omaneat banking Trojans.
With one click, users can become victims of a jRAT, Patil wrote. Those who make the mistake of opening the attachment run the risk of making themselves and their corporate networks vulnerable to attack, he said.
“The jRAT payload is capable of receiving commands from a C2 server, downloading and executing arbitrary payloads on the victim’s machine. It also has the ability to spy on the victim by silently activating the camera and taking pictures,” Pail wrote.
The use of Java-based RATs is not unique. However, they stand in contrast to other recent RATs found in the wild such ROKRAT, that exploited an EPS vulnerability, and the SpyNote RAT, that targeted Android devices.
Patil noted the level of obfuscation used by one jRAT sample, where the author made it difficult to decompile and understand its code. If the recipient opens the malicious Java archive (JAR) attachment, a VBScript places a file named “Retrive<Random number>.vbs” in the Windows “%APPDATA%” directory, he described. Next, the dropper runs a check for the presences of antivirus or firewall software.
“The JAR file… is just a dropper and decrypter for the main jRAT file,” Patil said. “It basically contains the jRAT sample in an encrypted form.” According to researchers, the encryption used is via an embedded AES key, which is encrypted using an RSA key.
Communication to a C2 server was via an encrypted configuration file that contains details for the bot to communicate. Persistence on the host was achieved via an auto-start registry entry that launched at system reboot. Attackers used a hardcoded URL (workfromhomeplc[.]ru/dmp/PO%233555460.exe) to download additional malicious executables.
At the time of analysis, the URL was not active, however researchers noted the URL was also used to host the Loki Trojan.
Last month, mobile devices manufactured by a diverse set of handset makers were discovered to be loaded with malware pre-installed somewhere along the supply chain. Six of the devices were found infected with the Loki Trojan, a malicious ad network that’s been in circulation for more than a year. Loki can display ads to generate revenue, has mechanisms to maintain persistence, and it can intercept communication and exfiltrate data from an Android device.