Someone decompiled the jar at https://bitbucket.org/indistic/rat/src
It's a trojan that turns your machine into a bot.
From what I see from the source code...
It connects to a remote server, logins with the credentials that are in its config.xml
Then it waits for orders.
There are several commands. You can see in the options folder.
- pop up some message window
- execute arbitrary system commands,
- execute code that it sends to you,
- upload a plugin, i.e. new code to enhance its functionality
- browse to a url
- upload a screenshot
Yeah ... it's pretty bad.
--h
Topic: Beware! MultiPlatform Malware Try To Steal Your Wallet (Read 3607 times)
Wait - let me get this straight - you got an email with an executable attachment - and you ran it?
Um.
*walks away from computer*
Um.
*walks away from computer*
And.....
Then goes on to say "I use GNU/Linux and even GNU/Linux are vulnerable!"
It's unrecom aka adwind rat.
"I downloaded and run the attachment ...."
there i stopped reading.
there i stopped reading.
I've gotten emails like this too, only it hasn't been anything to do with Bitcoin (so far). I'm sorry you had to learn this lesson the hard way. This is why I don't like downloading anything that has a .tar.gz, .RAR or .EXE extension unless it's from the official website and I know exactly what it's supposed to do. If you just get an email from somebody claiming to be a service you use out of the blue, open another tab on your browser and go DIRECTLY to the official website so you can see what's really going on.
I did not want to ask.
I wanted to run in a VM under ubuntu on a newly formatted laptop without personal data. I wanted to analyze it, do some network captures and putting infected files on my VM. But I read "this RAT actually checks if virtualbox is installed and running, and exits if it is. So it tries to evade analysis That Way." and do not understand what this means.
As I can analyze it?
Any tool?
I wanted to run in a VM under ubuntu on a newly formatted laptop without personal data. I wanted to analyze it, do some network captures and putting infected files on my VM. But I read "this RAT actually checks if virtualbox is installed and running, and exits if it is. So it tries to evade analysis That Way." and do not understand what this means.
As I can analyze it?
Any tool?
You need to install Java Runtime Enviroment on your Virtual Machine. This RAT will not work without Java Runtime Enviroment.
more information can be found here www.reddit.com/r/ReverseEngineering/comments/2291z8/how_badly_did_i_get_owned/
can i open it in a VM to see what happens?
?
?If you need to ask...
NO!
Really, when analysing malware, if you don't know exactly what you're doing and that you're doing it safely, don't do it at all!
Onkel Paul
I did not want to ask.
I wanted to run in a VM under ubuntu on a newly formatted laptop without personal data. I wanted to analyze it, do some network captures and putting infected files on my VM. But I read "this RAT actually checks if virtualbox is installed and running, and exits if it is. So it tries to evade analysis That Way." and do not understand what this means.
As I can analyze it?
Any tool?
can i open it in a VM to see what happens??
?If you need to ask...
NO!
Really, when analysing malware, if you don't know exactly what you're doing and that you're doing it safely, don't do it at all!
Onkel Paul
can i open it in a VM to see what happens??
?
Java disassembler doesn't help much, because this malware is obfuscated by Allatori (a java obfuscator).
Some interesting discussions are going on here:
http://forum.blockland.us/index.php?topic=261243.msg7644049#msg7644049
Some interesting discussions are going on here:
http://forum.blockland.us/index.php?topic=261243.msg7644049#msg7644049
I got an email titled "OKCoin Invoice" today with the same malware attached. It seems the malware is being widely spread.
Tried on Windows 8.1
On Windows 8.1 The JAR file Run on single double-click without any warnings. No need to mark it as executable first. Anti Virus also doesn't show any warnings. I use Panda Internet Security 2014, latest update and no warning at all.
The malware installed itself on this Directory
Using Super Hidden Attribute, you can't see the file. Even you will not find FolrderName folder if you don't reveal it using attrib -s -h /s /d command. Turning on show hidden items doesn't reveal the malware.
The malware start itself up when infected user log in. You can view it on Task Manager under Start-up Tab, there is Java there.
