IceRat evades antivirus by running PHP on Java VM

[harlan4096]

IceRat keeps low detections rates for weeks by using an unusual language implementation: JPHP. But there are more reasons than the choice of the compiler.

This article explores IceRat and explains a way to analyze JPHP malware.

Discovery of IceRat

User McMcbrad of the Malwaretips.com forums discovered the first IceRat samples [5][7]. The malware caught his interest due to the low detection rates on VirusTotal for most related samples. At the time of discovery only 2 to 3 engines showed a detection despite the samples being a month old.

Static analysis reveals that most components of IceRat are written in JPHP. This is a PHP implementation that runs on the Java VM. This implementation uses .phb files instead of Java .class files -- a file type that, as I suspect, is not commonly supported by antivirus products. So far I haven't heard or found any other malware that uses JPHP which partially explains the low detection rates on VirusTotal.

The name IceRat is based on the module name of an older sample[11] that McMcbrad found.

Decompiling JPHP

There don't seem to be any tools to decompile JPHP code yet. But JPHP has to produce Java Bytecode in order to run in the Java VM. So decompilation to Java code is possible.

Unpacking the executable[5] with 7zip reveals the following structure.

As I noticed after looking at several JPHP samples, the entrypoint for the main JPHP code is under .system\application.conf (see picture below). So for our klient.exe sample[5] the main code resides in app\forms\rqfdeqwf.phb.

The .phb files contain the 0xCAFEBABE magic bytes for Java .class files somewhere down below. Removing the first part of the file excluding the magic bytes makes it possible to decompile these files into Java code with, e.g., Fernflower. The right side of the picture below shows how the file should look like after modification.The decompiled code is still hard to read. As a first step I restored the strings. All of them are in an array called $MEM. Replacing the array access $MEM[X] with the actual value in the array will improve readability of the code. I achieved this with a python snippet.

As a second step I replaced methods like assign and concat with operators. E.g., this can be done using regex and capture groups. See table below for replacements. The replacement for one operator must be done several times until all nested calls are replaced. The order must be preserved.

All analysed JPHP samples in this article can be decompiled to Java in the same fashion.

There is still room for improvement but after the replacements the resulting code is readable without pain.

Infection chain and components

IceRat consists of several small components instead of putting all functionality into one file. As a result most of these files may not attract any attention if their context is missing. E.g., a downloader is only malicious if the downloaded file is malware. If information about the downloaded file is missing and cannot be inferred, there is no reason to detect the downloader as malware.

The chain of infection and related files is in the graphic below. White boxes show non-malicious files. At least four of these files are JPHP EXE files, namely cheats.exe[4], 1.exe[12], klient.exe[5] and klip.exe[7]. The main component of IceRat is klient.exe[5].

According to McMcbrad the first IceRat sample came from a malicious document for which he didn't keep a hash or file. The first part of the chain that I could find is Browes.exe[1] which may have been distributed as trojanized software download for CryptoTab. Browes.exe is a selfextracting WinRAR archive that drops and executes the Windows Cabinet file 1.exe[2].

The Windows Cabinet file is also a dropper for two more files, namely a non-malicious setup[3] for CryptoTab software, and a malware downloader named cheats.exe[4]. CryptoTab is a browser with mining features, but its installation is not silent. The affected user will see the browser setup window (see image below) which is why I assume CryptoTab is provided as a lure. To summarize: The infection chain starts with a downloader in a trojanized dropper in a dropper.
...

Continue Reading