Been thinking a lot about Noir and Gilbert (Noibert…….)
Sad, violent, moody, “I don’t need anyone” detective and open, bubbly, seductive, “I’m just here for a good time” vampire are altering my brain chemistry…
jRAT: The Spy and Controller
jRAT (also known as Adwind) is, as the name suggests, a RAT. This is a type of computer malware that is probably the worst type to get infected by, as the acronym stands for Remote Access Trojan, meaning the attacker behind the infection will have complete control of your computer remotely. The attacker can, for example, log everything you type (including passwords), spy through the webcam, download and upload files from your computer, stop programs from running, and more.
In this post I will write specifically about how jRAT works, but the purpose of the malware is the same as any RAT - spying and stealing information. And don't worry, you won't need a computer science background of any kind to understand this post!
As with many other malware infections, it starts with the user initiating the infection chain, thinking it is something else. This is where the "Trojan" part comes in, as in the Trojan Horse - you think you are opening one thing, for example an invoice or shipping confirmation in an email, but it is actually the malware you are starting up. It can arrive as an attachment asking for payment, a link in an email that seems to be from DHL with a package tracking number... The lures are many and sometimes very well made.
jRAT depends on Java being installed, as the initial malicious file runs on Java and has a .jar extension. It will start by establishing contact with a so-called "C&C" (Command and Control) server, which I have written more about in this post, but it is in short like a secret meeting place on the internet where malware goes to fetch further instructions or files. One of the reasons for doing this is that it makes it harder for antivirus software to stop it. Once it has made contact with the C&C, it will immediately replace itself with the newest version and fetch three new files with different purposes. All of them will be located under the folder AppData/Local/Temp/, which is common for malware as it's kind of an all-purpose location, hiding in plain sight among other random files. The fetched files are:
1. A .class-file with a random name, for example _0.57339082331822999210753159459375475.class - this is the main malware "body" and is actually a .jar (Java) file, and it is responsible for all the control the attacker will have of your computer. It will also drop a copy of itself under the user folder, which is later used for persistence (I will go into this part later).
2. VBS-files (Visual Basic Script, a kind of scripting language made by Microsoft that is commonly used with Windows software) with random names, for example HOMgGlvQhbNYUpH8623951051131488128.vbs - these files will check the system for any antiviruses and other security products installed. Kind of like checking the perimeter for guards.
3. A .reg-file in the same location with a random name such as cYlDEVVYAP4997887052104582959.reg - it is executed via the Windows reg.exe process to create registry entries. The Windows registry is kind of a library for software, where the settings and information that software uses are stored and referred to. Here jRAT will create entries for known antivirus, analysis and security products, for example Malwarebytes antivirus. The purpose of all these entries is so that whenever the system detects a new program started and it is in this registry list, it will immediately be stopped. So most of the tools available that could remove or analyse this infection will no longer start up or work.
Additionally, once the infection is complete and jRAT has landed safely in your system, it will create assistance files that provide the many spying functionalities of jRAT. They are all named “Windows” followed by 19 random digits, to appear like they are part of the system and avoid being deleted.
Now, returning to what I said about persistence: In malware terms, "persistence" means "how the malware will start up again whenever the computer is restarted, without user interaction or knowledge". There are many ways to achieve this, and here's how jRAT does it: since it depends on Java to run, it will add Java to the Windows Auto Run registry collection. Windows looks into this part of the registry whenever your computer is started to see which programs it will run immediately on start-up, which is why you have programs like Spotify, Skype and Steam popping up in your face first thing in the morning. Additionally, in this auto run registry entry, it will also tell Java that it should run the jRAT "body" file stored in the user folder under another randomly named folder. And as simple as that, jRAT will now run whenever you start up your computer.
That's it, a short and hopefully not too technical explanation of how jRAT enters the system and remains hidden. But if you feel like you don't understand some part or have other questions, please don't hesitate to message me. I do not think there's such a thing as a stupid question. :)
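A defender-side triage sketch for the artifacts described in the post above, added here as an example and not part of the original post or any vendor tool: it matches the file-name shapes from the post's examples and flags autorun commands that start Java on a file under a user profile. The regex shapes, the `-jar` argument, and the sample user name, paths and Run value names are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Name shapes taken from the examples in the post. Assumption: other samples
# follow the same shapes; treat matches as leads, not verdicts.
NAME_PATTERNS = {
    "body (.class)": re.compile(r"^_0\.\d{20,}\.class$"),
    "security-product check (.vbs)": re.compile(r"^[A-Za-z]{5,}\d{19}\.vbs$"),
    "registry import (.reg)": re.compile(r"^[A-Za-z]{5,}\d{19}\.reg$"),
    "helper (Windows + 19 digits)": re.compile(r"^Windows\d{19}(\.\w+)?$"),
}
JAVA_EXE = re.compile(r"\\javaw?\.exe\b", re.I)
USER_PATH = re.compile(r'[A-Za-z]:\\Users\\[^"]+', re.I)

def classify_file(path):
    """Return a label when a file name matches one of the described shapes."""
    name = PureWindowsPath(path).name
    in_temp = "\\appdata\\local\\temp\\" in path.lower()
    for label, rx in NAME_PATTERNS.items():
        # The three fetched files are only expected under the Temp folder.
        if rx.match(name) and (in_temp or label.startswith("helper")):
            return label
    return None

def suspicious_autorun(command):
    """True when an autorun command starts Java on a file in a user profile."""
    parts = JAVA_EXE.split(command, maxsplit=1)
    return len(parts) == 2 and bool(USER_PATH.search(parts[1]))

def triage(files, run_values):
    hits = {f: classify_file(f) for f in files if classify_file(f)}
    autoruns = [n for n, cmd in run_values.items() if suspicious_autorun(cmd)]
    return hits, autoruns

# Constructed sample data (user name, paths and value names are made up).
TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\"
SAMPLE_FILES = [
    TEMP + "_0.57339082331822999210753159459375475.class",
    TEMP + "HOMgGlvQhbNYUpH8623951051131488128.vbs",
    TEMP + "cYlDEVVYAP4997887052104582959.reg",
    TEMP + "Windows1234567890123456789",
    TEMP + "setup.log",
    "C:\\Users\\alice\\Documents\\report.vbs",
]
SAMPLE_RUN = {
    "Spotify": r'"C:\Users\alice\AppData\Roaming\Spotify\Spotify.exe"',
    "Updater": r'"C:\Program Files\Java\bin\javaw.exe" -jar "C:\Users\alice\qXzPk\a.txt"',
    "Agent": r'"C:\Program Files\Java\bin\java.exe" -jar "C:\Program Files\Agent\agent.jar"',
}
```

Calling `triage(SAMPLE_FILES, SAMPLE_RUN)` returns the matched files with their labels and the names of the flagged autorun values; on a real host the inputs would come from a directory listing and an export of the Run keys.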
Happy Pride! Noir has a situationship going on now 🏳️🌈
Have been missing Noir and the story a lot sooooo been scribbling A LOT about him and Gilbert over here thihi
Some ADWIND sketches I started in the past months but never came around to finish 😅
Some recent oc art I did ✨ have a nice week everyone!

May I introduce you to my Casino OCs? ♥️♣️
HAPPY PRIDE MONTH FELLOW GAYS! Here's a little Noir to celebrate every gay's birthday, stay true to yourself friends! ily
MY BIRTHDAY BOYS! Tho Cliff’s was on November 21st and Noir’s is on February 1st (todaaay) and since I didn’t share Cliffy’s gift (and love him so dearly) I thought I’d throw them in here too! Together :> haha 💙💜💙💜