AI Security AI安全 4d ago Updated 4d ago 更新于 4天前 42

New Java-Based QuimaRAT MaaS Built to Run on Windows, Linux, and macOS 新型基于Java的QuimaRAT恶意软件即服务支持Windows、Linux和macOS

QuimaRAT is a novel, cross-platform Java-based Remote Access Trojan (RAT) available via a Malware-as-a-Service (MaaS) model, supporting Windows, Linux, and macOS. The malware utilizes a modular architecture with encrypted plugins and leverages Java Native Access (JNA) to interact directly with low-level OS APIs for broad compatibility. It employs sophisticated evasion techniques, including a unique browser-cache staging method to bypass Windows SmartScreen and native execution paths to avoid det QuimaRAT是一款基于Java的跨平台远程访问木马(RAT),支持Windows、Linux和macOS,采用模块化架构并通过加密插件动态扩展功能。 该恶意软件以MaaS模式出售,提供包含构建器、加载器和投弹器的完整工具链,旨在利用系统信任机制绕过SmartScreen等安全防御。 具备强大的持久化能力,通过注册表、计划任务、启动项等多种OS特定方法驻留,并支持Pastebin作为C2服务器更新的动态轮换机制。 拥有74个Windows模块和46个macOS/Linux模块,涵盖命令执行、凭证窃取、屏幕监控等功能,且内置Watchdog组件确保C2连接稳定性。 其交付流程利用浏览器缓存和“

65
Hot 热度
60
Quality 质量
55
Impact 影响力

Analysis 深度分析

TL;DR

  • QuimaRAT is a novel, cross-platform Java-based Remote Access Trojan (RAT) available via a Malware-as-a-Service (MaaS) model, supporting Windows, Linux, and macOS.
  • The malware utilizes a modular architecture with encrypted plugins and leverages Java Native Access (JNA) to interact directly with low-level OS APIs for broad compatibility.
  • It employs sophisticated evasion techniques, including a unique browser-cache staging method to bypass Windows SmartScreen and native execution paths to avoid detection.
  • Persistence mechanisms are highly adapted to each OS, utilizing Registry keys on Windows, crontab/.desktop files on Linux, and LaunchAgents on macOS.
  • The toolset includes a builder, loader, and dropper, offering operators flexible payload delivery options such as fake CAPTCHA pages and software update alerts.

Why It Matters

This development highlights the increasing sophistication of MaaS offerings, where attackers can easily deploy advanced, cross-platform malware without deep technical expertise. The use of Java combined with native libraries demonstrates a growing trend in malware development to leverage legitimate, widely-trusted languages and frameworks to blend in with normal system activity and evade signature-based detection. For security practitioners, this underscores the need for behavioral analysis and heuristic monitoring rather than relying solely on static signatures, especially for tools that mimic legitimate administrative utilities.

Technical Details

  • Architecture and Language: Built as a modular Java project using Apache Maven, incorporating embedded Java Native Access (JNA) libraries to call C/C++ code for direct interaction with OS-specific APIs across Windows, Linux, and macOS.
  • Delivery and Evasion: Features a "Quima Loader" that stages payloads in the browser cache, presenting a clean loader file to the user to bypass SmartScreen. It also includes a "Binder" feature to execute decoy applications alongside the main payload.
  • Persistence Mechanisms: Implements OS-specific persistence strategies: Windows Registry Run keys and Scheduled Tasks; Linux .desktop autostart entries and crontab; macOS LaunchAgent plist files.
  • Command and Control (C2): Communicates via TCP, WebSocket, TLS, or HTTPS. Includes a watchdog component for reconnection and an optional Pastebin-based mechanism for dynamic C2 host rotation without redistributing the payload.
  • Capabilities: Offers 74 Windows modules and 46 macOS/Linux modules, enabling remote command execution, credential theft, file transfer, clipboard manipulation, and webcam surveillance.

