A RAT For The US Presidential Elections

A day before the controversial United States Presidential elections, an email circulated warning recipients of a possible attack on election day, as described in a manifesto, allegedly from the ISIS terrorist group, entitled “The Murtadd Vote”. The email purported to come from the head of a US-based terrorist monitoring group. The message body was a snippet from a USA Today article, and the email carried a ZIP archive called “The Murtadd Vote.zip”.


The attachment extracts to “The Murtadd Vote.jar”, an Adwind Remote Access Tool/Trojan (RAT). Adwind RAT (also known as jRAT) is nothing novel: it has been sold as a Malware-as-a-Service subscription for some four years now. Its features include keylogging, credential theft, and downloading and executing additional files on the infected host, to name a few.


What makes this threat slightly different from other RATs? It is platform-independent: as a Java archive it runs on essentially any device with a Java Runtime Environment (JRE) installed. As seen below, the malware successfully installed a copy of itself as evgjyuBYuAY.WyhMVR on both Windows and Linux.


This particular sample phones home to invoicesheet[.]ddns[.]net:183, which resolved to yesterday, and today to

On Windows, it uses a VBS script to collect machine information, such as which firewall product is installed. It writes to the registry via a .REG file, and can disable UAC and kill processes belonging to system-monitoring, antivirus and debugging software.



Indicators of compromise (SHA-1 hashes of the samples, and the C2 hostname):

  • 80b83ff63adce9ee3ef593ef92eb6fb8eebe431d
  • f9143d7ff3d7651155e7164093722d2eba25bd13 (DeepGuard Kavala.O)
  • dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
  • 8a50c72b4580c20d4a7bfc7af8f12671bf6715ae
  • invoicesheet.ddns.net
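The following triage script is an added example and is not code from the F-Secure post: it hashes files on disk against the SHA-1 indicators listed above, flags the dropped file name the post reports for this sample, and scans DNS/proxy log lines for the C2 hostname and port. The hashes, hostname, port and file name are the ones the post gives; the log lines and their field names (qname=, dst=) are constructed for the example and are an assumption about log format.

```python
"""Added example, not from the F-Secure post: triage against the Adwind IOCs.

Checks files on disk against the SHA-1 indicators from the post and scans
DNS/proxy log lines for the C2 hostname. The log lines at the bottom and the
key=value log format are constructed for this example.
"""
import hashlib
import re
from pathlib import Path

# Indicators taken from the post.
IOC_SHA1 = {
    "80b83ff63adce9ee3ef593ef92eb6fb8eebe431d",
    "f9143d7ff3d7651155e7164093722d2eba25bd13",
    "dc4a1fdbaad15ddd6fe22d3907c6b03727b71510",
    "8a50c72b4580c20d4a7bfc7af8f12671bf6715ae",
}
C2_HOST = "invoicesheet.ddns.net"
C2_PORT = 183
DROPPED_NAME = "evgjyuBYuAY.WyhMVR"  # name of the copy this sample installed


def sha1_of_file(path):
    """SHA-1 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_files(root, iocs=IOC_SHA1, dropped_name=DROPPED_NAME):
    """Walk `root`; return (path, reason) for files whose SHA-1 is an IOC or
    whose name matches the dropped copy. A name match is weaker evidence:
    it is what this sample used, other builds may pick a different name."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        if p.name == dropped_name:
            hits.append((str(p), "dropped file name"))
        try:
            digest = sha1_of_file(p)
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        if digest in iocs:
            hits.append((str(p), "sha1 " + digest))
    return hits


# key=value fields that carry a hostname, optionally with :port (assumed log format)
HOST_RE = re.compile(r"\b(?:qname|dst|host)=(?P<host>[\w.\-\[\]]+)(?::(?P<port>\d+))?")


def normalize_host(host):
    """Undo defanging ('[.]'), trailing dots and case so comparison is exact."""
    return host.replace("[.]", ".").rstrip(".").lower()


def c2_hits(lines, c2_host=C2_HOST, c2_port=C2_PORT):
    """Return (line_no, reason) for log lines naming the C2 host. A host without
    a port is a DNS lookup; a host with the port is an actual connection."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            host = normalize_host(m.group("host"))
            if host != c2_host and not host.endswith("." + c2_host):
                continue
            port = m.group("port")
            if port is None:
                reason = "lookup of " + c2_host
            elif int(port) == c2_port:
                reason = f"connection to {c2_host}:{c2_port}"
            else:
                reason = f"connection to {c2_host} on unexpected port {port}"
            hits.append((n, reason))
    return hits


# Constructed sample log lines (not real data): one lookup, one C2 connection, noise.
SAMPLE_LOGS = [
    "2016-11-08T09:12:01 dns client=10.0.0.5 qname=invoicesheet.ddns.net qtype=A",
    "2016-11-08T09:12:02 conn client=10.0.0.5 dst=invoicesheet.ddns.net:183 proto=tcp",
    "2016-11-08T09:13:10 dns client=10.0.0.9 qname=update.microsoft.com qtype=A",
    "2016-11-08T09:14:44 conn client=10.0.0.7 dst=files.example.org:443 proto=tcp",
]

if __name__ == "__main__":
    for line_no, reason in c2_hits(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}")
    for path, reason in scan_files("."):
        print(f"{path}: {reason}")
```

Run it against a user's home directory and the JRE temp/working directories on a suspect host; the hostname check is deliberately exact on the label boundary so that look-alike domains do not match, while the port branch separates a mere lookup from a completed callback to port 183.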

Tagged: Kyb3r, RAT, Trojan
Source: https://labsblog.f-secure.com