Also the malware create a directory in C:\Users\<username>\.RsPJzZlzez
To manually remove, disable the start-up process and Delete that hidden folder (you have to use attrib -s -h /s /d command to reveal it)
On Windows 8.1 The JAR file Run on single double-click without any warnings. No need to mark it as executable first. Anti Virus also doesn't show any warnings. I use Panda Internet Security 2014, latest update and no warning at all.
The malware installed itself on this Directory
Using Super Hidden Attribute, you can't see the file. Even you will not find FolrderName folder if you don't reveal it using attrib -s -h /s /d command. Turning on show hidden items doesn't reveal the malware.
The malware start itself up when infected user log in. You can view it on Task Manager under Start-up Tab, there is Java there.
Also the malware create a directory in C:\Users\<username>\.RsPJzZlzez
To manually remove, disable the start-up process and Delete that hidden folder (you have to use attrib -s -h /s /d command to reveal it)
I have been away since my last (failed traiding > left bitcoins untouched till they were worth millions > decided they were safe in mtgox > lost em all)
Leaving that behind, i just got an email from "[email protected]" saying:
Attached it has a file named "invoice_btc487744.jar
Since i no longer mine, and i have not been on that pool for ages, i knew i had no btc there.
Then again, a .jar CANOT bean invoice
Leaving that behind, i just got an email from "[email protected]" saying:
Quote
Dear User
Successful authorization.
0.758484 BTC Has been Send To another account
To show invoice , Download From Attach
Regards,
Administration of btcguild.com
Successful authorization.
0.758484 BTC Has been Send To another account
To show invoice , Download From Attach
Regards,
Administration of btcguild.com
Attached it has a file named "invoice_btc487744.jar
Since i no longer mine, and i have not been on that pool for ages, i knew i had no btc there.
Then again, a .jar CANOT bean invoice
May I have the JAR file? Probably the same malware as I have.
I also found a hidden folder RsPJzZlzez that contains three binary file. I open it using Hex Editor and found strings like wallet.dat, multibit.wallet. Even DogeCoin and many other alt coin are targeted.
____________
How to steal from web wallet? Phishing site
How to steal from desktop wallet? Trojan horse
I have been away since my last (failed traiding > left bitcoins untouched till they were worth millions > decided they were safe in mtgox > lost em all)
Leaving that behind, i just got an email from "[email protected]" saying:
Attached it has a file named "invoice_btc487744.jar
Since i no longer mine, and i have not been on that pool for ages, i knew i had no btc there.
Then again, a .jar CANOT bean invoice
Leaving that behind, i just got an email from "[email protected]" saying:
Quote
Dear User
Successful authorization.
0.758484 BTC Has been Send To another account
To show invoice , Download From Attach
Regards,
Administration of btcguild.com
Successful authorization.
0.758484 BTC Has been Send To another account
To show invoice , Download From Attach
Regards,
Administration of btcguild.com
Attached it has a file named "invoice_btc487744.jar
Since i no longer mine, and i have not been on that pool for ages, i knew i had no btc there.
Then again, a .jar CANOT bean invoice
I am n00b in programming. Could anyone who understand Java tell me what the malware does?
On Windows XP it Run on Single double-click without any warning.
It install itself on C:\Document and Settings\<username>\Application Data\FolrderName with supper hidden attribute. And Automatically run on startup using System Configuration Utility (msconfig).
It install itself on C:\Document and Settings\<username>\Application Data\FolrderName with supper hidden attribute. And Automatically run on startup using System Configuration Utility (msconfig).
Wait - let me get this straight - you got an email with an executable attachment - and you ran it?
Um.
*walks away from computer*
No. He got an email with attachment. He saved the attachment and changed the saved .jar file permissions to 'executable'. Then he ran the file.Um.
*walks away from computer*
What more to say...
Wait - let me get this straight - you got an email with an executable attachment - and you ran it?
Um.
*walks away from computer*
Um.
*walks away from computer*
Thank you for pointing out, it could be key-logger, most probably.
Kindly, use sandbox before playing with any suspicious file.
Kindly, use sandbox before playing with any suspicious file.
Jump to: