The current threat landscape is often driven by web-based malware and exploit kits that are regularly updated with newly found vulnerabilities. Recently, we received an interesting malware binary–a JAR package that opens a back door for an attacker to execute commands and acts as a bot after infection.
This archive does not exploit any Java vulnerability. It was chosen as the infection vector because Java applications can run on multiple platforms with ease; thus this method widens the infection to a greater number of users. We have seen this type of attack in the past using executable files.
The key to decrypt the config file was encrypted with Base 64 [see Figure 2]. Decoding it, we end up with the hex bytes. Further converting the hex bytes to ASCII, we get the decryption key [see Figure 3] to decrypt the config.dat file.
Figure 2: Base 64-encoded key file.
Figure 3: Decryption key to the “config.dat” file.
With the decryption key, we saw that the config.dat file is encrypted using the Triple-DES algorithm. Executing the Triple-DES snippet gave us the plain config file, which holds the information about the backdoor connection. That data includes IP address, port number, operating system, mutex information, and password for the connection [see Figure 4].
Figure 4: Plain config file.
On execution, the JAR file opens the backdoor connection to the IP address and the port mentioned in the plain config file. Once the backdoor connection is made, the compromised user environment will act as the server and the attacker will be the client. The attacker can now take control of the victim’s system and can execute any commands. We found that these types of malicious JAR files can be built from a remote administration tool that is readily available online. Using the tool, anyone can build the malicious JAR package.
Figure 5: Server build dashboard.
Figure 5 shows the dashboard to build the server binary, which is later sent to innocent users. The dashboard makes clear what a binary built using this tool can do. Here are some of the activities:
- Set the encryption key to encrypt key.dat, which is used to encrypt the plain config file
- Set the IP address and port number through which the back door will be opened
- Start the server component on every reboot so that the file will run every time
- The malicious file can be bundled with a legitimate file and can be dropped and executed in the background, without the user consent
- Select the operating system to target
- Copy itself to all available drives on the system
Once the system is compromised, it will act as a bot through which the attacker can execute commands to control the system. The actions and others can be performed by the attacker:
- Record the user screen
- Record keystrokes
- Access the file system
- Access the command prompt
- Download and execute binary files
- Trigger DDoS using HTTP POST and GET requests
- Shut down/restart/lock/log out of the system
Our research found that this JAR package was sent as an attachment in a spam email.
Figure 6: Malware sent as attachment in a spam email.
We detect all malicious JAR packages related to this threat as JV/BackDoor-FAZY. It is always good practice to scan any email attachment with an up-to-date antimalware product.
Here is a simple demonstration of how this malware binary can be used by an attacker to execute commands on an infected system:
I would like to thank my friend and colleague Rajesh Natraj Kumar Pillai for his input and assistance with this analysis.