Incidents

Encrypted Java Archive Trojan bankers from Brazil

I have never bought a PlayStation and neither has my colleague Micha-san from Japan – well, in his case, at least not from Brazil. Nonetheless, we both received the same email notification:

208216073

In this instance cybercriminals from Brazil have used a new, yet very strange technique – spreading Trojan bankers via .Jar files. I say strange because even if you just click on a .jar file, it won’t run unless you type “java -jar filename.jar” in the console; however this did not stop Brazilian cybercriminals and they even managed to spoof our email traps in Japan!

Let’s take a look inside one such Brazilian Java Archive banker. The very first detection on VT 2014-02-01 13:18:57   0/50

After uncompressing and then disassembling, you will see the code
encrypted with a substation cipher. This is how the code looks like
before it’s decrypted:

encrypted_java_1
The substation cypher routine is embedded into the code and this is
an example of how  it works:

encrypted_java_2
The complete table of substituted chars is this:

encrypted_java_3
After decryption, the same code looks like this:

encrypted_java_4
This small 14Kb .jar banker works as a downloader and is detected by
Kaspersky Anti-Virus as Trojan.Java.Agent.da

Once it infects a victim’s machine, it creates a fake Google Chrome
folder where it stores the newly downloaded banker from the
mentioned URL. It also sends the victim’s PC information to a remote
server, which is already down.

Why have cybercriminals from Brazil now switched from Delphi to
Java? Perhaps this is a new generation of cybercriminals who no
longer receive Delphi classes.

You may follow me on twitter: @dimitribest

Encrypted Java Archive Trojan bankers from Brazil

Your email address will not be published. Required fields are marked *

 

Reports

APT trends report Q3 2024

The report features the most significant developments relating to APT groups in Q3 2024, including hacktivist activity, new APT tools and campaigns.

Subscribe to our weekly e-mails

The hottest research right in your inbox