Hackers Targeting Indian Banks via JAVA RAT To Hack Java On Windows, Linux , and Mac

Currently, the whole world is in lockdown due to the deadly COVID-19 pandemic, but, for the cybercriminals, this is the most luring opportunity. Moreover, as a result, recently, cyber attackers have targeted all the co-operative banks in India.

Researchers uncovered a new campaign in which the attackers have used the renewed wave of the “Adwind Java RAT” to initiate the attacks against the co-operative banks in India.

Do you not know about the co-operative banks? The co-operative banks are small banks that are small in size, and they generally do not have any large trained IT and cybersecurity team to handle such types of cyberattacks.

Like the other popular COVID-19 themed cyber-attacks, this Java RAT campaign also starts its operation with a spear-phishing email.

However, the difference is that the phishing emails that the attacker sends to its victims claim to be from India's Reserve Bank of India or any other large banking institution in the country.

According to the Quick Heal report, all these phishing emails refer to the new RBI guidelines or any transaction with detailed information in an attached file that contains the real surprise, in the form of a zip file.

Actually, inside that zip file, the attacker attaches a malicious JAR file as an attachment in the name of a detailed report.

You can see the malicious zip file attached by the attacker in the detailed report's name in the above image. Apart from this, to deceive the victims, the attacker uses popular file extensions like xlsx, pdf, and much more.

Infection Vector

The malicious JAR file, which is sent to the attackers' victims, is a remote admin trojan, that is why the attackers can efficiently run them on any windows, Linux, and Mac PCs with Java installed.

The malicious payload endures itself by altering the registry key. The payload drops a JAR file in %appdata% location; all these happen automatically once the user manually opens the attachment sent by the attacker.

This malicious JAR file contains multiple layers of encryption and complex coding.

Once the malicious JAR file executed in the victim’s system, it automatically transforms into a Remote admin tool (JRAT) that allows the attackers to perform several types of malicious activities of the following:-

• This backdoor can create or delete its persistence by sending commands.
• Adwind RAT is capable of controlling the victim’s desktop remotely.
• The attacker used a robot class to control the mouse, keyboard by sending commands from a remote machine, and take a screenshot.
• Backdoors often lead to the stealing of credentials for critical financial infrastructure.
• Cyberattacks on banks can lead to the stealing of all customer data and crucial financial infrastructure details.

Here Are Some Attachment Names Used in the Java RAT Campaign:-Email Subjects:

• Urgent – COVID measures monitoring template
• Query Reports for RBI INSPECTION
• Moratorium
• FMR returns
• Assessment Advice-MH-603
• [874890897] – MIS for NEFT/RTGS, 06-04-2020 [1]
• Deal confr.
• DI form

• Attachment Names:
• Covid_19_measures_Monitoring_Template-Final_xlsx.zip
• NSBL-AccListOnTheBasisOfKYCData_0600402020_pdf.zip
• Gazette notification&RBI_Directives_file-00000120_pdf.zip
• Fmr-2_n_fmr_3_file_000002-pdf.zip
• MON01803_DIC_pdf.zip
• FIXEDCOMPNULL_xls.zip
• SHRIGOVARDHANSING0023JI001_pdf.zip
• DI_form_HY_file_00002_pdf .zip

These malicious campaigns could directly impact the banks and their customers; thus, cyber actors could easily steal customers’ data and important financial infrastructure details.

Moreover, the security firm Quick Heal strongly recommended the users to take necessary security measures and avoid opening the attachments attached in the emails from unknown sources.

So, what do you think about this? Share all your views and thoughts in the comment section below.

Follow us on Twitter, Linkedin, Facebook for daily Security updates & Hacking news. Have you got something to say about this content? Let us know by the comment below.