IceRAT Malware

IceRAT Malware Description

IceRAT is a peculiar malware strain that exhibits some rarely, or possibly never-before-seen, characteristics. The main aspect that sets this threat apart is that it is written in JPHP, a PHP implementation that runs on the Java VM. Instead of the usual Java .class files, JPHP compiles to .phb files. This makes a drastic difference to detection, since the number of anti-malware solutions that support .phb is extremely low. As for its capabilities, despite IceRAT literally having RAT (Remote Access Trojan) in its name, it acts more like a backdoor than a tool that gives the attackers remote control over the compromised system. Being written in JPHP also created unique challenges for the infosec researchers who analyzed the threat, as there are no readily available tools capable of decompiling JPHP code.

IceRAT's architecture was also chosen to reduce the chance of detection. Instead of putting all of the threatening functionality into a single file, the hackers responsible for the threat designed it as a collection of several individual components, each tasked with a single function. If the downloader component is discovered on its own, for example, it could easily be overlooked: without the context of the payload it fetches, the file may appear benign.

The attack chain of the IceRAT infection is rather complex, involving multiple stages and several droppers. The initial stage delivers a self-extracting WinRAR archive named Browes.exe onto the targeted system. When executed, the archive drops and starts a Windows Cabinet file named '1.exe,' which is another dropper that in turn delivers two files: a setup file for the CryptoTab software and a threatening downloader named 'cheats.exe.' It is believed that the CryptoTab software, although it possesses cryptomining capabilities, is delivered to the target to act as a decoy. The 'cheats.exe' file, on the other hand, is the agent that finally fetches and deploys the main component of IceRAT Malware, klient.exe. The file is dropped in three separate locations:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\.<name>.exe
  • c:\Windows\Temp\.<name>.exe
  • d:\Windows\Temp\<name>.exe
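The three drop locations above are a useful hunting signal on their own: a dot-prefixed executable in the user's Startup folder or in Windows\Temp is unusual for legitimate software. The following Python script is an added example written for this page, not code from the original report or from any analysis tooling; it classifies a list of file paths (the sample paths, including the file names, are constructed for demonstration) against those patterns and works on path strings only, so it can be run against an inventory exported from endpoint telemetry without touching the file system.

```python
"""Flag executables found at the IceRAT drop locations described above.

Matches two patterns taken from the report:
  * a dot-prefixed .exe inside ...\\Microsoft\\Windows\\Start Menu\\Programs\\Startup
  * any .exe directly inside <drive>:\\Windows\\Temp (dot-prefixed or not)
Works on path strings, so it runs offline on an exported file inventory.
"""
import re
from pathlib import PureWindowsPath

# Tail of the per-user Startup folder path, compared case-insensitively.
STARTUP_SUFFIX = ("microsoft", "windows", "start menu", "programs", "startup")


def is_startup_dir(parts):
    """True if the directory components end with the Startup folder tail."""
    lowered = tuple(p.lower() for p in parts)
    return lowered[-len(STARTUP_SUFFIX):] == STARTUP_SUFFIX


def is_windows_temp_dir(parts):
    """True for <drive>:\\Windows\\Temp on any drive letter, and nothing deeper."""
    lowered = [p.lower() for p in parts]
    return (len(lowered) == 3
            and re.fullmatch(r"[a-z]:\\", lowered[0]) is not None
            and lowered[1] == "windows"
            and lowered[2] == "temp")


def classify(path_str):
    """Return a reason string if the path matches a drop pattern, else None."""
    path = PureWindowsPath(path_str)
    if path.suffix.lower() != ".exe":
        return None
    hidden = path.name.startswith(".")   # Unix-style "hidden" name, odd on Windows
    parent = path.parent.parts
    if is_startup_dir(parent) and hidden:
        return "dot-prefixed executable in Startup folder"
    if is_windows_temp_dir(parent):
        return ("dot-prefixed executable in Windows\\Temp" if hidden
                else "executable in Windows\\Temp")
    return None


def find_suspicious_drops(paths):
    """Return (path, reason) pairs for every path that matches a pattern."""
    hits = []
    for p in paths:
        reason = classify(p)
        if reason:
            hits.append((p, reason))
    return hits


# Constructed sample inventory (hypothetical user and file names).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.klient.exe",
    r"c:\Windows\Temp\.klient.exe",
    r"d:\Windows\Temp\klient.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk",
    r"C:\Windows\Temp\report.txt",
    r"C:\Users\alice\Downloads\.hidden.exe",
    r"C:\Windows\Temp\sub\tool.exe",
]

if __name__ == "__main__":
    for path, reason in find_suspicious_drops(SAMPLE_PATHS):
        print(f"{reason}: {path}")
```

The match is deliberately narrow (file name and directory only) so it produces few false positives; in practice you would feed it the output of a file-listing query from your EDR rather than the constructed list.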

IceRAT establishes a connection with its Command-and-Control infrastructure and, if successful, proceeds to fetch a multitude of additional malware modules. It deploys a collector capable of harvesting credentials from a range of Web browsers and clients: Chrome, Firefox, Chromium, Yandex, Filezilla, Amigo, kometa, K-Melon, and Orbitum. The threat delivers a crypto-miner by first fetching a coinminer downloader onto the target. An additional component is started to establish a communication channel with the threat actor via Telegram.

While several of IceRAT's threatening components are written in more common programming languages and can easily be picked up by anti-malware solutions, the main module's exotic JPHP language results in extremely low detection rates.
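Because signature coverage for .phb files is so thin, a cheap compensating control is to inspect Java archives for JPHP bytecode entries and route any that contain them to manual review or sandboxing. The script below is an added example for this page, not code from the original report or from the JPHP project; it builds a small in-memory archive with constructed entry names (the `app/main.phb` and `lib/helper.phb` paths are hypothetical) purely to exercise the check, then reports whether the archive carries .phb entries alongside or instead of ordinary .class files.

```python
"""Flag Java archives that contain JPHP .phb bytecode entries.

JPHP compiles PHP to .phb files packaged in a JAR (a ZIP container), so the
presence of such entries is a strong hint that a JAR is JPHP-based and may
fall outside what most anti-malware engines can inspect.
"""
import io
import zipfile


def build_sample_jar(with_phb=True):
    """Constructed sample JAR for demonstration (placeholder bytes, not real code)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\nMain-Class: app.Main\n")
        # Minimal stand-in for a class file: the CAFEBABE magic plus padding.
        zf.writestr("app/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
        if with_phb:
            # Hypothetical entry names; real JPHP layouts may differ.
            zf.writestr("app/main.phb", b"\x00placeholder-phb")
            zf.writestr("lib/helper.phb", b"\x00placeholder-phb")
    return buf.getvalue()


def jphp_indicators(archive_bytes):
    """Inspect a ZIP/JAR byte string and summarise JPHP-related indicators.

    Returns a dict with:
      is_zip         - whether the bytes parse as a ZIP container
      phb_entries    - list of entry names ending in .phb
      class_count    - number of ordinary .class entries
      jphp_suspected - True when at least one .phb entry is present
    """
    result = {"is_zip": False, "phb_entries": [], "class_count": 0,
              "jphp_suspected": False}
    # A non-empty ZIP starts with a local file header signature.
    if not archive_bytes.startswith(b"PK\x03\x04"):
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["is_zip"] = True
    result["phb_entries"] = [n for n in names if n.lower().endswith(".phb")]
    result["class_count"] = sum(1 for n in names if n.lower().endswith(".class"))
    result["jphp_suspected"] = bool(result["phb_entries"])
    return result


if __name__ == "__main__":
    for label, data in (("jphp-like", build_sample_jar(True)),
                        ("plain", build_sample_jar(False))):
        info = jphp_indicators(data)
        print(label, "->", "JPHP suspected" if info["jphp_suspected"] else "no .phb",
              info["phb_entries"], "classes:", info["class_count"])
```

The check is an indicator, not a verdict: legitimate JPHP applications exist, so a hit should trigger closer inspection (hashing the .phb entries, checking where the JAR came from and what launched it) rather than an automatic block.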