JhoneRAT Description

The JhoneRAT is an impressive RAT (Remote Access Trojan) whose activity has spiked recently. After studying this threat, malware analysts concluded that it has likely been built from the ground up. This is not unusual, but many authors of RATs prefer to borrow the code of existing threats instead of building a tool from scratch. According to the experts, the JhoneRAT is written in the Python programming language.

Propagation Method

The JhoneRAT is being distributed with the help of spam email campaigns. This is a very popular propagation method when it comes to spreading malware. Usually, the spam emails would contain a corrupted attached file. This is the case with the JhoneRAT too. The attachments used in the propagation of the JhoneRAThave two types – one claims to be an important document that has to be opened urgently, while the other states that it is an archive containing Facebook login credentials that have been leaked. If the users fall for this trick an open the attached file, they will trigger the execution of the next step of JhoneRAT’s attack.

Avoids Detection by Anti-Malware Tools

The authors of the JhoneRAT use a very clever trick to mask the unsafe activity of this threat. Upon compromising the targeted system, the JhoneRAT would also download another Microsoft Office document that is hosted on Google Drive. Once downloaded, the document will be launched on the system. The attackers have made sure that using third-party applications (like Google Drive) is prioritized. This helps the authors of this RAT to disguise the activity of the threat and trick security tools into listing it as legitimate.

Self-Preservation Techniques

The additional document that the JhoneRAT fetches from Google Drive carries a module that is capable of scanning the infiltrated system for the presence of a hard drive serial number as computers that are utilized for malware debugging often lack such. This means that the JhoneRAT is able to detect whether it is being run in a sandbox environment or a regular computer. If the scan determines that the system is not used for malware debugging, the JhoneRAT will proceed with the attack and fetch an image from Google Drive.

Targets Users from the Middle East and North Africa

The image that the JhoneRAT would download contains a masked string that is encoded with base64. Next, the JhoneRAT would decode the string in question and extract it as an AutoIT script. This script serves as a downloader whose goal is to grab the last payload hosted on Google Drive. Next, the JhoneRAT would proceed with the attack by checking the keyboard the victim is using. The JhoneRAT will only continue the campaign if it detects that the victim is using a keyboard that is typical for Iraq, Saudi Arabia, Libya, Kuwait, Lebanon, UAE, Morocco, Tunisia, Oman, Egypt, Bahrain, Yemen or Algeria.

Interestingly enough, the JhoneRAT receives commands via a Twitter profile. This threat would connect to the Twitter account in question and run through all of its most recent tweets. According to cybersecurity researchers, the JhoneRAT’s creators tweet out commands that are intercepted by the RAT and executed accordingly. Twitter has since waved the account in question. Unfortunately, the authors of the JhoneRAT can create a new Twitter account and continue their campaign easily.


The JhoneRAT relies on third-party applications to execute its commands. This threat can take screenshots of the victim’s desktop and active windows. The data is then transferred to an image hosting service called ImgBB. The attackers also can command the JhoneRAT to download and execute additional payloads from Google Drive. The authors of the JhoneRAT also can use it to execute a system command. The output recorded as a response is placed in a Google Forms document that is private and thus accessible only to the attackers.

Despite the relatively short list of capabilities that the JhoneRAT possesses, the fact that this threat can mask its made-up traffic using legitimate services makes it rather threatening because anti-virus tools may not be able to spot it. It is likely that the authors of the JhoneRAT are very experienced and highly-skilled.