Java Malware Reconsidered, or, Java Brews a Fresh Bot of Malware

At Virus Bulletin 2011, we presented on the exploding level of delivered Java exploits this year with “Firing the roast – Java is heating up again”. We examined CVE-2010-0840 exploitation in detail, along with variants of its most common implementation on the web and some tools and tips for analysis. Microsoft’s security team presented findings for 2011 that mirrored ours in relation to Java exploit prevalence on the web – it is #1! At the same time, aside from the recent, well-known BEAST Java implementation, it is striking that it has been very uncommon to see Java backdoors, Trojans and spyware. But that lack of Java malware variety is beginning to change. My colleague, malware analyst Roman Unucheck, identified a new Java bot with some interesting characteristics that we named “Backdoor.Java.Racac”.

Our “Backdoor.Java.Racac” detection is delivered to the field, but no one shows a detection on Virustotal at this point (another upload wouuld remedy that). What makes this fresh Java sample interesting is its contemporary functionality set:

  1. Mobile Twitter Communications
  2. Effective encryption implementation – algorithms include private and public key use, cipher block chaining
  3. Exhaustive list of DDoS capabilities – HTTP Flooder, UDP Flooders, Raw Socket Flooder along with exhaustive SOCKS proxy capabilities to hide the true source of the bot infection
  4. Geolocation tracking and reporting
  5. Download and execute arbitrary code
  6. Ability to identify automated analysis tools and kill itself to delay family detection
  7. Proper AWT implementation of cross platform screenshotting
  8. Full cross platform portability – runs on Windows, Linux, Apple OS X
  9. Etc

This object oriented code is well developed and its style clear. The jar file itself is only 131 kb, which makes this java bot a size comparable to other common bots and RATs infecting victim systems. With samples like these, we can expect to see more java malware than the usual list of Java exploits that we’ve seen in 2011. We will be posting soon with more, unusual, and recent Java malware.

Java Malware Reconsidered, or, Java Brews a Fresh Bot of Malware

Your email address will not be published. Required fields are marked *



Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

What did DeathStalker hide between two ferns?

While tracking DeathStalker’s Powersing-based activities in May 2020, we detected a previously unknown implant that leveraged DNS over HTTPS as a C2 channel, as well as parts of its delivery chain. We named this new malware “PowerPepper”.

Subscribe to our weekly e-mails

The hottest research right in your inbox