
JhoneRAT

Posted: January 17, 2020

The JhoneRAT is a Remote Access Trojan (RAT) that appears to have been developed from scratch, and its authors have not borrowed code from public RAT projects. The threat is written in the Python programming language, and its authors have opted to adopt a rather interesting technique to propagate the threatening application. They use the typical phishing emails accompanied by a corrupted email attachment that poses as an interesting document – in one of their emails, they claimed to have attached a list of leaked Facebook login credentials, while another email hosted a document that claimed to contain urgent information. In both cases, the user was prompted to enable the execution of macro scripts that would initialize the next stage of the attack.

If the user falls for the social engineering trick used by the attacker, the macro code embedded in the threatening document would download an additional Microsoft Office document from Google Drive and launch it. The use of 3rd-party service providers like Google Drive has been prioritized by the authors of the JhoneRAT since it allows them to mask their traffic as legitimate, and prevent anti-virus products from reporting the traffic as suspicious.

JhoneRAT Uses 3rd-Party Public Services as its Infrastructure

The secondary document that was downloaded contains an anti-VM check: it looks for a hard drive serial number on the victim's machine – virtual machines often do not have one, and in that case the JhoneRAT ceases its attack. If it detects a serial number, the document proceeds to download a decoy image from Google Drive – the image has a hidden base64-encoded string appended to the end of the file. The string is decoded and extracted as an AutoIt script that serves as a downloader for the final payload, which is once again fetched from Google Drive.

Attackers Go after Systems in the Middle East

The first thing that the JhoneRAT does when it infects a computer is to check what keyboard layout it is using – the RAT will run only if the victim uses a keyboard layout typical for Algeria, Libya, Egypt, Iraq, Saudi Arabia, Oman, Yemen, Kuwait, Bahrain, Lebanon, UAE, Tunisia and Morocco.

The authors have once again opted to rely on a legitimate online service to feed commands to the infected host – the JhoneRAT connects to a Twitter handle (suspended by Twitter) and checks the latest tweets from the account. The attackers appear to send out commands by tweeting the victim's unique ID, followed by the command that the JhoneRAT is meant to execute. Although the Twitter profile used to operate the RAT has been suspended, there is nothing to stop the attackers from using a new one.

JhoneRAT Exfiltrates Data via ImgBB and Google Forms

In terms of functionality, the JhoneRAT supports a very short list of commands, and all of them are executed with the assistance of 3rd-party service providers:

  • JhoneRAT can grab screenshots, which are then uploaded to the ImgBB image hosting service.
  • JhoneRAT can be commanded to grab an additional payload from Google Drive. The attackers use pictures with embedded code to disguise the threatening intentions of the file.
  • JhoneRAT can execute a system command, and the recorded output will be published to a private Google Forms document created by the attackers.
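As an added example (not code from the page, from JhoneRAT, or from any analysis of it), the following Python scanner targets the trick described in both the anti-VM section and the payload item above: a base64 string appended after an otherwise valid image. It walks the PNG chunk list or the JPEG segment list to the format's real end marker, so a JPEG that legitimately carries an EXIF thumbnail (with its own end marker inside a segment) is not misread, and then reports any trailing bytes and whether they decode as base64. The sample images are constructed inline, and the names `scan_image`, `make_png_1x1` and `make_jpeg_stub` are this example's own.

```python
"""Triage helper: find data appended after an image's end-of-file marker.

Added example, not JhoneRAT's code. A decoy image with a payload appended
after the terminal marker still renders normally, so the only visible
symptom is a trailer the format does not account for. All sample images
here are constructed in code so the script runs offline.
"""
import base64
import binascii
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def _png_end(data):
    """Walk PNG chunks (length, type, data, CRC) and return the offset past IEND."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if ctype == b"IEND":
            return end
        pos = end
    return None  # no IEND: truncated or malformed


def _jpeg_end(data):
    """Walk JPEG segments to SOS, then take the first EOI after the entropy data."""
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None  # lost sync: not a well-formed segment list
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:  # EOI reached outside entropy data
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2  # standalone markers carry no length field
            continue
        if pos + 4 > n:
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: entropy-coded data runs until the true EOI
            eoi = data.find(JPEG_EOI, pos + 2 + length)
            return None if eoi < 0 else eoi + 2
        pos += 2 + length  # skip APPn/DQT/SOF/... including any embedded thumbnail
    return None


def _decode_trailer(tail):
    """Return the decoded bytes if the trailer is plausibly base64, else None."""
    compact = b"".join(tail.split())
    if len(compact) < 16 or not B64_RE.match(compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_image(data):
    """Report the image format, where it really ends, and what follows it."""
    if data.startswith(PNG_SIG):
        fmt, end = "png", _png_end(data)
    elif data.startswith(JPEG_SOI):
        fmt, end = "jpeg", _jpeg_end(data)
    else:
        return {"format": None, "image_end": None, "trailer_len": 0,
                "trailer_decodes_as_base64": False, "decoded_preview": b""}
    tail = data[end:] if end is not None else b""
    decoded = _decode_trailer(tail)
    return {"format": fmt, "image_end": end, "trailer_len": len(tail),
            "trailer_decodes_as_base64": decoded is not None,
            "decoded_preview": decoded[:32] if decoded else b""}


# ---- constructed samples -------------------------------------------------
def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png_1x1():
    """A valid 1x1 RGB PNG built from scratch (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00\xff\x00\x00"  # filter byte + one red pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def make_jpeg_stub():
    """Structurally valid JPEG skeleton whose APP1 segment contains a stray FF D9."""
    app1 = b"\xff\xe1" + struct.pack(">H", 12) + b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\x34\xff\x00\x56"  # includes a stuffed FF 00 byte pair
    return JPEG_SOI + app1 + app0 + sos + entropy + JPEG_EOI


if __name__ == "__main__":
    samples = {
        "clean png": make_png_1x1(),
        "png + base64 trailer": make_png_1x1() + base64.b64encode(b"constructed payload marker"),
        "clean jpeg": make_jpeg_stub(),
        "jpeg + text trailer": make_jpeg_stub() + b"\nthis is not base64!",
    }
    for name, blob in samples.items():
        print(f"{name:22s} -> {scan_image(blob)}")
```

On real files the useful signal is a non-zero `trailer_len`; the base64 check is a cheap secondary indicator, since appended payloads may also be raw or differently encoded, and a few bytes of padding after the end marker are common enough that a length threshold is worth adding before alerting.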

The JhoneRAT is a project intended to target users in the Middle East exclusively. Its authors have focused on using public Web services to control the infected hosts and extract data from them, which allows them to blend their fabricated network traffic with the legitimate traffic generated by the user's machine. JhoneRAT appears to be the product of hackers with well-honed programming skills who are likely to have a lot of experience in the RAT-development field.
