- Apr 9, 2020
I wrote this article based on @McMcbrad's sample
IceRat keeps low detection rates for weeks by using an unusual language implementation: JPHP. But there are more reasons for this than the choice of compiler. This article explores IceRat and explains a way to analyze JPHP malware.
User McMcbrad of the malwaretips.com forums discovered the first IceRat samples. The malware caught his interest because of the low detection rates on VirusTotal for most related samples. At the time of discovery, only 2 to 3 engines showed a detection despite the samples being a month old.
Static analysis reveals that most components of IceRat are written in JPHP, a PHP implementation that runs on the Java VM. JPHP compiles to .phb files instead of Java .class files -- a file type that, as I suspect, is not commonly supported by antivirus products. So far I haven't heard of or found any other malware that uses JPHP, which partially explains the low detection rates on VirusTotal.
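A quick triage check that follows from this observation, added here as an example and not code from the original article: inventory a JAR archive for .phb entries (the JPHP artefact) next to ordinary .class files and read the manifest's Main-Class. The sample archive, its entry names and the `example.Launcher` main class are constructed for the demonstration, not taken from a real IceRat sample.

```python
import io
import zipfile


def build_sample_jar(with_phb: bool = True) -> bytes:
    """Construct a tiny JAR-like zip in memory (demonstration data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    "Manifest-Version: 1.0\r\nMain-Class: example.Launcher\r\n")
        # Minimal stand-in for a Java class file (0xCAFEBABE magic, dummy body).
        zf.writestr("example/Launcher.class", b"\xca\xfe\xba\xbe" + b"\x00" * 8)
        if with_phb:
            # JPHP ships compiled PHP as .phb entries instead of .class files.
            zf.writestr("app/Main.phb", b"constructed phb bytes")
            zf.writestr("app/Util.phb", b"constructed phb bytes")
    return buf.getvalue()


def triage_jar(data: bytes) -> dict:
    """Count .class vs .phb entries, pull Main-Class from the manifest, flag JPHP usage."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        phb = sorted(n for n in names if n.lower().endswith(".phb"))
        classes = [n for n in names if n.lower().endswith(".class")]
        main_class = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Main-Class:"):
                    main_class = line.split(":", 1)[1].strip()
    return {
        "main_class": main_class,
        "class_entries": len(classes),
        "phb_entries": phb,
        # Any .phb entry is a strong hint the payload is JPHP-compiled code,
        # which is worth flagging even when AV engines report nothing.
        "likely_jphp": bool(phb),
    }


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
```

To run it against a real file, pass `open(path, "rb").read()` to `triage_jar`; the `.phb` list is the thing to look at first.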