IceRat evades antivirus by running PHP on Java VM

Command and Control

Although the name IceRat suggests a remote access trojan, the current malware is better described as a backdoor: features for actual remote control, such as moving the mouse or typing on the keyboard, are missing.

Command and control works by periodically checking the contents of certain text files on the malware server. For example, klient.exe[5] checks the content of the file hxxp://malina1306.zzz.com.ua/dow_stil.txt. If that file contains a line that matches the string :::: for the infected system (see image below), klient.exe downloads the stealer[6] from hxxp://malina1306.zzz.com.ua/stel.exe and saves it to c:\Windows\Temp\.Browser.exe.

Similarly, a coinminer downloader[7] is obtained if hxxp://malina1306.zzz.com.ua/dow_klip.txt contains a corresponding line for the infected system. It is downloaded from hxxp://malina1306.zzz.com.ua/klip.exe to c:\Windows\Temp\.Chrome.exe.

The file 1.exe[12] is downloaded from hxxp://malina1306.zzz.com.ua/1.exe or hxxp://bests.zzz.com.ua/1.exe and saved under a name derived from a random number between 10000 and 1000000. The resulting file location is c:\Windows\Temp\..exe. This component communicates with the malware operator via Telegram.

Two more files are referenced in klient.exe but no longer exist on the server: hxxp://malina1306.zzz.com.ua/min.exe would be downloaded to c:\Windows\Temp\.Jawaw Se binar.exe, and hxxp://malina1306.zzz.com.ua/klog.exe would be downloaded to c:\Windows\Temp\.Windows Push.exe. Based on the filenames one would assume that min.exe is the coinminer, whereas klip.exe sounds more like a clipbanker; the server, however, did not provide those files. klog.exe might have been a keylogger.
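The tasking scheme described above is simple enough to model, which is useful for both understanding it and hunting for it. The following Python is an added example and is not the malware's code or G DATA's: it emulates klient.exe's "is my host listed in the task file?" check over constructed task-file contents, matches the C2 URLs quoted above against constructed proxy log lines, and flags drop names that fit the 10000 to 1000000 random-number pattern. The victim identifier format (hostname:username), the exact on-disk names (the placeholder between Temp\ and the following dot did not survive extraction), and all sample data are assumptions.

```python
import re

# Indicators quoted in the post above (hxxp written as http here).
C2_HOSTS = ("malina1306.zzz.com.ua", "bests.zzz.com.ua")

# Task file on the C2 -> (payload fetched when the victim is listed, drop path).
# Drop paths are as printed in the post; the placeholder between "Temp\" and
# the next dot is missing there, so these exact names are an assumption.
TASKS = {
    "dow_stil.txt": ("stel.exe", r"c:\Windows\Temp\.Browser.exe"),
    "dow_klip.txt": ("klip.exe", r"c:\Windows\Temp\.Chrome.exe"),
}


def tasked_downloads(victim_id, task_files):
    """Emulate klient.exe's check: for every task file whose content has a
    line equal to this victim's identifier, return (payload URL, drop path).
    task_files maps task file name -> text fetched from the C2. The format of
    victim_id is an assumption; the real one is only shown in the post's image."""
    hits = []
    for name, (payload, drop) in TASKS.items():
        lines = task_files.get(name, "").splitlines()
        if any(line.strip() == victim_id for line in lines):
            hits.append((f"http://{C2_HOSTS[0]}/{payload}", drop))
    return hits


# 1.exe is dropped under c:\Windows\Temp\ with a name built from a random
# number in [10000, 1000000]; "<n>.exe" is the assumed form of that name.
RANDOM_DROP_RE = re.compile(r"^c:\\windows\\temp\\(\d+)\.exe$", re.IGNORECASE)


def is_random_drop_name(path):
    """True if path looks like the randomly named 1.exe drop location."""
    m = RANDOM_DROP_RE.match(path)
    return bool(m) and 10000 <= int(m.group(1)) <= 1000000


IOC_URL_RE = re.compile(
    r"https?://(malina1306\.zzz\.com\.ua|bests\.zzz\.com\.ua)/"
    r"(dow_stil\.txt|dow_klip\.txt|stel\.exe|klip\.exe|1\.exe|min\.exe|klog\.exe)\b",
    re.IGNORECASE,
)


def scan_proxy_log(lines):
    """Return (host, resource) for each log line requesting a listed C2 URL."""
    return [(m.group(1), m.group(2)) for m in map(IOC_URL_RE.search, lines) if m]


# Constructed sample data for the demo (not captured traffic or real task files).
SAMPLE_TASK_FILES = {
    "dow_stil.txt": "DESKTOP-A1:bob\nWS-17:alice\n",
    "dow_klip.txt": "WS-17:alice\n",
}
SAMPLE_LOG = [
    "2020-11-24 10:02:11 10.0.0.5 GET http://malina1306.zzz.com.ua/dow_stil.txt 200",
    "2020-11-24 10:02:12 10.0.0.5 GET http://malina1306.zzz.com.ua/stel.exe 200",
    "2020-11-24 10:05:40 10.0.0.9 GET http://example.com/index.html 200",
    "2020-11-24 10:07:03 10.0.0.5 GET http://bests.zzz.com.ua/1.exe 200",
]

if __name__ == "__main__":
    for victim in ("WS-17:alice", "DESKTOP-A1:bob", "PC-99:eve"):
        print(victim, tasked_downloads(victim, SAMPLE_TASK_FILES))
    print(scan_proxy_log(SAMPLE_LOG))
    print(is_random_drop_name(r"C:\Windows\Temp\482913.exe"))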
