Worryingly, it’s a cross-platform affair: the RAT not only affects Windows PCs, but also Linux, Mac OS X, FreeBSD, OpenBSD and Solaris computers.
According to Symantec, it all started on February 13 with the payment emails, which also ask the user to confirm that they have received them. And of course, the emails actually contain a malicious attachment – in this case with the file name Paymentcert.jar, detected as Trojan.Maljava.
Symantec researchers explained in an analysis that if the trojan is executed, it will drop JRAT, detected as Backdoor.Jeetrat, on the compromised computer.
The offensive appears to be highly targeted, unlike some spam campaigns, and is going after specific individuals. There are low victim numbers, a unique dropper, only one command-and-control (C&C) server and the fact that the majority of these spam messages were sent to personal email addresses – all signs that there’s a method and a purpose behind the attack.
JRAT lends itself to small-batch attacks like this. “This RAT is not new, as we have seen it in previous targeted attacks,” the firm said. “JRAT’s builder shows just how easy it is for an attacker to create their own customized RAT.”
In general, of course, RAT campaigns aren’t rare anymore. Their prevalence has increased in the past few years and they have continued to target both enterprises and individuals.
“The popularity of these campaigns isn’t surprising, as if an attacker successfully infects a victim’s computer with a RAT, then they could gain full control of the compromised computer,” Symantec noted. “Along with this, these threats aren’t limited to one operating system, as in theory, they focus on any computer that runs Java. Attackers have easy access to Java RATs thanks to the fact that a handful of these RATs’ source code is being openly shared online.”
As always, users should be on their guard when they receive unsolicited, unexpected or suspicious emails.