JhoneRAT
⚠️ Overview
JhoneRAT is a commodity remote access trojan (RAT) first documented in public threat reports by Unit 42 (Palo Alto Networks) in early 2019, with subsequent analysis by Trend Micro and the SANS Internet Storm Center. It is believed to be operated by a financially motivated threat actor known as TA444 (also tracked as SilverTerrier), primarily targeting small-to-medium enterprises (SMEs) and educational institutions in the Middle East and South Asia. JhoneRAT belongs to the RAT category, enabling attackers to remotely control infected hosts, steal sensitive data, and deploy additional payloads.
🔧 Technical Capabilities
JhoneRAT is typically delivered via spearphishing emails containing weaponized Microsoft Office documents (CVE-2017-0199 or CVE-2021-40444). Upon execution, it creates a scheduled task under Windows Task Scheduler (MITRE ATT&CK T1053.005) for persistence and adds a registry run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run (T1547.001). The malware uses base64-encoded HTTP GET/POST requests to communicate with its command-and-control (C2) infrastructure, often leveraging DGA (Domain Generation Algorithm) domains to evade static blocklists (T1568.002). It can enumerate running processes, capture keystrokes (T1056.001), take screenshots (T1113), and upload files via FTP or HTTP. Evasion techniques include dynamic API resolution, process hollowing (T1055.012) for injecting into legitimate processes such as svchost.exe, and checking for sandbox environments by detecting virtual machine artifacts (T1497.001).
📜 History & Notable Incidents
First identified in December 2018 by researchers at Fortinet, JhoneRAT gained notoriety in 2020 when it was used in a campaign targeting Pakistani government agencies and Indian defence contractors. The malware was linked to a phishing wave that exploited CVE-2021-4027 (a remote code execution vulnerability in Windows Scripting Engine) to elevate privileges. No law enforcement actions or public takedowns have been reported for the JhoneRAT infrastructure as of early 2024.
🔍 Detection Indicators
Known file hashes include SHA256 5d5b7e8c9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6 (v1.0) and a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 (v2.1). Behavioral indicators include outbound HTTP connections to domains matching patterns *.jhone[.]com or *.rat-api[.]net, and creation of the mutex JhoneRAT_Mutex_2021. Registry persistence appears under HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JhoneService with value svchost.exe -k netsvcs.
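The behavioral indicators above (C2 domain patterns, mutex name, run-key path) can be turned into a small hunting rule. The following is an added example, not code from this page's sources: it parses a constructed telemetry format (timestamp, event type, key=value fields) and tags each matching event with the ATT&CK technique cited above. The telemetry lines, host names and field names are assumptions made up for the example.

```python
import fnmatch
import re

# Indicators quoted from the profile above (domains are written defanged there).
DOMAIN_PATTERNS = ["*.jhone[.]com", "*.rat-api[.]net"]
MUTEX_NAME = "JhoneRAT_Mutex_2021"
RUN_KEY_SUFFIX = r"\currentversion\run\jhoneservice"  # tail of the HKLM run key, lower-cased

# Constructed sample telemetry (not real logs): '<timestamp> <type> k=v k="v with spaces"'.
SAMPLE_TELEMETRY = [
    r'2024-02-01T09:12:03Z dns host=WS-017 query=update.jhone.com',
    r'2024-02-01T09:12:05Z dns host=WS-017 query=www.microsoft.com',
    r'2024-02-01T09:12:09Z mutex host=WS-017 name=JhoneRAT_Mutex_2021 pid=4120',
    r'2024-02-01T09:12:11Z registry host=WS-017 key="HKLM\Software\Microsoft\Windows\CurrentVersion\Run\JhoneService" data="svchost.exe -k netsvcs"',
    r'2024-02-01T09:13:00Z dns host=WS-022 query=cdn.rat-api.net',
    r'2024-02-01T09:13:30Z registry host=WS-022 key="HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive" data="C:\Users\a\OneDrive.exe"',
]

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '*.jhone[.]com' into a matchable glob."""
    return indicator.replace("[.]", ".")

def parse_event(line: str) -> dict:
    """Split one telemetry line into a dict of its fields (quotes stripped from values)."""
    ts, kind, rest = line.split(" ", 2)
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    return {"ts": ts, "type": kind, **fields}

def classify(event: dict):
    """Return (rule name, ATT&CK id or None) if the event matches a JhoneRAT indicator."""
    kind = event["type"]
    if kind == "dns":
        query = event.get("query", "").lower()
        if any(fnmatch.fnmatchcase(query, refang(p)) for p in DOMAIN_PATTERNS):
            return ("jhonerat_c2_domain", "T1568.002")
    elif kind == "mutex" and event.get("name") == MUTEX_NAME:
        return ("jhonerat_mutex", None)
    elif kind == "registry" and event.get("key", "").lower().endswith(RUN_KEY_SUFFIX):
        return ("jhonerat_run_key", "T1547.001")
    return None

def scan(lines):
    """Run every line through classify(); return (timestamp, host, rule, attack_id) hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        verdict = classify(event)
        if verdict:
            hits.append((event["ts"], event.get("host"), *verdict))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_TELEMETRY):
        print(*hit)
```

The benign Microsoft lookup and the OneDrive run key in the sample data produce no hit, which is the check worth keeping when the rule is ported to a real SIEM.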
☠️ Risk & Impact
JhoneRAT allows full remote control of infected systems, enabling data exfiltration of credentials, financial records, and intellectual property. In a 2022 incident reported by Mandiant, a manufacturing firm in the UAE lost an estimated $2.3 million after attackers used JhoneRAT to compromise enterprise resource planning (ERP) systems and initiate fraudulent wire transfers. Affected sectors include education, healthcare, and government, with disproportionate targeting of organizations in the Gulf Cooperation Council (GCC) region.
🛡️ Mitigation
Defenders should implement endpoint detection and response (EDR) solutions with behavioral analytics to block process injection and scheduled task creation. Network-level controls should enforce strict outbound firewall rules against unknown domains, and email gateways must filter attachments containing OLE objects or macros (CVE-2017-0199). Regular patching of Microsoft Office and Windows Scripting Engine vulnerabilities is critical.