First observed in May 2015, the JBiFrost Remote Access Trojan (RAT) is a variant of the Adwind RAT, with roots stretching back to the Frutas RAT, from 2012.
A RAT is a programme which, once installed on a victim’s machine, allows remote administrative control. In a malicious context it can, among many other functions, be used to install backdoors and key loggers, take screen shots, and exfiltrate data.
Malicious RATs can be difficult to detect because they are normally designed not to appear in lists of running programmes and can mimic the behaviour of legitimate applications.
To hinder forensic analysis, RATs have been known to disable administrative tools, such as Task Manager, and network analysis tools, such as Wireshark, on the victim's system.
JBiFrost is typically employed by cyber criminals and low-skilled actors, but its capabilities could easily be adapted for use by state actors.
Other RATs are widely used by Advanced Persistent Threat (APT) groups, such as Adwind against the aerospace and defence sector, or Quasar RAT by APT10, against a broad range of sectors.
Malicious actors have also compromised servers with the purpose of delivering malicious RATs to victims, either to gain remote access for further exploitation, or to steal valuable information, such as banking credentials, Intellectual Property or PII.
The JBiFrost RAT is Java-based, cross-platform and multifunctional. It poses a threat to several different operating systems, including Windows, Linux, Mac OS X and Android.
JBiFrost allows actors to pivot and move laterally across a network, or install additional malicious software. It is primarily delivered by email, either as an attachment (usually disguised as an invoice notice, request for quotation, remittance notice, shipment notification or payment notice) or as a link to a file hosting service.
Past infections have exfiltrated intellectual property, banking credentials and Personally Identifiable Information (PII). Machines infected with JBiFrost can also be used in botnets to carry out Distributed Denial of Service (DDoS) attacks.
Since early 2018, we have observed an increase in JBiFrost being used in targeted attacks against critical national infrastructure owners and their supply chain operators. There has also been an increase in the RAT’s hosting on infrastructure located in our countries.
In early 2017, the Adwind RAT was deployed via spoofed emails, designed to look as if they originated from SWIFT network services.
Many other publicly available RATs, including variations of the Gh0st RAT, have also been observed in use against a range of victims worldwide.
Detection and protection
Some possible indications of a JBiFrost RAT infection can include, but are not limited to:
- Inability to restart the computer in safe mode;
- Inability to open the Windows registry editor or task manager;
- Significant increase in disk activity and/or network traffic;
- Connection attempts to known malicious IP addresses; and
- Creation of new files and directories with obfuscated or random names.
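The indicators above can be checked mechanically against evidence collected from a suspect Windows host. The script below is an added example (not part of the advisory) that runs three of them over a constructed slice of a user's registry and a snapshot of outbound connections: the policy values that make Task Manager and the Registry Editor refuse to open, Run-key entries that start a JAR from a user-writable location (JBiFrost is Java-based, so it needs a JVM launch to persist), and connections to addresses on your own threat-intelligence list. The registry key paths are the standard Windows policy and Run keys; everything else (the file names, the `kXq9zT4w` directory, the IP addresses, which come from the RFC 5737 documentation ranges) is a placeholder, not a real JBiFrost indicator.

```python
"""Host triage for the JBiFrost indicators listed in the advisory (added example)."""
from dataclasses import dataclass
import ipaddress
import re

# Policy values that disable Task Manager and the Registry Editor for the current user.
POLICY_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System"
DISABLED_TOOL_VALUES = {"DisableTaskMgr": "Task Manager", "DisableRegistryTools": "Registry Editor"}

# Per-user autostart key. A Java RAT dropped by a phishing attachment needs a JVM to
# start, so look for java/javaw -jar pointing into user-writable locations.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
JAVA_JAR_LAUNCH = re.compile(r'javaw?(?:\.exe)?"?\s.*-jar\s+"?([^"]+?\.jar)', re.IGNORECASE)
USER_WRITABLE = re.compile(
    r"\\AppData\\|\\Users\\[^\\]+\\(?:Downloads|Desktop|Documents)\\|%APPDATA%|%TEMP%", re.IGNORECASE)


@dataclass
class Evidence:
    registry: dict      # key path -> {value name: data}, e.g. from `reg query` output
    connections: list   # (process name, remote IP, remote port), e.g. from `netstat -ano`


def check_disabled_admin_tools(registry: dict) -> list:
    """Indicator: the registry editor / task manager cannot be opened."""
    values = registry.get(POLICY_KEY, {})
    return [f"{tool} disabled via {POLICY_KEY}\\{name}=1"
            for name, tool in DISABLED_TOOL_VALUES.items() if values.get(name) == 1]


def check_java_persistence(registry: dict) -> list:
    """Run-key entries that start a JAR from a user-writable path."""
    hits = []
    for value_name, command in registry.get(RUN_KEY, {}).items():
        match = JAVA_JAR_LAUNCH.search(str(command))
        if match and USER_WRITABLE.search(match.group(1)):
            hits.append(f"Run value '{value_name}' launches JAR from user-writable path: {match.group(1)}")
    return hits


def check_known_bad_connections(connections: list, known_bad_ips) -> list:
    """Indicator: connection attempts to IP addresses on your threat-intel list."""
    bad = {ipaddress.ip_address(ip) for ip in known_bad_ips}
    return [f"{proc} -> {ip}:{port} is a known malicious address"
            for proc, ip, port in connections if ipaddress.ip_address(ip) in bad]


def triage(evidence: Evidence, known_bad_ips) -> dict:
    """Return only the indicator checks that fired, keyed by check name."""
    results = {
        "disabled_admin_tools": check_disabled_admin_tools(evidence.registry),
        "java_persistence": check_java_persistence(evidence.registry),
        "known_bad_connections": check_known_bad_connections(evidence.connections, known_bad_ips),
    }
    return {name: hits for name, hits in results.items() if hits}


# Constructed evidence. Paths and addresses are placeholders (RFC 5737 documentation ranges).
KNOWN_BAD_IPS = {"203.0.113.45", "203.0.113.46"}
SAMPLE_EVIDENCE = Evidence(
    registry={
        POLICY_KEY: {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
        RUN_KEY: {
            # benign: the Java updater, and a vendor JAR installed under Program Files
            "SunJavaUpdateSched": r'"C:\Program Files\Java\jre1.8.0_171\bin\jusched.exe"',
            "VendorApp": r'"C:\Program Files\Java\jre1.8.0_171\bin\javaw.exe" -jar "C:\Program Files\Vendor\app.jar"',
            # suspicious: a JAR launched from a randomly named directory under %APPDATA%
            "kXq9zT4w": r'"C:\Program Files\Java\jre1.8.0_171\bin\javaw.exe" -jar "C:\Users\alice\AppData\Roaming\kXq9zT4w\update.jar"',
        },
    },
    connections=[
        ("chrome.exe", "198.51.100.7", 443),
        ("javaw.exe", "203.0.113.45", 1337),
    ],
)

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_EVIDENCE, KNOWN_BAD_IPS).items():
        print(check)
        for hit in hits:
            print("  -", hit)
```

The vendor JAR under Program Files is deliberately not flagged: the signal is not "Java is running" but "a JAR is being auto-started from somewhere the user (and therefore a phishing attachment) can write to". The known-bad list is whatever your threat-intelligence feed provides; the two addresses here are placeholders.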
Protection is best afforded by ensuring systems and installed applications are all fully patched and updated. The use of a modern antivirus program with automatic definition updates and regular system scans will also help ensure that most of the latest variants are stopped in their tracks. You should ensure that your organisation is able to collect antivirus detections centrally across its estate and investigate RAT detections efficiently.
Strict application whitelisting is recommended to prevent infections occurring.
The initial infection mechanism for RATs, including JBiFrost, can be via phishing emails. You can help prevent JBiFrost infections by stopping these phishing emails from reaching your users, helping users to identify and report phishing emails, and implementing security controls so that the malicious email doesn't compromise your devices. For further details, see the NCSC's phishing guidance (Footnote 2).
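One of the controls that stops the lure before it reaches a user is an attachment check at the mail gateway. Because JBiFrost is a Java archive delivered as an attachment, the check should refuse .jar attachments outright and also recognise a JAR that has been renamed to something less alarming such as .zip. The following is an added example of that logic, not code from the advisory or from any gateway product: it builds a constructed invoice-style message with four attachments, re-parses it as a gateway would, and quarantines the two that are Java archives. The sender, recipient, file names and archive contents are all constructed; the JAR recognition rule (a ZIP containing `META-INF/MANIFEST.MF` with a `Main-Class:` line, or any `.class` entry) is this example's own.

```python
"""Mail-gateway attachment check for JBiFrost-style lures (added example)."""
import email
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {".jar"}


def looks_like_jar(data: bytes) -> bool:
    """True if the bytes are a ZIP archive carrying Java class files or a Main-Class manifest."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            names = archive.namelist()
            if "META-INF/MANIFEST.MF" in names:
                manifest = archive.read("META-INF/MANIFEST.MF").decode("latin-1", "replace")
                if "Main-Class:" in manifest:
                    return True
            return any(name.lower().endswith(".class") for name in names)
    except zipfile.BadZipFile:
        return False


def suspicious_attachments(msg: EmailMessage) -> list:
    """Return (filename, reason) for each attachment the gateway should quarantine."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        # splitext keeps only the last extension, so "Invoice.pdf.jar" is still seen as .jar
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        elif looks_like_jar(data):
            findings.append((name, "content is a Java archive despite its name"))
    return findings


def build_jar(main_class: str = "Update") -> bytes:
    """Constructed minimal JAR: a manifest naming a Main-Class plus a stub .class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\r\nMain-Class: {main_class}\r\n\r\n")
        archive.writestr(f"{main_class}.class", b"\xca\xfe\xba\xbe" + b"\x00" * 4)  # class-file magic only
    return buf.getvalue()


def build_plain_zip() -> bytes:
    """Constructed benign archive: a ZIP holding only a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("quotation.pdf", b"%PDF-1.4\n%constructed\n")
    return buf.getvalue()


def build_message(attachments) -> EmailMessage:
    """Constructed lure in the style the advisory describes, serialised and re-parsed as a gateway sees it."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Invoice notice"
    msg.set_content("Please find the invoice attached.")
    for name, data, maintype, subtype in attachments:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


SAMPLE_MESSAGE = build_message([
    ("Invoice_48213.pdf.jar", build_jar(), "application", "octet-stream"),  # double extension
    ("Remittance_notice.zip", build_jar(), "application", "zip"),           # JAR renamed to .zip
    ("Shipment.pdf", b"%PDF-1.4\n%constructed\n", "application", "pdf"),   # benign
    ("Quotation.zip", build_plain_zip(), "application", "zip"),             # benign archive
])

if __name__ == "__main__":
    for name, reason in suspicious_attachments(SAMPLE_MESSAGE):
        print(f"quarantine {name}: {reason}")
```

The content check matters more than the extension check: an attacker controls the filename, but a JAR has to remain a ZIP with Java entries for `javaw` to run it. This example inspects one archive level only; a production gateway should also open nested archives and bound the recursion depth and decompressed size so the check cannot itself be used to exhaust the gateway.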