IceRat evades antivirus by using JPHP

struppigel

struppigel

Super Moderator
Thread author
Verified
Staff Member
Well-known
Apr 9, 2020
667
Content source
https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp
I wrote this article based on @McMcbrad sample ;)

IceRat keeps low detections rates for weeks by using an unusual language implementation: JPHP. But there are more reasons than the choice of the compiler. This article explores IceRat and explains a way to analyze JPHP malware.

User McMcbrad of the malwaretips.com forums discovered the first IceRat samples[5][7]. The malware caught his interest due to the low detection rates on VirusTotal for most related samples. At the time of discovery only 2 to 3 engines showed a detection despite the samples being a month old.

Static analysis reveals that most components of IceRat are written in JPHP. This is a PHP implementation that runs on the Java VM. This implementation uses .phb files instead of Java .class files -- a file type that, as I suspect, is not commonly supported by antivirus products. So far I haven't heard or found any other malware that uses JPHP which partially explains the low detection rates on VirusTotal.

...
Click to expand...

IceRat_infection_chain.png
 
  • Like
  • +Reputation
  • Applause
Reactions: Nevi, bayasdev, CyberPanther and 17 others
F

ForgottenSeer 89360

www.pressebox.de

Schadprogramm IceRat hat es auf Nutzerpasswörter und illegales Coin-Mining abgesehen und setzt dabei auf außergewöhnliche Strategien

Die Schadsoftware IceRat spioniert die Zugangsdaten von Nutzern für verschiedene Online-Dienste aus und kann bei einer Infektion ungewollt die Stromrechnung von...
www.pressebox.de www.pressebox.de

Schadprogramm IceRat hat es auf Nutzerpasswörter und illegales Coin-Mining abgesehen - Onlineportal von IT Management

Die Schadsoftware IceRat spioniert die Zugangsdaten von Nutzern für verschiedene Online-Dienste aus und kann bei einer Infektion ungewollt die Stromrechnung von Anwendern in die Höhe treiben - durch verdecktes illegales Coin-Mining.
www.it-daily.net www.it-daily.net

www.securityinfo.it

IceRat: il trojan “virtuale” che sfugge agli antivirus - Securityinfo.it

Il malware utilizza una macchina virtuale JavaScript per avviare un PHP che ne esegue il codice. Solo 2 motori antivirus su 3 lo riconoscono.
www.securityinfo.it www.securityinfo.it

I don't speak Italian (last article), but I can see the article is making headlines.
 
Last edited by a moderator:
  • Like
  • Applause
  • Thanks
Reactions: bayasdev, struppigel, MacDefender and 6 others
You must log in or register to reply here.

Similar threads

struppigel
    • Like
    • +Reputation
    • Applause
Malware Analysis [Video] D3f@ck loader analysis from InnoSetup to JPHP
Replies
2
Views
851
Malware Analysis
Trident
Trident
Captain Awesome
    • Like
Malware News AI-Driven Ransomware FunkSec Targets 85 Victims Using Double Extortion Tactics
Replies
0
Views
613
Security News
Captain Awesome
Captain Awesome
Gandalf_The_Grey
    • Like
    • Thanks
    • +Reputation
AV-Comparatives Consumer Malware Protection Test September 2024
Replies
2
Views
893
Security Statistics and Reports
Sorrento
Sorrento

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top