IceRat malware steals user passwords, runs illegal coin mining and uses unusual strategies to avoid detection.
The IceRat malware harvests users' login credentials for various online services and, after an infection, can drive up the victim's electricity bill without their knowledge through covert, illegal coin mining. Technically, its developers have taken several steps to keep the malicious code from being recognised by security solutions.
Looking for passwords
G DATA virus analyst Karsten Hahn took a closer look at IceRat. Once the malware reaches a computer, it harvests the login credentials for various online services, for example Facebook or Amazon. This information alone is not enough for the criminals: they also install a coin miner that illegally mines digital currencies. The perpetrators earn additional money this way, while the victims are left with an increased electricity bill.
Cyber criminals use a dual strategy
In IceRat, the attackers did not put the malicious functions into a single file; instead they spread them across several components that are combined to form the malware. For most of these components, the analyst found a programming language that is very unusual for malicious code: JPHP, a PHP implementation that runs on the Java virtual machine. With this approach the cyber criminals try to outsmart security solutions and prevent detection: without the overall context, the individual files of the malicious program are hard to identify as malicious, and the use of JPHP is so unusual that many security solutions do not raise an alarm.
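Because JPHP is so rare in legitimate software, a defender can triage Java archives by simply checking whether they bundle a JPHP runtime at all, rather than trying to judge each PHP component on its own. The following script is an added example and is not code from G DATA or from the IceRat analysis; it assumes that JPHP packages its runtime classes under a `php/runtime/` path and its launcher metadata under `JPHP-INF/`, and it builds its sample JARs in memory.

```python
import io
import zipfile

# Assumed (not from the press release) path prefixes that indicate a bundled
# JPHP runtime inside a JAR. Adjust to match the JPHP build actually in use.
JPHP_MARKERS = ("php/runtime/", "JPHP-INF/")


def jphp_indicators(jar_bytes: bytes) -> dict:
    """Count JAR entries that fall under each assumed JPHP marker prefix."""
    found = {marker: 0 for marker in JPHP_MARKERS}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            for marker in JPHP_MARKERS:
                if name.startswith(marker):
                    found[marker] += 1
    return found


def is_suspect_jphp_jar(jar_bytes: bytes) -> bool:
    """Flag a JAR for analyst review when it carries a JPHP runtime.

    The individual PHP components may look harmless in isolation; the
    unusual runtime itself is the signal worth a closer look.
    """
    return any(count > 0 for count in jphp_indicators(jar_bytes).values())


def build_sample_jar(entries) -> bytes:
    """Construct a minimal in-memory JAR with the given entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")
    return buf.getvalue()


# Constructed samples: an ordinary Java application and a JPHP-packaged one.
PLAIN_JAR = build_sample_jar(["META-INF/MANIFEST.MF", "com/example/App.class"])
JPHP_JAR = build_sample_jar(["META-INF/MANIFEST.MF", "JPHP-INF/launcher.conf",
                             "php/runtime/launcher/Launcher.class"])

if __name__ == "__main__":
    for label, jar in (("plain", PLAIN_JAR), ("jphp", JPHP_JAR)):
        print(label, is_suspect_jphp_jar(jar), jphp_indicators(jar))
```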
“IceRat is very dangerous and harms users in two ways. An infection means that not only passwords get into the wrong hands and can be sold lucratively in special underground markets. At the same time, the computer is also being used for illegal coin mining. The attackers earn twice at the expense of their victims,” says Karsten Hahn, virus analyst at G DATA CyberDefense.
More on this at GData.de
About G DATA
With comprehensive cyber defense services, the inventor of the anti-virus enables companies to defend themselves against cybercrime. Over 500 employees ensure the digital security of companies and users. Made in Germany: with over 30 years of expertise in malware analysis, G DATA conducts research and software development exclusively in Germany. The highest standards of data protection are paramount. In 2011, G DATA issued a “no backdoor” guarantee with the “IT Security Made in Germany” seal of trust from TeleTrusT e.V. G DATA offers a portfolio ranging from anti-virus and endpoint protection to penetration tests and incident response, forensic analyses, security status checks and cyber awareness training to defend companies effectively. New technologies such as DeepRay use artificial intelligence to protect against malware. Service and support are part of the G DATA campus in Bochum. G DATA solutions are available in 90 countries and have received numerous awards.