IceRAT is a relatively new tool in the malicious arena, being a unique strain in regard to its features and unprecedented evasion tactics. Remarkably, the threat has very low detection rates, acting as a stealth malware able to steal sensitive data and financial assets from the targeted machines.
Despite its name, IceRAT is more a backdoor than a remote access Trojan. Its primary features are aimed at chained infections and downloading additional malware, while traditional RAT functionality (e.g. command execution) is missing. Since its discovery in January 2020, IceRAT has successfully infected victims with a vast array of information stealers, cryptominers, keyloggers, and clippers. Notably, the malware is distributed mainly through spam campaigns and trojanized “crackers.” For example, the first detected IceRAT version infected victims via malicious documents containing a trojanized software download for the CryptoTab browser. IceRAT’s host and C2 server hxxp://malina1306.zzz(.)com.ua serves a website written in Cyrillic, which might indicate that IceRAT developers could be of East European or Russian origin. Even though IceRAT is unable to provide full remote control of the targeted device, it should be considered a highly dangerous piece of software able to inflict severe device damage, financial and data loss, privacy issues, and identity theft.
In-depth analysis of IceRAT reveals it is the first-ever malware written in JPHP, a PHP implementation running on the Java VM. Consequently, IceRAT relies on .phb files instead of traditional Java .class ones. This peculiarity allows the threat to reach an extremely low detection rate on VirusTotal, since .phb files are not generally supported by AV engines. Another uncommon feature that contributes to its successful evasion is IceRAT’s architecture. The implementation is highly fragmented and avoids putting all functionality in one file. Specifically, IceRAT uses multiple files, each tasked with executing a single function separately. Therefore, if the downloader component is discovered, it might be considered benign because the malicious content is missing.
The unique evasion techniques applied by IceRAT make it a tricky task to detect malicious activity in time. Our Threat Bounty program developer Osman Demir provided a threat hunting rule for proactive defense:
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, ELK Stack, QRadar, Splunk, Sumo Logic, Humio, Graylog, LogPoint, RSA NetWitness
Tactics: Discovery, Persistence, Execution
Technique: Process Discovery (T1057), Registry Run Keys / Startup Folder (T1060), Windows Management Instrumentation (T1047)
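To make the listed techniques concrete, here is an added illustration (not the Threat Bounty rule above, and not the rule's logic) of how a detection could correlate the JPHP artifacts and the three techniques over host telemetry. The event shapes, paths and registry value names are constructed to resemble Sysmon process-create, file-create and registry-set events and are assumptions, not observed IceRAT indicators.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry loosely modelled on Sysmon event IDs 1, 11 and 13.
# Paths, value names and command lines are invented for the example.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"id": "1", "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "cmd": r'javaw.exe -jar "C:\Users\u\AppData\Roaming\upd\Loader.jar"',
     "parent": r"C:\Users\u\Downloads\CryptoTab_Setup.exe"},
    {"id": "11", "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "target": r"C:\Users\u\AppData\Roaming\upd\app\Downloader.phb"},
    {"id": "13", "image": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\JavaUpdate",
     "details": r'javaw.exe -jar "C:\Users\u\AppData\Roaming\upd\Loader.jar"'},
    {"id": "1", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic process get name,processid",
     "parent": r"C:\Program Files\Java\jre\bin\javaw.exe"},
    # Benign control: a Java tool installed under Program Files, started by Explorer.
    {"id": "1", "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "cmd": r'java.exe -jar "C:\Program Files\Tool\tool.jar"',
     "parent": r"C:\Windows\explorer.exe"},
]

JAVA = re.compile(r"(?:^|\\)javaw?\.exe\b", re.I)          # java.exe / javaw.exe
USER_DIR = re.compile(r"\\(?:AppData|Temp|Downloads)\\", re.I)  # user-writable locations
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)       # Run key persistence (T1060)

def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (label, evidence) pairs for events matching the IceRAT-style tradecraft."""
    hits: List[Tuple[str, str]] = []
    for e in events:
        parent = e.get("parent", "")
        if e["id"] == "11" and JAVA.search(e["image"]) and e["target"].lower().endswith(".phb"):
            hits.append(("JPHP .phb artifact written by Java", e["target"]))
        elif (e["id"] == "13" and RUN_KEY.search(e["target"])
              and JAVA.search(e["details"]) and USER_DIR.search(e["details"])):
            hits.append(("T1060 Run key launching Java from user path", e["target"]))
        elif (e["id"] == "1" and JAVA.search(parent) and "wmic" in e["image"].lower()
              and "process" in e["cmd"].lower()):
            hits.append(("T1047/T1057 WMI process discovery from Java", e["cmd"]))
        elif e["id"] == "1" and JAVA.search(e["image"]) and USER_DIR.search(e["cmd"]) and not JAVA.search(parent):
            hits.append(("Java runtime loading a JAR from a user-writable path", e["cmd"]))
    return hits

if __name__ == "__main__":
    for label, evidence in detect(SAMPLE_EVENTS):
        print(f"{label}: {evidence}")
```

The benign control event produces no hit because the JAR lives under Program Files, which is the kind of path-based distinction a production rule should tune against the environment's own software inventory.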
Sign up to the Threat Detection Marketplace to reach more proactive defense content. Ready to contribute to the threat hunting initiatives? Join our Threat Bounty program to enrich the SOC content library and share it with the Threat Detection Marketplace community.