Targeted Attacks Delivering Fruit

Contributor: Lionel Payet

Political news has always been one of the top topics used in targeted attacks. Last week we came across unique malicious emails targeting high-profile companies in Europe and Asia (in sectors such as finance, mining, telecom, and government). The payload is an updated version of a Java remote access tool (RAT) detected as Backdoor.Opsiness, also known as Frutas RAT.


Figure 1. Frutas RAT logo

Frutas RAT is not new and has been around for quite some time now. Back in February we released a blog post about it: Cross-Platform Frutas RAT Builder and Back Door.

The crafted emails used in this campaign contain two files – the first one is a decoy (.pdf) and the second is the actual threat (.jar). Sample email subject lines used include:

  • Subject: Obama Releases Three Declassified Spying Docs
  • Subject: U.S. Consul General Hart Arrives in Hong Kong
  • Subject: UK-Northern Ireland-Japan InfoSec Agreement


Figure 2. Example email
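As an added defender-side illustration (not part of the original post or of Symantec's analysis), the following Python snippet parses an e-mail and flags the attachment pattern described above: a Java archive (.jar) delivered alongside a decoy PDF. The sample message, its addresses and attachment contents are constructed for the example and are not from the campaign.

```python
"""Flag e-mails that carry a .jar attachment, and note whether a decoy PDF
accompanies it, mirroring the two-file lure described in the post."""
import email
from email import policy
from email.message import EmailMessage

# MIME types commonly used for Java archives
JAVA_MIME = {"application/java-archive", "application/x-java-archive"}


def attachments(msg):
    """Return (filename, content_type, payload_bytes) for every attachment part."""
    found = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" or part.get_filename():
            found.append((part.get_filename() or "",
                          part.get_content_type(),
                          part.get_payload(decode=True) or b""))
    return found


def is_jar(name, ctype, data):
    """A .jar is a ZIP container: check extension, MIME type and ZIP magic."""
    return (name.lower().endswith(".jar") or ctype in JAVA_MIME
            or (data[:2] == b"PK" and b"META-INF/" in data))


def assess(raw_eml: bytes) -> dict:
    """Describe why a message is suspicious; empty dict means no .jar found."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    atts = attachments(msg)
    jars = [n for n, c, d in atts if is_jar(n, c, d)]
    pdfs = [n for n, c, d in atts
            if n.lower().endswith(".pdf") or c == "application/pdf"]
    if not jars:
        return {}
    return {"subject": str(msg["subject"]), "jar": jars,
            "decoy_pdf": pdfs, "decoy_pattern": bool(pdfs)}


def build_sample() -> bytes:
    """Constructed message imitating the lure layout (not a real capture)."""
    m = EmailMessage()
    m["Subject"] = "Obama Releases Three Declassified Spying Docs"
    m["From"] = "sender@example.invalid"   # placeholder address
    m["To"] = "analyst@example.invalid"    # placeholder address
    m.set_content("Please see the attached documents.")
    m.add_attachment(b"%PDF-1.4 decoy", maintype="application",
                     subtype="pdf", filename="docs.pdf")
    m.add_attachment(b"PK\x03\x04..META-INF/MANIFEST.MF", maintype="application",
                     subtype="octet-stream", filename="docs.jar")
    return m.as_bytes()
```

Running assess() over a mail gateway's quarantined messages lets an analyst triage on the decoy_pattern flag rather than on subject lines, which change from campaign to campaign.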

If the social engineering is successful and the .jar file is executed, it will gather the following information from the compromised computer and connect to a command-and-control (C&C) server:

  • MAC and IP address
  • User name
  • Country the computer is located in
  • Operating system information (name, version, architecture)
  • Java Runtime version

Looking at its functionality, Backdoor.Opsiness could be considered reconnaissance malware for future targeted attacks. While it is not widespread, we are seeing a growing trend in its use in several targeted attacks.


Figure 3. Distribution of targeted attacks per country

We advise users to keep their antivirus definitions, operating system, and software up-to-date. Users should also avoid opening emails from unknown senders and avoid clicking on suspicious email attachments.