eSentire is The Authority in Managed Detection and Response Services, protecting the critical data and applications of 2000+ organizations in 80+ countries from known and unknown cyber threats. Founded in 2001, the company’s mission is to hunt, investigate and stop cyber threats before they become business disrupting events.
We provide sophisticated cybersecurity solutions for Managed Security Service Providers (MSSPs), Managed Service Providers (MSPs), and Value-Added Resellers (VARs). Find out why you should partner with eSentire, the Authority in Managed Detection and Response, today.
Adversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.
We have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.
Our Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.
In TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.
Here’s the latest from our TRU Team…
What did we find?
Tax season is a critical time for organizations across all sectors, as the rush of tax document preparation and submission presents an opportunity for finance-themed cybersecurity threats. During this period, threat actors are particularly active, seeking to exploit the heightened urgency and volume of tax-related communications through various phishing strategies.
In early February 2024, the eSentire Threat Response Unit (TRU) uncovered a phishing campaign leveraging tax themes within the Business Services sector. This article explores two instances of such threats, each deploying JAVA-based RAT malware from distinct families: Ratty RAT and Sorillus RAT.
In the first observed phishing attempt, threat actors employed HTML smuggling (Figure 1).
Figure 1: Email containing the malicious HTML attachment
The HTML attachment contains a Base64-encoded blob that decodes to random text and the embedded URL hosting the malicious ZIP archive named “Tax_documents_PDF.zip” (MD5: a988632f9a684e4fccb7a905eba02f43) (Figure 2). The ZIP archive contains the JAR file, which we have determined to be Sorillus RAT (Remote Access Trojan).
You can read more about Sorillus RAT in our previous blogs here
and here.
Figure 2: Contents of HTML attachment
In the second case we analyzed, although the phishing email from the incident was not retrieved, our investigation uncovered a JAR payload within the ZIP file named “2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.zip” (MD5 checksum: 00b986c09855eedfe4deb72d0d2e048d).
This payload was identified as Ratty RAT, an open-source Java-based RAT developed by an individual known by the pseudonym “Sogomn”.
Figure 3: Ratty panel
Upon loading the RAT into the decompiler, we notice that the code is heavily obfuscated (Figure 4).
Figure 4: Obfuscated code
The method signature public static void startClient(String address, int port) {} is responsible for starting the RAT client with the address and port (Figure 5).
Figure 5: C2 IP and port
Part of the Ratty configuration can be observed in Figure 6, the threat actor can configure the chat and keylogger options.
Figure 6: Chat and keylogger values
The chat feature supports both text and voice communication with the infected machine (Figure 7).
Figure 7: Snippet of the class that is responsible for voice transmission
Ratty also has the capability for screen capture (Figures 8-9). The rendering capabilities are used to capture the screen contents.
Figure 8:Snippet responsible for graphical renderingFigure 9: Screenshot capture
The snippet in Figure 10 is responsible for downloading additional payloads from the internet using the user-agent “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0”.
Figure 10: Snippet of code responsible for retrieving additional payloads from the internet
Apart from the mentioned features, Ratty is also capable of achieving and removing persistence via Startup and Registry Run Keys on the host, hiding the malicious file with “attrib +H %s”, restarting, and shutting down the host (Figure 11).
Figure 11: Additional Ratty capabilities
What can you learn from this TRU Positive?
This phishing campaign strategically targets various industries during tax season, leveraging the heightened activity and urgency associated with tax document handling. This timing increases the likelihood of successful phishing attempts as organizations are more likely to engage with tax-related communications.
HTML Smuggling enables attackers to bypass traditional email and web filters. By encoding malicious payloads within HTML attachments, attackers can evade detection mechanisms that rely on signature-based or known malicious pattern identification, demonstrating the need for multi-layered security solutions that include behavior analysis.
The discovery of different payloads, including Sorillus RAT and Ratty RAT within various ZIP files, underscores the diversity of tools at attackers' disposal. This variety can complicate detection efforts and indicates a potentially broader strategy involving deploying multiple redundancy and flexibility tools.
The identification of the Ratty RAT, a Java-based remote access tool, within one of the ZIP files highlights the ongoing threat posed by open-source malware. The use of such malware enables attackers to execute a wide range of malicious activities, from data theft to surveillance, underscoring the need for robust defense mechanisms.
The campaign's reliance on ZIP files for malware delivery and the subsequent execution of the Ratty RAT illustrate the necessity for operational security measures. These include educating users on the risks of opening unsolicited attachments and employing email scanning solutions to detect and isolate suspicious email attachments.
What did we do?
Our 24/7 SOC Cyber Analysts investigated the suspicious activities, notified the clients and isolated the affected devices.
Recommendations from our Threat Response Unit (TRU):
Ensure that all endpoints are protected with up-to-date antivirus software or Endpoint Detection and Response (EDR) tool capable of detecting and blocking malicious files.
If the Java Development Kit (JDK) or Java Runtime Environment (JRE) is not required for day-to-day operations or specific applications in use, consider uninstalling it from the systems.
The absence of JDK/JRE effectively prevents the execution of Java-based applications, including potentially malicious .JAR files, reducing the attack surface for cyber threats that leverage Java vulnerabilities or Java-based malware.
The eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.
Cookies allow us to deliver the best possible experience for you on our website - by continuing to use our website or by closing this box, you are consenting to our use of cookies. Visit our Privacy Policy to learn more.