Industry Insight

  • Defense-in-Depth for Java Applications: Security teams should enhance monitoring for unusual Java processes, particularly those invoking native libraries or exhibiting network behaviors inconsistent with standard enterprise Java applications.
  • Browser-Based Attack Vectors: The use of browser caching for payload staging represents a significant shift in delivery mechanisms. Endpoint protection solutions must inspect browser cache contents and monitor for suspicious interactions between web sessions and local executable launches.
  • MaaS Proliferation: The availability of such a robust, multi-platform RAT via subscription services lowers the barrier to entry for cybercriminals. Organizations should anticipate a rise in targeted attacks leveraging these tools and ensure their incident response plans account for sophisticated, persistent threats that mimic legitimate administrative activities.

TL;DR

  • QuimaRAT是一款基于Java的跨平台远程访问木马(RAT),支持Windows、Linux和macOS,采用模块化架构并通过加密插件动态扩展功能。
  • 该恶意软件以MaaS模式出售,提供包含构建器、加载器和投弹器的完整工具链,旨在利用系统信任机制绕过SmartScreen等安全防御。
  • 具备强大的持久化能力,通过注册表、计划任务、启动项等多种OS特定方法驻留,并支持Pastebin作为C2服务器更新的动态轮换机制。
  • 拥有74个Windows模块和46个macOS/Linux模块,涵盖命令执行、凭证窃取、屏幕监控等功能,且内置Watchdog组件确保C2连接稳定性。
  • 其交付流程利用浏览器缓存和“干净”的加载器文件,结合伪造的验证码或更新页面诱导用户点击,从而在目标系统上静默执行主载荷。

为什么值得看

QuimaRAT展示了现代恶意软件如何深度集成合法开发框架(如Java/Maven)和系统原生特性来规避检测,为安全研究人员提供了分析高级持续性威胁(APT)和商业化恶意软件的新视角。其利用浏览器缓存和系统信任资源进行免杀交付的技术细节,对于优化端点检测响应(EDR)策略和提升反钓鱼意识具有直接的参考价值。

技术解析

  • 架构与开发栈:基于Apache Maven构建的模块化Java项目,嵌入Java Native Access (JNA) 库以调用C/C++编写的底层操作系统API,实现跨平台(x86/x64/ARM等)的深度交互和性能优化。
  • 免杀与交付机制:Quima Loader允许攻击者上传EXE,生成伪装成合法网页(如CAPTCHA检查)的链接。载荷先存入浏览器缓存,再通过受浏览器信任的小型加载器读取并执行,以此绕过Windows SmartScreen防护。
  • 持久化与进程管理:通过创建临时目录锁文件确保单实例运行;持久化手段覆盖Windows注册表/计划任务、Linux .desktop/crontab及macOS LaunchAgent。支持Binder功能,可同时运行主载荷和欺骗性应用。
  • C2通信与配置:支持TCP、WebSocket、TLS和HTTPS协议,内置Watchdog维持连接。配置文件中解码内部设置用于环境验证,并可选地通过Pastebin动态更新C2地址,无需重新分发恶意软件即可更换基础设施。
  • 功能模块:提供远程命令执行、文件传输、剪贴板监控、摄像头控制及凭证窃取等74+ Windows和46+ macOS/Linux模块,具备完整的远程控制能力。

行业启示

  • 合规与供应链风险:攻击者利用合法的Java生态系统和Maven构建工具降低检测率,表明传统基于代码签名的防御可能失效,需加强对异常行为(如浏览器缓存异常写入、非典型进程链)的检测。
  • MaaS模式的演变:QuimaRAT提供的完整工具链(Builder/Loader/Dropper)降低了网络犯罪门槛,促使安全厂商需关注此类“一站式”黑产服务的交付逻辑,特别是针对Web端和客户端的混合攻击向量。
  • 防御策略调整:鉴于其利用系统信任资源和动态C2轮换的特性,组织应强化对浏览器缓存行为的监控,实施严格的出站流量控制,并定期审查和更新Endpoint Detection and Response (EDR) 规则以识别新型免杀技术。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Research 科学研究