A technical analysis of the Java RAT (Remote Access Trojan) Malware

Credit to Author: Quick Heal Security Labs | Date: Mon, 17 Jul 2017 06:41:56 +0000

Remote Access Trojans are programs that allow attackers to gain unauthorized access to a targeted computer without the victim's knowledge. Java RAT malware is a Trojan-Dropper written in Java. It is designed to steal passwords, access files, log keystrokes (recording what the user types on the keyboard) and capture the screen. Information collected by the RAT is forwarded to a remote server controlled by the attacker.

Distribution Method

Java RAT malware arrives via spam emails that contain malicious attachments (fig 1).

Fig 1: How Java RAT gets into a system

Once the JAR file is executed, it drops a copy of itself into the path below under the name 'LyOCtxhwRyz.yrDUql'.

Path: %userprofile%\YzQqKjGoxHz (hidden folder)
For example: C:\Users\Public\YzQqKjGoxHz

Fig 2

The malware drops the following files:

C:\Users\Public\YzQqKjGoxHz\ID.txt
C:\Users\Public\AppData\Local\Temp\OlfYXmVqfL9024669788070560515.reg
%temp%\Retrive2638932198378221530.vbs
%temp%\_0.354484486304158635925511204328476438.class
%Application Data%\Oracle (contains a copy of files from the Java installation folder)

It creates the following folders:

C:\Users\Public\YzQqKjGoxHz (contains a copy of the actual malware, i.e. the JAR file)
C:\Users\Public\fUTkALeaTxM

The registry entry below, dropped by the malware, is used to launch itself every time the system boots and to download the executable file that infects the system.

Fig 3

The malware adds the registry entries below to disable security solutions and various analysis tools. Each one sets an Image File Execution Options "debugger" value for the tool's executable; Windows starts the registered "debugger" in place of the tool, so launching Process Explorer, Wireshark or the scanner runs svchost.exe instead:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.EXE]
"debugger"="svchost.exe"

Quick Heal Detection

Quick Heal real-time protection detects the JAR file and its component as 'Trojan.JAVA.Agent.JRAT' and 'Trojan.JAVA.Agent.JJ'.

Fig 4

Security measures to stay away from Java RAT

Do not click on links or download attachments that arrive in emails from unwanted or unexpected sources.
Apply recommended security updates for your computer's operating system and all other programs such as Adobe, Java, Internet browsers, etc.
Use antivirus software that gives layers of protection against infected emails and malicious websites. Keep the software up to date.
Take regular backups of your important data.
Free software, especially software from unverified publishers, is usually used by attackers to spread malware. Always go for genuine and licensed software.

ACKNOWLEDGMENT

Subject Matter Expert: Anita Ladkat | Quick Heal Security Labs
Source: http://blogs.quickheal.com/technical-analysis-java-rat-remote-access-trojan-malware-2/
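The Image File Execution Options entries described above are a straightforward detection opportunity: a healthy system rarely registers a "debugger" for Process Explorer or Wireshark, and never svchost.exe. This added example (not code from the Quick Heal write-up) parses a .reg export and reports every IFEO Debugger entry; the sample .reg text is constructed from the three entries listed in the analysis plus one made-up non-Debugger key, and the watchlist of tool names is an assumption taken from the write-up.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in .reg export format, modelled on the three entries the
# analysis lists (procexp.exe, wireshark.exe, SCANNER.EXE hijacked to
# svchost.exe); the notepad.exe key is made up to exercise the non-Debugger path.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.EXE]
"debugger"="svchost.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

# Matches an IFEO subkey line (native or WOW6432Node view) and captures the image name.
IFEO_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\(?:WOW6432Node\\)?Microsoft\\Windows NT\\CurrentVersion\\"
    r"Image File Execution Options\\([^\\\]]+)\]$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

# Tools named in the write-up (assumed watchlist); every Debugger entry is reported,
# these just get an explicit flag. Registry names are case-insensitive, hence lowercase.
WATCHLIST = {"procexp.exe", "wireshark.exe", "scanner.exe"}


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Return {image_name: debugger} for every IFEO subkey that sets a Debugger value."""
    found: Dict[str, str] = {}
    image = None                        # image name of the IFEO subkey being read, if any
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):        # new key: track it only if it is an IFEO subkey
            m = IFEO_KEY_RE.match(line)
            image = m.group(1).lower() if m else None
            continue
        if image is None:
            continue
        m = VALUE_RE.match(line)
        if m and m.group(1).lower() == "debugger":
            found[image] = m.group(2).strip().strip('"')
    return found


def flag_hijacks(debuggers: Dict[str, str]) -> List[Tuple[str, str, bool]]:
    """Sorted (image, debugger, on_watchlist) tuples for every Debugger entry found."""
    return sorted((img, dbg, img in WATCHLIST) for img, dbg in debuggers.items())
```

Against a live host, export the key with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` and pass the file contents to parse_ifeo_debuggers (reg export writes UTF-16, so open it with encoding="utf-16").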