

October 20, 2017

JadeRAT mobile surveillanceware spikes in espionage activity

By Michael Flossman

Lookout researchers are monitoring the evolution of an Android surveillanceware family known as JadeRAT, which we believe may be connected to a government-sponsored APT group.

Emerging in 2015 and becoming increasingly active, JadeRAT provides its operators with a significant degree of control over a compromised device and supports over 60 commands that are focused on retrieving sensitive information and profiling victims.
All Lookout customers are protected from this threat.

JadeRAT is just one example of the numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Some of these active families have included FrozenCell, an attack against government officials in Palestine; xRAT, associated with a family targeting Hong Kong protestors; and ViperRAT, an attack targeting members of the Israeli Defense Force. Research into those families suggests they are highly targeted; however, we've also seen more wide-reaching spyware such as SonicSpy, which was discovered in thousands of malicious apps, some of which made their way into the Google Play Store.

Potential attribution

Based on the apps we've seen JadeRAT trojanize, it appears the actors behind it are primarily targeting groups and individuals in China. While our analysis has identified several possible leads that could tie this surveillanceware family to the Naikon APT, Scarlet Mimic, or one of several other groups operating in the region, at this point in time we do not have conclusive evidence to confirm this. Our findings do support the theory that the actor behind JadeRAT is operating around a similar set of objectives to those followed by other Chinese government sponsored groups. We're hoping that by sharing this information it will increase awareness about the rise in targeted surveillance attacks against mobile devices and provide further leads to the research community investigating actors operating in this region.

JadeRAT samples

[Figure: JadeRAT test releases chart]

There is a strong indication that the actor behind this family is becoming increasingly active in the mobile space. As of June 2017, we have acquired 34 JadeRAT samples, 50 percent of which were acquired just this year. Looking at hard coded configuration details, we were able to determine which samples are likely production releases and which are used for internal testing. This shows that the majority of production samples were released this year.

JadeRAT sample names have remained fairly consistent. The apps SIM卡管理 (SIM Card Management), 手机管家 (Phone Guardian), and Google Searcher are the most popular observed titles. Others have included Uyghur, 170602, Telegram, and Voxer, indicating the actor is impersonating communication apps and may be running some campaigns targeting ethnic minorities in China, given the Uyghur reference.

JadeRAT supports over 60 commands that can be issued in the format !<command_id>&<optional_cmd_params>@. Many of these offer the standard information-gathering functionality seen in typical mobile surveillanceware; however, JadeRAT also supports several less common capabilities. These include notifying an operator via SMS when a device has booted and silently dropping calls and texts to attacker-specified numbers. The following are JadeRAT's core capabilities:

Get a list of running processes
Get the name of the foreground task
Get active services
Retrieve device location
Retrieve contacts, accounts, call logs, text messages
Kill a specific process
Retrieve location data that has been periodically collected
List the contents of a specific directory
Download / upload / delete a specified file
Recursively search a directory on a victim's device for a specific filename
Use ZipUtils to compress a specific file, placing the compressed output in /sdcard/.temp
Exfiltrate MicroMsg and QQ media files and chat databases
Check for root access
Retrieve Wi-Fi access points and their corresponding passwords
Configure call recording to occur if a call is made to a specified number
Alert a 'secure phone' that a victim's device is now online
Record audio at a specific time for a set duration
Start / stop audio recording / set to record based on calls to certain numbers
Attempt to call an attacker-specified number
Silently drop calls and SMSes to specific numbers
Enable / disable Wi-Fi
Enable / disable mobile data
Enable / disable GPS
Delete all SMSes, call logs, contacts, and content on the SD card
Execute arbitrary commands if root
Take a screenshot
Shutdown / reboot device

[Figure: JadeRAT code snippet]

As JadeRAT simply opens a socket to a specified address and uses a very basic instruction format without any authentication, its capabilities can be tested by redirecting traffic from a compromised device to an analysis machine running netcat.
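The same unauthenticated framing described above can be recognised on the wire by a network sensor or in a packet capture. The following is an added example written for this post and is not Lookout's or JadeRAT's own code: it extracts complete !<command_id>&<params>@ frames from a captured TCP payload, keeps any truncated trailing frame for re-assembly, and flags a stream that carries two or more well-formed frames. It assumes that command ids are decimal integers and that the & separator is absent when no parameters are sent; the command ids in the constructed sample are placeholders, not JadeRAT's real ids.

```python
import re
from typing import List, Optional, Tuple

# Framing from the article: "!<command_id>&<optional_cmd_params>@".
# Assumption: with no parameters the frame is just "!<command_id>@",
# and command ids are decimal integers (not confirmed by the article).
FRAME_RE = re.compile(rb"!(?P<cmd>\d+)(?:&(?P<params>[^@]*))?@")


def extract_frames(payload: bytes) -> List[Tuple[int, Optional[str]]]:
    """Return (command_id, params) for every complete frame in a payload.

    A trailing frame without its closing '@' is ignored here; see
    pending_tail() for the bytes a sensor should keep buffered.
    """
    frames = []
    for m in FRAME_RE.finditer(payload):
        raw = m.group("params")
        params = raw.decode("utf-8", "replace") if raw is not None else None
        frames.append((int(m.group("cmd")), params))
    return frames


def pending_tail(payload: bytes) -> bytes:
    """Bytes after the last complete frame, starting at the next '!'.

    This is the partial frame to prepend to the next TCP segment.
    """
    last_end = None
    for m in FRAME_RE.finditer(payload):
        last_end = m.end()
    tail = payload if last_end is None else payload[last_end:]
    start = tail.find(b"!")
    return b"" if start < 0 else tail[start:]


def looks_like_jaderat_stream(payload: bytes, min_frames: int = 2) -> bool:
    """Sensor heuristic: at least min_frames well-formed frames in one payload."""
    return len(extract_frames(payload)) >= min_frames


# Constructed sample payload (placeholder ids): two complete frames followed
# by a third frame cut off mid-segment.
SAMPLE = b"!12&/sdcard/Download@!7@!19&ab"

if __name__ == "__main__":
    print(extract_frames(SAMPLE))      # [(12, '/sdcard/Download'), (7, None)]
    print(pending_tail(SAMPLE))        # b'!19&ab'
    print(looks_like_jaderat_stream(SAMPLE))  # True
```

Because the framing carries no authentication or encryption, the same parser also works on traffic redirected to an analysis machine, as the post describes.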

Infrastructure

JadeRAT's operators have consistently changed their infrastructure. Production releases rarely reuse domains or IP addresses, frequently use dynamic DNS, and communicate on various non-standard ports. JadeRAT is configured to send SMS messages to an attacker-specified phone number when the compromised device first comes online; however, these have only been pre-configured in three of the most recently observed samples. We extracted the following phone numbers from samples acquired during April 2017:

Number | Region | Operator | Brand
18395610195 | Shijiazhuang City, Hebei Province | China Mobile Communications Corporation | Global pass, M-Zone, Shenzhou line, G3
18633666566 | Handan City, Hebei Province | China United Network Communications Group Co., Ltd | Unknown
13910674787 | Beijing | China Mobile Communications Corporation | Global pass, M-Zone, Shenzhou line, G3

Though these phone numbers are only associated with a limited number of samples, all samples come configured with specific infrastructure to which they communicate. Below are the observed domains and external IP addresses, together with the port each sample was configured to use.


[Figure: JadeRAT connections]

Lookout is continuing to track JadeRAT and its associated infrastructure closely as we anticipate this family will only continue to grow.

Want to learn more about threats like JadeRAT and our Threat Advisory services? Contact Lookout today.

SHA-1s

All these indicators have been added to AlienVault under the JadeRAT pulse.


Author

Michael Flossman,
Security Research Services Tech Lead
