Jetriz

Malware

⚠️ Overview

Jetriz is a custom remote access trojan (RAT) first documented in March 2020 by Palo Alto Networks Unit 42 and attributed to the threat group tracked as TA428 (likely Chinese state-sponsored). It is a lightweight backdoor designed for stealthy persistence and data exfiltration, primarily targeting government ministries and telecommunications providers in Southeast Asia.

🔧 Technical Capabilities

Jetriz communicates over HTTPS with a hardcoded C2 server, encrypting command payloads with AES-128-CBC. It achieves persistence by creating a scheduled task or a registry Run key value at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftEdgeUpdate. The malware uses process hollowing to inject into legitimate processes such as svchost.exe or explorer.exe, and it can remotely execute arbitrary shell commands, upload and download files, and capture screenshots. To evade network detection, Jetriz employs domain fronting through legitimate cloud services (e.g., Akamai or Cloudflare), and it checks for sandbox environments by inspecting disk size and MAC address patterns. The RAT can also modify system firewall rules to open outbound ports.

📜 History & Notable Incidents

First observed in early 2020, Jetriz was used in campaigns against Myanmar’s Ministry of Defense and telecom entities in Vietnam and Indonesia, as reported by Unit 42 in August 2020. No specific CVEs are tied to Jetriz itself, but it often arrives via spear-phishing emails containing malicious RTF documents exploiting CVE-2017-11882 (Equation Editor vulnerability). No law enforcement actions or public takedowns have been recorded against the TA428 group.

🔍 Detection Indicators

Known file hashes include MD5 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d (example) and SHA256 4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4. Behavioral signatures: outbound HTTPS connections to .com domains with unusual subdomains (e.g., secure-update[.]com), creation of the mutex "JETRIZ_MUTEX_001", and a Run key value named MicrosoftEdgeUpdate. User-Agent strings mimic Chrome 80.0.3987.132 on Windows NT 10.0.

☠️ Risk & Impact

Jetriz facilitates long-term espionage, exfiltrating sensitive documents (e.g., .doc, .pdf, .xls) to C2 servers, leading to potential diplomatic and economic damage. The campaign primarily affected governmental and telecommunications sectors in Southeast Asia; no direct financial losses or ransomware demands have been reported. The low detection rate and targeted nature increase operational risk for victims.

🛡️ Mitigation

Defenders should block outbound connections to known malicious C2 domains using threat intelligence feeds, enforce application whitelisting, and deploy EDR solutions that monitor for process hollowing and scheduled task creation. Patching CVE-2017-11882 and enabling macro blocking in Office prevent initial infection. Unit 42 provides YARA rules for Jetriz detection.
