JripBot
Malware
⚠️ Overview
JripBot is a remote access trojan (RAT) first documented by Cisco Talos in September 2022. The reporting aggregated here attributes it to a Chinese-speaking threat group tracked as TA444 (also associated with Earth Baku). That attribution is internally inconsistent and should be treated as unverified: TA444 is Proofpoint's designation for a North Korea-aligned cluster, while Earth Baku is Trend Micro's name for an APT41-linked Chinese-speaking group. JripBot functions as a modular backdoor used for initial access, reconnaissance, and lateral movement, primarily against government and manufacturing entities across Southeast Asia.
🔧 Technical Capabilities
JripBot uses HTTP(S) for C2 communications (MITRE ATT&CK T1071.001), exchanging encrypted payloads over the standard ports 80 and 443 so that its traffic blends in with ordinary web browsing. It achieves persistence via a scheduled task (T1053.005) or a registry Run key (T1547.001), and uses process hollowing (T1055.012) to run its shellcode inside a legitimate process such as svchost.exe. Its anti-analysis measures include API hooking and sandbox checks for common analysis artifacts (T1497.001), with the debugger-artifact checks catalogued separately in ATT&CK as T1622. For lateral movement it authenticates to SMB admin shares with hardcoded credentials (T1021.002) and exploits unpatched SMBv1 servers with EternalBlue (CVE-2017-0144, one of the SMBv1 flaws fixed by MS17-010; T1210). JripBot also downloads and executes secondary payloads, such as Cobalt Strike beacons, to expand the intruder's foothold.
📜 History & Notable Incidents
The first known JripBot campaign was identified in early 2022, targeting electric utility firms in Vietnam and Thailand. A major incident in October 2022 involved the compromise of a government contractor in the Philippines, where JripBot was used to exfiltrate employee credential databases. No public law enforcement actions have been reported against the group as of 2023.
🔍 Detection Indicators
Published file hashes are SHA256 3f8a2d9e1b4c6a7f5e0d8c9b2a1f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a and MD5 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d. Both should be confirmed against the original report before they are loaded into a blocklist: the SHA256 value as published is only 62 hexadecimal characters long, so it cannot be a valid SHA-256 digest (which has 64), and the MD5 value is a strictly repeating 1a2b3c...f sequence of the kind typically used as placeholder data. Behavioral signatures include outbound connections on port 443 to addresses in 103.235.x.x and the creation of the mutex JripBot_Mutex at startup. Host artifacts include the registry value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JripUpdater and the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) / AppleWebKit/537.36 JripBot/1.0; the JripBot/1.0 token does not occur in any legitimate browser User-Agent, so a match on it is a high-confidence indicator, whereas the 103.235.x.x range on its own is only a weak signal and needs corroboration.
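The following triage script is an added example and is not code from Cisco Talos, Boteraser or any JripBot report. It reproduces the indicators above verbatim, shows why the published SHA256 fails a basic well-formedness check, and then runs the network and registry indicators over constructed sample data: a few proxy log lines in an assumed `<timestamp> <src> <dst>:<port> "<user-agent>"` layout and a `reg query`-style dump of the HKCU Run key. The reading of "103.235.x.x" as the whole 103.235.0.0/16 network is an assumption, as are all hostnames, paths and timestamps in the samples.

```python
"""Triage helper for the JripBot indicators listed above.

Added example (not code from Cisco Talos, Boteraser or any JripBot report).
The proxy log lines and reg.exe output below are constructed for illustration;
the indicator values are the ones published on this page, copied verbatim.
"""
import ipaddress
import re
from typing import List, Optional

# Indicators as published (verbatim, including the malformed SHA256).
IOC_SHA256 = "3f8a2d9e1b4c6a7f5e0d8c9b2a1f3e4d5c6b7a8f9e0d1c2b3a4f5e6d7c8b9a"
IOC_MD5 = "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d"
IOC_RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JripUpdater"
IOC_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) / AppleWebKit/537.36 JripBot/1.0"
IOC_C2_NET = ipaddress.ip_network("103.235.0.0/16")   # assumption: "103.235.x.x" = the /16
IOC_C2_PORT = 443

HEX_DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}


def hash_is_well_formed(value: str, algo: str) -> bool:
    """True only if `value` is all-hex and exactly the digest length for `algo`.
    Catches truncated or padded hashes before they reach a blocklist."""
    return (len(value) == HEX_DIGEST_LEN[algo]
            and re.fullmatch(r"[0-9a-fA-F]+", value) is not None)


# Constructed proxy log, one request per line: <ts> <src> <dst>:<port> "<user-agent>"
SAMPLE_PROXY_LOG = """\
2022-10-03T08:12:01Z 10.20.5.17 103.235.44.9:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) / AppleWebKit/537.36 JripBot/1.0"
2022-10-03T08:12:05Z 10.20.5.17 203.0.113.5:443 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.0.0 Safari/537.36"
2022-10-03T08:13:40Z 10.20.5.22 103.235.12.200:443 "Microsoft-CryptoAPI/10.0"
2022-10-03T08:14:02Z 10.20.5.22 103.235.12.200:80 "curl/7.83.1"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) ([^:\s]+):(\d+) "([^"]*)"$')


def match_proxy_line(line: str) -> Optional[dict]:
    """Return a hit record if one proxy line matches the network indicators, else None.

    Two independent signals are checked: destination inside the published range on
    port 443, and the exact JripBot User-Agent. Either alone produces a hit; the
    `reasons` list records which fired so an analyst can rank the hits.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, port, ua = m.groups()
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:            # destination logged as a hostname; not judged here
        return None
    reasons = []
    if dst_ip in IOC_C2_NET and int(port) == IOC_C2_PORT:
        reasons.append("dst in 103.235.0.0/16:443")
    if ua == IOC_USER_AGENT:
        reasons.append("JripBot User-Agent")
    if not reasons:
        return None
    return {"ts": ts, "src": src, "dst": f"{dst}:{port}", "reasons": reasons}


def scan_proxy_log(text: str) -> List[dict]:
    """Run match_proxy_line over every non-empty line and keep the hits, in order."""
    hits = [match_proxy_line(l) for l in text.splitlines() if l.strip()]
    return [h for h in hits if h]


# Constructed `reg query HKCU\...\Run` output: an unindented key header followed by
# indented "<name>    <type>    <data>" rows separated by runs of spaces, as reg.exe prints.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    JripUpdater    REG_SZ    C:\Users\Public\Libraries\jripupd.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
"""


def _norm_reg_path(path: str) -> str:
    """Lower-case and expand the HKCU abbreviation so both spellings compare equal."""
    p = path.strip().lower()
    if p.startswith("hkcu\\"):
        p = "hkey_current_user\\" + p[len("hkcu\\"):]
    return p


def find_run_key(reg_output: str, wanted: str = IOC_RUN_KEY) -> List[str]:
    """Return every key\\value path in reg.exe output that equals the IOC path."""
    wanted_norm = _norm_reg_path(wanted)
    hits, current_key = [], None
    for raw in reg_output.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                      # unindented line = key header
            current_key = raw.strip()
            continue
        if current_key is None:
            continue
        name = re.split(r"\s{2,}", raw.strip())[0]    # value name is the first column
        full = current_key + "\\" + name
        if _norm_reg_path(full) == wanted_norm:
            hits.append(full)
    return hits


if __name__ == "__main__":
    print("sha256 well-formed:", hash_is_well_formed(IOC_SHA256, "sha256"))   # False
    print("md5 well-formed:   ", hash_is_well_formed(IOC_MD5, "md5"))         # True
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("C2 hit:", hit)
    print("Run key hits:", find_run_key(SAMPLE_REG_QUERY))
```

Note that the two hits the sample produces are not equal: the first line fires on both the destination range and the exact User-Agent, the third only on the range, and its `Microsoft-CryptoAPI/10.0` agent is consistent with an ordinary certificate-revocation lookup. Ranking on `reasons` rather than treating every match as an alert is what keeps the weak 103.235.x.x indicator from flooding the queue.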
☠️ Risk & Impact
JripBot enables full system compromise, including exfiltration of sensitive documents, keystroke logging, and credential theft. Affected sectors include energy, government, and manufacturing; the aggregated reporting puts average financial losses per incident at an estimated $1.2 million, citing Talos and Unit 42 post-incident assessments. Long-term risks include a pivot to ransomware deployment or continued espionage using the stolen credentials.
🛡️ Mitigation
Defenders should apply Microsoft security bulletin MS17-010 and disable SMBv1 wherever it is not required, which closes the EternalBlue vector; deploy endpoint detection rules (the reporting cites a Sigma rule, proc_creation_win_jripbot.yml) for the JripBot_Mutex mutex and the JripUpdater Run key, bearing in mind that a process-creation rule will not see those two artifacts by itself and that registry-set and mutex telemetry from Sysmon or the EDR is what exposes them; and segment networks so that SMB lateral movement cannot reach beyond the initially compromised segment. Regular credential rotation and multi-factor authentication limit the impact of credential theft and also neutralise the hardcoded credentials JripBot relies on for SMB lateral movement, since those only remain useful while the accounts they belong to stay valid.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.