
IceRAT Malware

Posted: December 3, 2020

The IceRAT Malware is a peculiar cyber threat whose author has adopted an innovative way to create the payload. They are using a programming language known as JPHP – the special thing about this language is that it runs PHP code inside a Java Virtual Machine (VM). This is not efficient in terms of performance, but it might help the IceRAT Malware stay undetected by outdated anti-virus software. Furthermore, the IceRAT Malware is made even harder to detect by the fact that its code is split into several small components, which are loaded separately. The use of individual components may make some of the IceRAT Malware's modules seem harmless, but they become very threatening when used together.

Innovative JPHP Malware also Features a Modular Structure

IceRAT Malware's modules are downloaded after the primary client is executed on the compromised computer. The names of the downloaded modules are:

  • Min.exe – a miner component.
  • 1.exe – used to communicate with the attacker via Telegram.
  • Klog.exe – believed to be a keylogger.
  • Stel.exe – infostealer.
  • Cheats.exe – Trojan downloader.
  • Klip.exe – believed to be a clipboard collector.
  • Winlogin.exe – a miner component.

The IceRAT Malware uses an interesting check to determine which components it should download and run on the compromised system. The primary module connects to the domain malina1306.zzz.com.ua and checks the files 'dow_stil.txt' and 'dow_klip.txt' for the presence of a string matching the following pattern – <MAC ADDRESS>:<OPERATING SYSTEM>:<RAM>:<PROCESSOR>:<USERNAME>. This is a unique identifier for each compromised computer, and the attacker can add it manually to the two files mentioned above. If a match is found, the IceRAT Malware proceeds to download either the 'klip.exe' or the 'stel.exe' module.
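
The following is an added example (not code from the original article or from the malware's authors) showing how a defender could use the details above: it parses the five-field victim identifier format and flags proxy log entries for the allow-list files on the staging domain. The MAC address syntax and the proxy log layout are assumptions; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators named in the write-up: the staging domain and the two
# allow-list files the primary module polls.
ICERAT_DOMAIN = "malina1306.zzz.com.ua"
ICERAT_FILES = ("dow_stil.txt", "dow_klip.txt")

# Victim identifier described in the article:
# <MAC ADDRESS>:<OPERATING SYSTEM>:<RAM>:<PROCESSOR>:<USERNAME>
# Assumption: the MAC is six hex octets separated by ':' or '-'.
MAC_RE = r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}"
VICTIM_ID_RE = re.compile(rf"^({MAC_RE}):([^:]+):([^:]+):([^:]+):([^:]+)$")


@dataclass(frozen=True)
class VictimId:
    mac: str
    os: str
    ram: str
    cpu: str
    user: str


def parse_victim_id(line: str) -> Optional[VictimId]:
    """Parse one allow-list line; None if it is not in the five-field format."""
    m = VICTIM_ID_RE.match(line.strip())
    return VictimId(*m.groups()) if m else None


# Constructed proxy log (not real traffic): "<client> <method> <host> <path>".
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET www.example.com /index.html
10.0.0.7 GET malina1306.zzz.com.ua /dow_stil.txt
10.0.0.7 GET malina1306.zzz.com.ua /dow_klip.txt
10.0.0.9 GET cdn.example.net /assets/app.js
"""


def flag_icerat_beacons(log_text: str) -> List[Tuple[str, str]]:
    """Return (client, path) for requests to the allow-list files on the
    staging domain, i.e. hosts that look like they run the primary module."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or empty lines
        client, _method, host, path = parts
        if host == ICERAT_DOMAIN and path.lstrip("/") in ICERAT_FILES:
            hits.append((client, path))
    return hits
```

Both checks can be combined: a host that appears in the beacon list and whose identifier string is present in the staged files is one the attacker has selected for the stealer or clipboard module.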

The collector module of the IceRAT Malware targets Web browsers like Mozilla Firefox, Google Chrome, K-Melon, Amigo, Yandex, Kometa, and others. It also goes after the FileZilla FTP client. On the other hand, the cryptocurrency miner hides under the name 'winlogin.exe' and mines for Monero.

Thankfully, the IceRAT Malware does not appear to be widespread, and, so far, the majority of the victims are concentrated in Eastern Europe. While the techniques used to create the IceRAT Malware are certainly innovative, you can rest assured that up-to-date anti-virus products can keep you safe from this threat's unsafe activities.

Crutch Malware

The Crutch Malware is believed to be part of the arsenal of the Turla hacking group, a Russian Advanced Persistent Threat (APT) actor specializing in attacks against government entities and companies operating in the education, medical, and energy industries. Their latest project, the Crutch Malware, was discovered on systems belonging to a government within the European Union, and it seems to work as both a backdoor Trojan and a covert infostealer. The low detection rate of the Crutch Malware is likely a sign that the malware is being used against very few selected targets, which allows it to stay undetected for longer.

The modus operandi of the Crutch Malware appears to be flexible. While the malware is capable of searching for specific types of documents (RTF, DOC, DOCX, and PDF) automatically, it also allows the remote operator to control it manually. Regardless of the technique used, the Crutch Malware always exfiltrates files in the same manner – it compresses them into a ZIP archive and then uploads them to a Dropbox account controlled by the hackers. Apart from scanning the hard drive of the compromised system, the Crutch Malware can also check removable storage devices for the presence of the targeted files.

The Turla hackers have over a decade of experience in the field, and the Crutch Malware is just one of the many implants they use. Cybersecurity experts believe that the Crutch Malware does not work as a first-stage backdoor; instead, it was installed after the criminals had managed to infiltrate the victim's network via a different piece of malware. Using a legitimate service like Dropbox to exfiltrate collected data is a simple trick to make the harmful activity blend in with legitimate network traffic, so as not to raise any suspicion.
