When threat actors bundle two or more malware families in one campaign, they gain broader capabilities. Cofense Intelligence™ recently analyzed a phishing campaign delivering both jRAT and H-Worm remote access trojans. jRAT, aka the Java Remote Access Trojan, has the primary role of remotely controlling a victim’s machine. H-Worm, also known as Houdini Worm, operates as a remote access trojan but has worm-like capabilities, such as propagating itself on removable devices like a USB.
Using a generic phishing lure pertaining to an invoice, the email below contains two attached .zip archives: one with a VBScript application and the other a .jar Java application.
Figure 1: Phishing lure delivering jRAT and H-Worm
While the .jar file is a sample of jRAT, it also drops a copy of H-Worm on the infected machine. The VBScript file is tasked with downloading a Java Runtime Environment (JRE), if it is not already on the machine, which allows the .jar file to run. This VBScript file is a sample of H-Worm. The delivery is unusual compared to older analyses of H-Worm with jRAT, which typically consists of a single payload used to facilitate the infection of both H-Worm and jRAT (and sometimes H-Worm with other malware families).
Two RATs, One Infection
Disseminating two similarly functioning malware families in a single infection is not a new tactic. Threat actors do this to exfiltrate more valuable information and to carry out additional tasks that support further infection or monetization. Some of the functions and capabilities of H-Worm and jRAT are shown below.
Figure 2: Distinct functions and similarities of H-Worm and jRAT
Each remote access trojan serves a specific purpose, such as keylogging, monitoring audio or video, or modifying the registry. At the end of the day, the specific malware or number of malware families used in a single infection cycle does not matter to the threat actor as long as there is a better chance for a successful infection. In the end, all that matters to the threat actors is if they were able to exfiltrate the information they seek.
However, for many attackers, the outcome of a successful infection also relies upon the successful delivery of a phishing email. Threat actors will continue to develop new tactics, techniques, and procedures (TTPs) to lure their intended targets. The first step to avoid an infection like the one above is to recognize and report suspicious messages. Educating computer users to identify suspicious emails can help your organization stop an attack on your infrastructure.
Learn how Cofense PhishMeTM conditions users to recognize active phishing threats.
All third-party trademarks referenced by Cofense™ whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks.