This is far from the first time the malware has changed its name and become active again. It was first detected in January 2012, when it went by the name Frutas RAT. It then reappeared in January 2013 as the Adwind RAT.
The threat was later renamed Unrecom RAT in February 2014, AlienSpy in October 2014, and JSocket RAT in June 2015, Softpedia points out.
JSocket RAT was unraveled by Kaspersky in February 2016 in a very long and detailed report. Not surprisingly, the RAT’s operation was shut down shortly after the report was published. The RAT’s operators, however, appear to be restless: Fortinet researchers recently revealed that the threat was revived once more in May 2016, this time under the name JBifrost RAT.
A Look into JBifrost’s Latest Campaign
The Fortinet team is certain that JBifrost is a rebranded Adwind RAT with a new GUI and a few new features.
Unlike previous variants, whose code any interested party could get hold of, the updated JBifrost can no longer be freely bought. Potential cyber criminals now need an invitation code to register on its website and eventually buy the RAT.
JBifrost Is Now Being Sold for $45 for a Month
The fee for a subscription and renewal is $40. This is not the only notable change in the RAT. The way cyber criminals collect the money has also changed: previously, payments via PerfectMoney, CoinPayments, Advcash, EntroMoney, and Bitcoin were accepted. Now, Bitcoin is the only remaining payment method.
According to Fortinet, JBifrost has been downloaded from its homepage 1,566 times. It’s also been detected in live malware distribution campaigns:
Based on our findings, it is clear that Adwind perpetrators intend to stay in business by simply rebranding their RAT whenever they appear in the news. They do so by migrating their current subscribers’ accounts to a new website. They also appear to be more cautious since their website is only accessible to invited users, and they are using Bitcoin as their only mode of payment.
Researchers also confirm that JBifrost RAT is currently being utilized in active attacks, including attacks related to business email compromise (BEC) schemes.