For malware authors and attackers, the ideal malware is that which works on as many platforms as possible. As Java is used in a wide variety of computing platforms, it stands to reason that applications written in Java make the perfect malware delivery method.
McAfee Labs researchers have recently shared details about a seemingly ordinary piece of malware whose analysis reveals some interesting things.
The malware is question is a Java-based bot whose ultimate goal is to open a backdoor on the target computer and let attackers in through it to snoop. It also allows them to record the user screen, keystrokes, access the command prompt, download and execute binary files, and more. In this attack, the compromised user environment acts as the server and the attacker as the client.
The malicious Java Archive Package (.jar) is delivered via an email that simply says: “Dear all, Updated G20_contact_list.” It’s obvious by the contents of the email and the nature of the delivered malware that this is a spear phishing email targeting government employees or those in political organizations.
The name of the file uses the same wording and is made to look like an .xls file at first glance.
The package holds an encrypted key file that decrypts an encrypted configuration file, which contains information and instructions for opening a backdoor and contacting a specific IP address and port, and another Java class file executes the action:
The good-to-note thing is that you don’t have to be a state-sponsored hacker to create such files.
“We found that these types of malicious JAR files can be built from a remote administration tool that is readily available online. Using the tool, anyone can build the malicious JAR package,” points out malware researcher Arun Sabapathy.
The malware creator simply goes through a list and checks the attributes he or she wants the server binary to have, including things like which operating system to target, whether the malicious file will be bundled with a legitimate file, and so on.