In the cybersecurity realm, the Remote Access Trojan (RAT) was considered among the highlights of 2019. And researchers say that this threat will continue to gain popularity and traction this year. According to reports, the actors that are behind the rise of RATs in 2019 include TA505, which is notorious for introducing the FlawedGrace RAT and the ServHelper backdoor.
Now, computer users are being warned of JhoneRAT, a new RAT that is being distributed today as part of active campaigns. Researchers say that it was first introduced in November 2019. Since then, it has been attacking victims in the Middle East, with evidence showing that attackers are taking measures to ensure it reaches Arabic-speaking victims.
Among the countries that are targeted by the JhoneRAT malware are Algeria, Egypt, Kuwait, Libya, Oman, Syria, UAE, Yemen, Tunisia, Saudi Arabia, Morocco, Lebanon, Iraq, and Bahrain.
But what exactly is JhoneRAT, and what dangers does it bring?
What Is the JhoneRAT Malware?
JhoneRAT is a malware entity that disguises itself as Microsoft Office documents. The creators made sure that the program is able to choose its victims by checking the layout of their keyboards. Once downloaded, it will initiate the download of other programs with malware and collect as much information as it can get from the victim’s computer.
Victims of the malware say that attackers distribute JhoneRAT through malicious Microsoft Office documents. These documents are designed to download and open more documents that contain built-in macros.
These documents are often named as follows:
- Urgent.docx – This is the initial document that asks users to enable editing in English and Arabic.
- Fb.docx – This is the document that contains information gathered from a user.
- A blurred-out document that allegedly comes from an organization in the UAE – This document asks the victim to enable editing for him/her to be able to read the content.
Once the victim enables editing, the malware goes to work. This malicious entity runs three threads. The first one checks if the keyboard layout of the victim is Arabic. The next one prevents the victim from removing the malware. And the last one allows the malware to launch and begin its activities.
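The document chain described above can be triaged without opening the file in Office. The following is an added example, not code from the researchers or from this article's author: it lists the outside resources a .docx declares and any embedded macro project. It assumes the first document pulls the next one through an external OOXML relationship, which the article does not specify; the function names, sample builder and example.invalid URLs are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
MAX_PART = 1_000_000  # skip oversized parts instead of inflating them

def triage_docx(data: bytes) -> dict:
    """List external relationship targets and VBA macro parts in an OOXML file."""
    found = {"external_targets": [], "macro_parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # vbaProject.bin is the part Office uses to store VBA macro code.
            if name.lower().endswith("vbaproject.bin"):
                found["macro_parts"].append(name)
            # .rels parts declare every resource the document links to.
            if name.endswith(".rels") and info.file_size <= MAX_PART:
                root = ET.fromstring(zf.read(name))
                for rel in root.iter(REL_NS + "Relationship"):
                    if rel.get("TargetMode") == "External":
                        kind = rel.get("Type", "").rsplit("/", 1)[-1]
                        found["external_targets"].append((kind, rel.get("Target")))
    return found

def needs_review(found: dict) -> bool:
    # Plain hyperlinks are normal; any other externally loaded part, or macros, is not.
    remote = [t for t in found["external_targets"] if t[0] != "hyperlink"]
    return bool(remote or found["macro_parts"])

def build_sample(rel_type: str, target: str, with_macro: bool = False) -> bytes:
    """Build a constructed, minimal OOXML-like ZIP for the demo (not a real sample)."""
    base = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    rels = (f'<Relationships xmlns="{REL_NS[1:-1]}"><Relationship Id="rId1" '
            f'Type="{base}{rel_type}" Target="{target}" TargetMode="External"/>'
            "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed inputs; example.invalid is a reserved, non-resolving domain.
    remote = triage_docx(build_sample("attachedTemplate", "https://example.invalid/t.dotm"))
    benign = triage_docx(build_sample("hyperlink", "https://example.invalid/page"))
    print(remote, needs_review(remote))
    print(benign, needs_review(benign))
```

When scanning untrusted attachments in bulk, parse the XML with the defusedxml package instead of the standard-library parser.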
The Dangers of the JhoneRAT Malware
Cybercriminals designed the JhoneRAT malware to do the following:
- take screenshots on a victim’s computer and send them to image hosting websites;
- download and execute files disguised as images;
- steal personal information like credit card details, passwords, and other credentials;
- infect systems with more malware entities.
Victims have reportedly encountered various problems with JhoneRAT on their systems. While some had issues with identity theft, others lost significant amounts of money and data. Well, it’s obvious that the goal of creating the JhoneRAT malware is to generate more revenue.
How the JhoneRAT Malware Is Acquired
The malware gets installed when a user opens malicious Microsoft Office documents with macro commands enabled. More often than not, these documents are spread as email attachments sent to random people.
Unfortunately, spammy email campaigns aren’t the only means of spreading such malware. It can also be sent through suspicious software downloads, unofficial activation tools, and fake apps.
Is Your Computer Infected by the Malware?
The JhoneRAT malware often goes undetected. You’ll only know that your computer is infected once you notice these signs:
- Modified system files
- Corrupted or broken data
- More malware installed on your computer
- Weakened computer security
- Poor computer performance
How to Remove the JhoneRAT Malware
If, unluckily, your computer is infected with the JhoneRAT malware, here are some solutions you can try:
Method #1: Delete the malware manually
Manually removing the malware is not an easy task. But if you wish to do so, the first step you should take is to identify the name of the malware.
As you’ve read above, the malware arrives as a series of Microsoft Office documents. Once you have identified them, you can proceed with the following steps:
- Locate the suspicious files in the auto-start apps, registry, and system file folders.
- Delete them.
Method #2: Reboot your computer in Safe Mode
Rebooting your computer in Safe Mode may do the trick and remove the malware. Here’s how:
- Press the Windows button.
- Hold the Shift key and select Restart.
- Select Troubleshoot.
- Choose Advanced Options.
- Click Start-up Settings and select Restart.
- At this point, several boot options are displayed. Choose Safe Mode.
- Windows will now reboot in Safe Mode.
Method #3: Uninstall the JhoneRAT malware using Control Panel
You can also use the Control Panel to remove the stubborn malware. Just follow these steps:
- Press the Windows + R shortcut to open the Run utility.
- Into the text field, input appwiz.cpl.
- Hit Enter to open Control Panel.
- Next, look for any JhoneRAT-related files or entities and uninstall them immediately.
Method #4: Seek help from professionals
Because this is a relatively new malware entity, we suggest that you ask for help from professionals. For sure, they are well aware of this threat and already know what to do with computers infected with it.
If your computer is still under warranty, just bring it to the nearest service center and let the technicians fix the problem. Otherwise, you may contact Microsoft’s official support team.
How to Protect Your Computer from the JhoneRAT Malware
There are many ways to prevent the JhoneRAT malware from infecting your computer. However, the first and the best course of action you should take is not to open any documents that are attached to random emails. This is especially true if such an email comes from an unknown email address. Just ignore the email and leave the attachments unopened.
Also, make sure that you download files and programs from official and trustworthy sources only. In the event that an app update is needed, visit the developer’s website for instructions or use legit download tools that have been designed by official and known developers.
Optimize your system performance as well by deleting any unnecessary and junk files. For this, you can download and install a PC repair tool, run a quick scan, and delete files as needed.
Most importantly, scan your system regularly for threats. Use trusted anti-malware and antivirus software to remove potential threats as soon as possible.
At this point, we can never really tell the severity of damage the JhoneRAT malware can do. However, don’t wait until you encounter the malware yourself. Take the necessary actions to prevent it from wreaking havoc on your computer. If you suspect that the malware has already successfully infiltrated your system, try the solutions above and work your way down. If all else fails, seek help from professionals.