Experts have come across a new version of an old RAT

Apr 17, 2014 11:05 GMT

Security researchers from Trend Micro have been analyzing a new version of an old Java RAT. The new version is detected as JAVA_OZNEB.B and it’s called UNRECOM (Universal Remote Control Multi-Platform). It was previously known as Adwind.

According to experts, the RAT is being distributed with the aid of spam emails. The malware is often disguised as product lists, catalogues or receipts. One spam run used to distribute UNRECOM leverages the reputation of American Express.

The fake bank emails inform recipients that their accounts have been suspended due to suspicious activity.

“In view of this, your American Express card has been locked. This has been done to secure your accounts and to protect your private information. We are committed to making sure that your online transactions are secure,” the emails read.

They continue, “Attached to this mail is your statement with the irregular activities highlighted. Please fill in the required information in the form also attached, this is required for us to continue to offer you service in a safe and risk-free environment.”

Of course, the attachment is not a report, but a copy of the RAT.

Once it infects a computer, the new version of the malware can not only take screenshots and display messages, but also mine for Litecoins.

The Litecoin-mining component is a plugin. It’s worth noting that the creators of UNRECOM can add other plugins as well to further enhance the threat.

“The inclusion of a Litecoin miner plugin is highly notable, given the slew of threats targeting cryptocurrencies we’ve seen recently. Litecoin is a cryptocurrency that’s often considered as a popular alternative to Bitcoin,” Trend Micro Threat Response Engineer Mark Joseph Manahan noted in a blog post.

“The Litecoin plugin can allow a remote malicious user to use an infected computer to mine Litecoins. Mining digital currencies requires a lot of computing power so victims may experience sluggish performance from their infected computers,” the expert added.

As you might have guessed based on its name, this RAT can run on multiple platforms. While this is not out of the ordinary for Java RATs, this one can also run on Android devices.

It also has an APK binder component, which enables cybercriminals to take legitimate Android apps and turn them into Trojans.

Data from Trend Micro’s Smart Protection Network shows that most UNRECOM infections have been spotted in the United States, Turkey, Australia, Taiwan, Singapore and Japan.