Incidents

Encrypted Java Archive Trojan bankers from Brazil

I have never bought a PlayStation and neither has my colleague Micha-san from Japan – well, in his case, at least not from Brazil. Nonetheless, we both received the same email notification:

208216073

In this instance cybercriminals from Brazil have used a new, yet very strange technique – spreading Trojan bankers via .Jar files. I say strange because even if you just click on a .jar file, it won’t run unless you type “java -jar filename.jar” in the console; however this did not stop Brazilian cybercriminals and they even managed to spoof our email traps in Japan!

Let’s take a look inside one such Brazilian Java Archive banker. The very first detection on VT 2014-02-01 13:18:57   0/50

After uncompressing and then disassembling, you will see the code
encrypted with a substation cipher. This is how the code looks like
before it’s decrypted:

encrypted_java_1
The substation cypher routine is embedded into the code and this is
an example of how  it works:

encrypted_java_2
The complete table of substituted chars is this:

encrypted_java_3
After decryption, the same code looks like this:

encrypted_java_4
This small 14Kb .jar banker works as a downloader and is detected by
Kaspersky Anti-Virus as Trojan.Java.Agent.da

Once it infects a victim’s machine, it creates a fake Google Chrome
folder where it stores the newly downloaded banker from the
mentioned URL. It also sends the victim’s PC information to a remote
server, which is already down.

Why have cybercriminals from Brazil now switched from Delphi to
Java? Perhaps this is a new generation of cybercriminals who no
longer receive Delphi classes.

You may follow me on twitter: @dimitribest

Encrypted Java Archive Trojan bankers from Brazil

Your email address will not be published. Required fields are marked *

 

Reports

Focus on DroxiDat/SystemBC

An unknown actor targeted an electric utility in southern Africa with Cobalt Strike beacons and DroxiDat, a new variant of the SystemBC payload. We speculate that this incident was in the initial stages of a ransomware attack.

APT trends report Q2 2023

This is our latest summary of the significant events and findings, focusing on activities that we observed during Q2 2023.

Meet the GoldenJackal APT group. Don’t expect any howls

GoldenJackal is an APT group, active since 2019, that usually targets government and diplomatic entities in the Middle East and South Asia. The main feature of this group is a specific toolset of .NET malware, JackalControl, JackalWorm, JackalSteal, JackalPerInfo and JackalScreenWatcher.

Subscribe to our weekly e-mails

The hottest research right in your inbox