News

Java Remote Access Tool Used In PRISM Phishing Attack Targeting Gov't Workers

• By John K. Waters
• July 10, 2013

An attack campaign focused on government agencies is employing phishing e-mails to deliver a malicious payload containing a Java Remote Access Tool (RAT) called jRAT, Symantec's Andrea Lelli has disclosed.

RAT is a Java applet that, when downloaded, can provide full control of a compromised computer to a remote attacker.

The phishing e-mails claim to be about the U.S. National Security Agency's (NSA's) PRISM surveillance program; the subject header reads: "Obama's Data Harvesting Program and PRISM." They include three attachments: two non-malicious PDFs and one titled "US National Security State" containing the malicious code.

"As we all know, cybercriminals tend to use recent hot media topics to entice users," Lelli wrote. "In the case of this campaign they are using the recent news coverage surrounding the NSA surveillance program PRISM."

Lelli said the new attack employs a modified version of malware used in a previous attack, which Symantec identified as Bloodhound.Exploit.457. This version is available for free, and Symantec detects it as Backdoor.Jeetrat. This new attack has been simplified, he said, and importantly, does not involve the use of an exploit or executable shellcode/payload, but instead simply uses the Java applet.

"Nonetheless, it is no less dangerous than the older attacks," Lelli wrote, "and it can spread more easily since exploits are usually limited to work on specific versions of the vulnerable software and operating system, while this RAT can spread on any system where Java runtime is installed. In fact, not only has the attack been simplified, but it has also become more stable and more virulent, it is a big upgrade."

And that means attackers can target Windows, Linux, Mac OS X, FreeBSD, OpenBSD and Solaris. Lelli reports that his company has yet to observe the threat working on all of these operating systems. But this particular threat has a builder tool that makes it possible to build your own customized versions of the RAT, he added.

This spear-phishing campaign is reportedly targeting government workers in the U.S., Canada, Australia, some European countries and the Russian Federation.