October 10, 2017

JadeRAT Mobile Surveillanceware Spikes in Espionage Activity

Lookout researchers are monitoring the evolution of an Android surveillanceware family known as JadeRAT, we believe may be connected to a government sponsored APT group.

Emerging in 2015 and becoming increasingly active, JadeRAT provides its operators with a significant degree of control over a compromised device and supports over 60 commands that are focused on retrieving sensitive information and profiling victims.
All Lookout customers are protected from this threat.

JadeRAT is just one example of numerous mobile surveillanceware families we've seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Some of these active families have included FrozenCell, an attack against government officials in Palestine; xRAT, associated with a family targeting Hong Kong protestors; and ViperRAT, an attack targeting members of the Israeli Defense Force. Research into those families suggests they are highly targeted however we've also seen more wide-reaching spyware such as SonicSpy that was discovered in thousands of malicious apps, some of which made their way into the Google Play Store.

Potential attribution

Based on the apps we've seen JadeRAT trojanize, it appears the actors behind it are primarily targeting groups and individuals in China. While our analysis has identified several possible leads that could tie this surveillanceware family to the Naikon APT, Scarlet Mimic, or one of several other groups operating in the region, at this point in time we do not have conclusive evidence to confirm this. Our findings do support the theory that the actor behind JadeRAT is operating around a similar set of objectives to those followed by other Chinese government sponsored groups. We're hoping that by sharing this information it will increase awareness about the rise in targeted surveillance attacks against mobile devices and provide further leads to the research community investigating actors operating in this region.

JadeRAT samples

JadeRAT test releases chart

There is a strong indication that the actor behind this family is becoming increasingly active in the mobile space. As of June 2017, we have acquired 34 JadeRAT samples, 50 percent of which were acquired just this year. Looking at hard coded configuration details, we were able to determine which samples are likely production releases and which are used for internal testing. This shows that the majority of production samples were released this year.

JadeRAT sample names have remained fairly consistent. The apps SIM卡管理 (SIM Card Management), 手机管家 (Phone Guardian), and Google Searcher are the most popular observed titles. Others have included Uyghur, 170602, Telegram, and Voxer, indicating the actor is impersonating communication apps and may be running some campaigns targeting ethnic minorities in China, given the Uyghur reference.

JadeRAT supports over 60 commands that can be issued in the format !<command_id>&<optional_cmd_params>@. Many of these offer standard information gathering functionality seen in typical mobile surveillanceware, however JadeRAT supports several less common capabilities. These include notifying an operator via SMS when a device has booted and silently dropping calls and texts to attacker specified numbers. The following are JadeRAT's core capabilities:

Get a list of running processesConfigure call recording to occur if a call is made to a specified numberGet the name of the foreground taskAlert a 'secure phone' that a victim's device is now onlineGet active servicesRecord audio at a specific time for a set durationRetrieve device locationStart / stop audio recording / set to record based on calls to certain numbersRetrieve contacts, accounts, call logs, text messagesAttempt to call an attacker specified numberKill a specific processSilently drop calls and SMSes to specific numbersRetrieve location data that has been periodically collectedEnable / disable Wi-FiList the contents of a specific directoryEnable / disable mobile dataDownload / upload / delete a specified file  Enable / disable GPSRecursively search a directory on a victim's device for a specific filenameDelete all SMSes, call logs, contacts, and content on the SDCardUse ZipUtils to compress a specific file, placing the compressed output in /sdcard/.tempExecute arbitrary commands if rootExfiltrate MicroMsg and QQ media files and chat databasesTake a screenshotCheck for root accessShutdown / reboot deviceRetrieve Wi-Fi access points and their corresponding passwords

JadeRAT code snippet

As JadeRAT simply opens up a socket to a specified address and uses quite a basic instruction format without any authentication its capabilities can be tested out by redirecting traffic from a compromised device to an analysis machine running netcat.

Infrastructure

JadeRAT's operators have consistently changed their infrastructure. Production releases rarely reuse domains or IP addresses, frequently use dynamic DNS, and communicate on various non-standard ports. JadeRAT is configured to send SMS messages to an attacker-specified phone number when the compromised device first comes online, however these have only been pre-configured in three of the most recently observed samples. We extracted the following phone numbers from samples acquired during April of 2017:

NumberRegionOperatorBrand18395610195Shijiazhuang City, Hebei ProvinceChina Mobile Communications CorporationGlobal pass, M-Zone, Shenzhou line, G318633666566Handan City, Hebei ProvinceChina United Network Communications Group Co., LtdUnknown13910674787BeijingChina Mobile Communications CorporationGlobal pass, M-Zone, Shenzhou line, G3

Though these phone numbers are only associated with a limited number of samples, all samples come configured with specific infrastructure to which they communicate. Below are observed domains and external IP addresses.

IP / DomainPortgoogleservhlp.oicp.net8096iponetest.eicp.net8001myofficedesktop.rkfree.net8000asd887655.6655.la8080103.226.127.9880125.41.93.325000113.106.48.1948000123.149.231.818899221.192.178.51661161.36.72.4380291.192.250.748899123.15.58.1198081117.158.131.13080801.192.241.1094434test.ymyoo.xyz5000103.200.31.23443461.144.202.2168910

JadeRAT connections

Lookout is continuing to track JadeRAT and its associated infrastructure closely as we anticipate this family will only continue to grow.

SHA-1sfea0bc1df035ea8eb683bc91cef4d925d8a260f3b86d8dc815f50377e444a297f5f33bba1b16cc8e674224a4fe7ec9badd5eefce303ec0867a4afcdf3e883ac8e5fac3940e774ebca8d626eac5b8d02c6aaf0f67dddab4fbc9239e29a668195c109d8c2362cc592cac04d698313ed500bbc897df8172b029fd5a2ec25d996fe88845bb0705296bf9a621cbe700683fa02a0a70e6951daeb34c48cbcceffb60d964dddf18cd767b8d273aac1f178db791c758d8195cb05fb8e3e98781c94f69890a9b69eec8def46a97de3e5a20014f125a8685c6e48c8e6bc4e2c51d1e9ec2cdeca8c6954b13551051eec8107b0cef75b0f844b4ffc4824dad757be4b231905e099a97d7

All these indicators have been added to AlienVault under the JadeRAT pulse.

Authors

Michael Flossman

Head of Threat Intelligence

Michael is Head of Threat Intelligence at Lookout where he works on reverse engineering sophisticated mobile threats while tracking their evolution, the campaigns they are used in, and the actors behind them. He has hands-on experience in vulnerability research, incident response, security assessments, pen-testing, reverse engineering and the prototyping of automated analysis solutions. When not analysing malware there’s a good chance he’s off snowboarding, diving, or looking for flaws in popular mobile apps.

Platform(s) Affected
Android
Threat Type
Spyware
Entry Type
Threat Summary
Platform(s) Affected
Android
Spyware
Threat Summary

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell