A Cross-platform Java-bot

Early this year, we received a malicious Java application for analysis, which turned out to be a multi-platform bot capable of running on Windows, Mac OS and Linux. The bot was written entirely in Java. The attackers used vulnerability CVE-2013-2465 to infect users with the malware.

Initializing and decrypting strings

To make analyzing and detecting the malware more difficult, its developers used the Zelix Klassmaster obfuscator. In addition to obfuscating bytecode, Zelix encrypts string constants. Zelix generates a different key for each class – which means that in order to decrypt all the strings in the application, you have to analyze all the classes in order to find the decryption keys.

String initialization and decryption is implemented in the static initializer code (<clinit>).

Encrypted string initialization

The algorithm is as follows: take the current index of an encrypted character in the string, calculate the remainder from its division by 5 and choose the current key depending on the result. Next, identify the decrypted character by performing module 2 bitwise addition with the key selected.

String decryption

For a specific case, the decryption algorithm looks as follows:

Python implementation of the decryption algorithm

The launch

When launched, the bot copies itself into the user’s home directory and sets itself to run at system startup. Depending on the platform on which the bot has been launched, the following method is used for adding it to autostart programs:

  1. For Windows – HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun
  2. Mac OS – the standard Mac OS service launchd is used
  3. For Linux – /etc/init.d/

The bot’s body contains an encrypted configuration file for the launchd service.

Decrypted configuration file for the launchd service

After launching and setting itself to run at system startup, the bot needs to report this to its owners. To provide a means of identifying each bot, a unique bot identifier is generated on each user machine. The identifier is saved to the file jsuid.dat in the user’s home directory.

Contents of jsuid.dat

Controlling the bot

The bot is controlled via the IRC protocol. This leads us to one more curious feature of this malware – it uses the PircBot open framework to implement communication via IRC. The malware includes all the classes needed for the purpose.

After launching, the malware initiates connection to an IRC server.

Connecting to an IRC server

After successfully establishing a connection, the bot joins a predefined channel and waits for the attackers’ commands:

Joining an IRC channel

Main functionality

The bot is designed to conduct DDoS attacks from infected user machines.

The bot supports two flood types:

  • HTTP
  • UDP

Which attack type is to be used is specified by an attacker in the IRC channel for zombie machines. In addition, the following parameters are specified:

  • Address of the computer to be attacked
  • Port number
  • Attack duration
  • Number of threads to be used in the attack

Generating headers during an HTTP flood attack

The User-Agent value to be inserted into an HTTP request is selected randomly from a list stored in the bot’s body in encrypted form.

Decrypted list of User Agent values supported by the bot

When analyzing the malware, we detected an attempt to attack a bulk email service.

Command to launch an attack

Kaspersky Lab detects this malware as HEUR:Backdoor.Java.Agent.a.

We would like to thank Zoltan Balazs, CTO at MRG Effitas, for sharing a sample of the malware with us.

A Cross-platform Java-bot

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox