Java Back Door Acts as Bot

The current threat landscape is often driven by web-based malware and exploit kits that are regularly updated with newly found vulnerabilities. Recently, we received an interesting malware binary: a JAR package that opens a back door through which an attacker can execute commands, and that acts as a bot after infection.

This archive does not exploit any Java vulnerability. It was chosen as the infection vector because Java applications run on multiple platforms with little effort, which widens the pool of potential victims. We have seen the same approach in the past using native executable files.

[Figure 1: Infection flow]

The key used to decrypt the config file is stored Base64-encoded in the key file [see Figure 2]. Base64 is an encoding, not encryption, so recovering the key needs no secret: decoding the Base64 text yields a string of hex digits, and converting those hex bytes to ASCII gives the decryption key for the config.dat file [see Figure 3].


Figure 2: Base 64-encoded key file.


Figure 3: Decryption key to the “config.dat” file.


Armed with the key, we found that config.dat is encrypted with the Triple-DES algorithm. Running a short Triple-DES decryption routine with that key gave us the plaintext config, which holds the parameters of the backdoor connection: the IP address and port to connect to, the target operating system, the mutex name, and the password for the connection [see Figure 4].


Figure 4: Plain config file.
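As an added worked example (not code from the sample and not the snippet used in the analysis), the following Go program performs the two steps described above: it unwraps the key file's Base64-then-hex layering and then decrypts a config.dat blob with Triple-DES. The cipher mode is an assumption: the post does not name it, so the code uses ECB with PKCS#5 padding, which is what Java's Cipher.getInstance("DESede") selects by default. The key string, the config plaintext and both file contents are constructed here so the program runs offline; the real field layout from Figure 4 is not reproduced.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
)

// RecoverKey undoes the two layers the post describes: key.dat holds Base64
// text, decoding it gives a string of hex digits, and decoding the hex gives
// the ASCII Triple-DES key.
func RecoverKey(keyDat []byte) ([]byte, error) {
	hexText, err := base64.StdEncoding.DecodeString(string(bytes.TrimSpace(keyDat)))
	if err != nil {
		return nil, fmt.Errorf("key.dat is not valid Base64: %w", err)
	}
	key, err := hex.DecodeString(string(bytes.TrimSpace(hexText)))
	if err != nil {
		return nil, fmt.Errorf("decoded key.dat is not hex: %w", err)
	}
	if len(key) != 24 {
		return nil, fmt.Errorf("expected a 24-byte Triple-DES key, got %d bytes", len(key))
	}
	return key, nil
}

// DecryptConfig decrypts config.dat with Triple-DES in ECB mode and removes
// PKCS#5 padding. ECB/PKCS5Padding is an assumption: the post does not name
// the mode, and it is the default Java picks for Cipher.getInstance("DESede").
func DecryptConfig(key, configDat []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(configDat) == 0 || len(configDat)%bs != 0 {
		return nil, errors.New("config.dat length is not a multiple of the block size")
	}
	plain := make([]byte, len(configDat))
	for i := 0; i < len(configDat); i += bs {
		block.Decrypt(plain[i:i+bs], configDat[i:i+bs])
	}
	return unpad(plain, bs)
}

// unpad validates and strips PKCS#5 padding; a failure here usually means the
// wrong key, mode or padding scheme was assumed.
func unpad(b []byte, bs int) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > bs || n > len(b) {
		return nil, errors.New("bad PKCS#5 padding")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad PKCS#5 padding")
		}
	}
	return b[:len(b)-n], nil
}

// --- Constructed sample data (not taken from the malware) so the program runs offline ---

// sampleKeyASCII is a made-up 24-character key standing in for the one in Figure 3.
const sampleKeyASCII = "AnalystSampleKey24Bytes!"

// buildSampleKeyDat produces key.dat the way the builder would: hex-encode the
// ASCII key, then Base64-encode the hex string.
func buildSampleKeyDat() []byte {
	hexText := hex.EncodeToString([]byte(sampleKeyASCII))
	return []byte(base64.StdEncoding.EncodeToString([]byte(hexText)))
}

// encryptConfig is the inverse of DecryptConfig, used only to fabricate a
// config.dat for the demonstration.
func encryptConfig(key, plain []byte) []byte {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		panic(err)
	}
	bs := block.BlockSize()
	n := bs - len(plain)%bs
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	for i := 0; i < len(padded); i += bs {
		block.Encrypt(out[i:i+bs], padded[i:i+bs])
	}
	return out
}

func main() {
	// Made-up plaintext; it does not reproduce the real field layout of Figure 4.
	sampleConfig := []byte("ip=192.0.2.10;port=1604;os=Windows;mutex=demo;password=demo")

	key, err := RecoverKey(buildSampleKeyDat())
	if err != nil {
		panic(err)
	}
	configDat := encryptConfig(key, sampleConfig)

	plain, err := DecryptConfig(key, configDat)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered key: %q\nplain config: %s\n", key, plain)
}
```

With a real sample, feed the bytes of key.dat and config.dat to RecoverKey and DecryptConfig in place of the constructed inputs. A padding error on decryption is the usual sign that the key, the mode or the padding scheme differs from what was assumed, and a key that is not 24 bytes long means the builder is using something other than standard three-key DESede.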

On execution, the JAR file opens the backdoor connection to the IP address and port listed in the plaintext config. In this tool's terminology the compromised machine is the "server" and the attacker's controller is the "client"; once the connection is established, the attacker can take control of the victim's system and execute arbitrary commands. We found that malicious JAR files of this kind are built with a remote administration tool (RAT) that is readily available online; using its builder, anyone can produce the malicious JAR package.


Figure 5: Server build dashboard.

Figure 5 shows the dashboard used to build the server binary, which is later sent to unsuspecting users. The dashboard makes clear what a binary built with this tool can do. Among the build options:

  • Set the encryption key, stored in key.dat, that is used to encrypt the plain config file
  • Set the IP address and port number over which the back door will be opened
  • Run the server component on every reboot so that the implant persists
  • Bundle the malicious file with a legitimate file so that it is dropped and executed in the background without the user's consent
  • Select the operating system to target
  • Copy itself to all available drives on the system

Once the system is compromised, it acts as a bot through which the attacker executes commands to control it. Among the actions available to the attacker:

  • Record the user's screen
  • Record keystrokes
  • Access the file system
  • Access the command prompt
  • Download and execute binary files
  • Launch DDoS floods using HTTP POST and GET requests
  • Shut down, restart, lock, or log out of the system

Our research found that this JAR package was sent as an attachment in a spam email.


Figure 6: Malware sent as attachment in a spam email.

We detect all malicious JAR packages related to this threat as JV/BackDoor-FAZY. It is always good practice to scan any email attachment with an up-to-date antimalware product.


Here is a simple demonstration of how this malware binary can be used by an attacker to execute commands on an infected system:

[Embedded video: demonstration of command execution on an infected system]

I would like to thank my friend and colleague Rajesh Natraj Kumar Pillai for his input and assistance with this analysis.