by John Bambenek
To see the full threat report and findings, visit Fidelis Threat Advisory #1019, Ratcheting Down on JSocket: A PC and Android Threat. The report includes analysis of the PC capabilities and an updated list of JSocket command-and-control nodes observed in the wild. Enterprises should monitor their networks for any communication to these nodes and take appropriate action. We also include a list of observed hashes of this malware and a list of IP addresses and hostnames observed as command-and-control systems. Please note that the IP addresses were taken from the malware's configuration; they are not resolved addresses of the hostnames in the list, so the two should be checked independently.
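The sweep the advisory recommends, as an added example (not Fidelis code): hostnames are matched against DNS/proxy logs and IPs against connection logs separately, since the configuration IPs need not be what the hostnames resolve to. The indicator values and log lines below are constructed placeholders from reserved documentation ranges, not the advisory's real C2 list.

```python
"""IOC sweep over constructed DNS and firewall log lines.

Example code added to this post; it is not from the Fidelis advisory. The
indicator values are placeholders drawn from reserved documentation ranges
(RFC 5737 addresses, RFC 2606 names), not the advisory's real C2 list.
"""
import ipaddress
import re
from dataclasses import dataclass

# Placeholder IOCs (constructed). Substitute the advisory's hostnames and IPs.
C2_HOSTNAMES = {"rat-update.example.net", "jsocket-c2.example.org"}
C2_IPS = {"192.0.2.44", "198.51.100.7"}

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
CLIENT_RE = re.compile(r"\b(?:client|src)=(\S+)")


@dataclass
class Hit:
    line_no: int
    kind: str        # "hostname" or "ip"
    indicator: str   # the IOC that matched
    line: str


def _matching_hostname(host, hostnames):
    """Exact match or a subdomain of a listed C2 hostname, case-insensitive."""
    host = host.lower().rstrip(".")
    for ind in hostnames:
        if host == ind or host.endswith("." + ind):
            return ind
    return None


def find_c2_hits(lines, hostnames=C2_HOSTNAMES, ips=C2_IPS):
    """Return every line that names a listed C2 hostname or connects to a listed IP.

    Hostnames (DNS/proxy logs) and IPs (connection logs) are checked
    independently: the advisory's IPs come from the malware configuration and
    need not be what the hostnames currently resolve to.
    """
    hits = []
    for n, line in enumerate(lines, 1):
        for host in HOST_RE.findall(line):
            ind = _matching_hostname(host, hostnames)
            if ind:
                hits.append(Hit(n, "hostname", ind, line))
        for ip in IPV4_RE.findall(line):
            try:
                ipaddress.ip_address(ip)   # skip non-addresses like 300.1.2.3
            except ValueError:
                continue
            if ip in ips:
                hits.append(Hit(n, "ip", ip, line))
    return hits


def suspect_internal_hosts(lines, hostnames=C2_HOSTNAMES, ips=C2_IPS):
    """Internal clients (client=/src= fields) that produced at least one hit."""
    suspects = set()
    for hit in find_c2_hits(lines, hostnames, ips):
        m = CLIENT_RE.search(hit.line)
        if m:
            suspects.add(m.group(1))
    return suspects


# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2015-08-01T10:00:01 dns client=10.0.0.5 query=www.example.com type=A",
    "2015-08-01T10:00:02 dns client=10.0.0.9 query=RAT-UPDATE.example.net type=A",
    "2015-08-01T10:00:03 fw src=10.0.0.9 dst=198.51.100.7 dport=1337 action=allow",
    "2015-08-01T10:00:04 fw src=10.0.0.5 dst=203.0.113.9 dport=443 action=allow",
    "2015-08-01T10:00:05 dns client=10.0.0.9 query=sub.jsocket-c2.example.org type=A",
]

if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOGS):
        print(f"line {hit.line_no}: {hit.kind} {hit.indicator} <- {hit.line}")
    print("investigate:", sorted(suspect_internal_hosts(SAMPLE_LOGS)))
```

Subdomain matching is deliberate: RAT operators frequently rotate labels under one registered domain, so an exact-match list misses `sub.jsocket-c2.example.org`. On the sample data the sweep flags lines 2, 3 and 5 and points at the single internal host 10.0.0.9 as the device to pull for analysis.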
The mysterious death of Argentine prosecutor Alberto Nisman remains unsolved, with government officials citing suicide. Critics suggest he may have been murdered days after filing a report alleging that President Cristina Fernandez conspired to cover up Iranian involvement in the 1994 bombing of a Jewish community center. RAT spyware called AlienSpy was found on Nisman's mobile phone.
Recently, our friends at Recorded Future blogged about the popularity of the Android Remote Access Tools (RATs) AndroRat and DroidJack among Iranian hackers. The appeal of RATs for targeting mobile phones continues to grow, as they are readily available and effective. Attackers can remotely access a phone's camera and microphone to monitor a victim, track mobile transactions, steal personal information, and use the compromised device as a foothold into corporate networks for broader attacks.
Tools like DroidJack make it easy for attackers, even those without advanced technical skills, to compromise and control mobile devices. JSocket, another popular RAT, is likewise available with a rich blend of features and an easy-to-use interface that lets non-technical users deploy it against victims.
In June 2015, JSocket emerged as a reincarnation of previous malware. It can remotely control Linux, Mac and Windows machines as well as Android devices. On Android it works by repackaging an existing, legitimate application with the RAT code embedded, so the victim keeps using a fully functional app while the implant runs alongside it. For example, an attacker could embed JSocket in an Angry Birds game: the end user would play the game normally while the attacker gains complete access to and control of the device.
The JSocket Android RAT offers remote microphone and camera access, as well as a suite of tools to view and modify text messages and phone calls. It can also use the phone's built-in GPS to track a victim's movements wherever they go.
Use cases for JSocket vary widely. Recent well-publicized reports describe stalkers using such applications to track former partners. Organized crime syndicates, or nation states motivated by geopolitical interests (e.g. Iranian threat actors), can use the RAT to infiltrate organizations and steal financial data and other information.
To protect against JSocket attacks, enterprise users and consumers should take the following precautions:
- Do not “root” your phone. Rooting removes basic built-in protections and gives JSocket far greater access to the device.
- Do not install applications from outside the Google Play store, and make sure the “Unknown sources” setting (labelled “Allow installation of non-Market applications” on older Android versions) is turned off.
- Examine what permissions a mobile application requests upon installation. It is a common tactic for mobile malware to request all available permissions, and a game or utility that asks for SMS, call log, microphone, camera and location access is a good indicator of a problematic application.
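The permission review in the last precaution, and the repackaging described earlier, can both be checked against a decoded AndroidManifest.xml. The example below is added to this post and is not Fidelis code or a JSocket signature; the two manifests, the permission baseline and the grouping of permissions into "surveillance capabilities" are constructed for illustration and chosen to mirror the RAT features described above. A real manifest would first be decoded out of the APK (for example with apktool).

```python
"""Permission review of a decoded AndroidManifest.xml.

Example code added to this post; it is not from the Fidelis advisory and does
not detect JSocket specifically. The manifests and the baseline below are
constructed for illustration; the capability groups are a hypothetical mapping
that mirrors the RAT features described in the post.
"""
import xml.etree.ElementTree as ET

ANDROID_NAME = "{http://schemas.android.com/apk/res/android}name"

# Hypothetical grouping of permissions into surveillance capabilities.
CAPABILITIES = {
    "microphone": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.SEND_SMS", "android.permission.WRITE_SMS"},
    "calls": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
              "android.permission.PROCESS_OUTGOING_CALLS", "android.permission.CALL_PHONE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}
NETWORK = "android.permission.INTERNET"
SUSPICIOUS_THRESHOLD = 3   # capability groups; a hypothetical cut-off


def permissions(manifest_xml):
    """All <uses-permission android:name="..."/> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NAME) for el in root.iter("uses-permission") if el.get(ANDROID_NAME)}


def assess(manifest_xml):
    """Which surveillance capabilities the app asks for, and whether that is suspicious.

    Exfiltration needs the network, so an app is flagged only when it holds
    INTERNET plus at least SUSPICIOUS_THRESHOLD capability groups.
    """
    perms = permissions(manifest_xml)
    caps = sorted(name for name, group in CAPABILITIES.items() if perms & group)
    return {
        "package": ET.fromstring(manifest_xml).get("package"),
        "capabilities": caps,
        "suspicious": NETWORK in perms and len(caps) >= SUSPICIOUS_THRESHOLD,
    }


def unexpected_permissions(found, baseline):
    """Permissions beyond what the legitimate app is known to need.

    A repackaged copy of a known app usually carries the RAT's extra permissions.
    """
    return set(found) - set(baseline)


# Constructed manifests (not real apps): the same game, clean and trojanized.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.birdsgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Birds Game"/>
</manifest>"""

TROJANIZED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.birdsgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Birds Game">
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# What the legitimate game is known to request (constructed baseline).
GAME_BASELINE = permissions(BENIGN_MANIFEST)

if __name__ == "__main__":
    for label, m in (("benign", BENIGN_MANIFEST), ("trojanized", TROJANIZED_MANIFEST)):
        print(label, assess(m))
    print("extra:", sorted(unexpected_permissions(permissions(TROJANIZED_MANIFEST), GAME_BASELINE)))
```

Two caveats apply. On newer Android versions many of these permissions are granted at runtime rather than at install, so the install-time prompt no longer shows everything; review the granted permissions in Settings as well. And a repackaged app cannot keep the original developer's signing certificate, so comparing the APK's signer against the known publisher is a stronger repackaging check than permissions alone.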
Fidelis XPS™ and Resolution1 Endpoint users are protected against this threat by our advanced threat detection capabilities, and we will continue to monitor this threat as it develops.