Monday, February 10, 2025
HomeCyber Security NewsHackers Abuse Amazon & GitHub to Deploy Java-based Malware

Hackers Abuse Amazon & GitHub to Deploy Java-based Malware

Published on

SIEM as a Service

Follow Us on Google News

Hackers target these platforms due to their hosting of valuable resources and data.

For financial gain or some other bad motive, the hackers intrude on these platforms to steal data, deploy malicious software, or launch other cyber attacks.

Cybersecurity analysts at FortiGuard Labs uncovered that hackers actively abuse Amazon and GitHub to deploy Java-based malware.

Amazon & GitHub Abused

FortiGuard Labs found a phishing campaign tricking users into downloading malicious Java downloaders, which were aimed at spreading new VCURMS and STRRAT RATs. 

It’s been discovered that the malware hosted on AWS and GitHub was obfuscated via a commercial protector.

The attacker uses email for C2 by leveraging privacy-focused Proton Mail service at the victim’s end.

Attack flow (Source - Fortinet)
Attack flow (Source – Fortinet)

Phishing emails lure victims to click the button, downloading malicious AWS-hosted JAR downloaders with obfuscated strings.

The downloader fetches and runs two more JARs that use a commercial “Sense Shield Virbox Protector” obfuscator with a trial expiration notice. 

Unusual RAT communicates via email, persists via the Startup folder, identifies victims by computer name/Volume ID, and then checks the email subject for ID to execute commands in the body. 

Keylogger and password stealer disguised as JPGs on AWS were downloaded via PowerShell.

It provides shell command execution, file upload/download, and malware installation. 

In this campaign, top malware uses the Branchlock obfuscator, which the Narumii/Deobfuscator aids in partially decoding. 

Upon receiving the “recovery” command, the program is deployed to steal system info, browser data, and app details to %USERPROFILE%\AppData\cookie as st.jar.

Discord and Steam are the apps that are targeted along with the top browsers like Brave, Chrome, Edge, Firefox, Opera, OperaGX, Vivaldi, and Yandex to collect the following types of system information:-

  • Network information
  • Computer information
  • Hardware information
  • Process lists
  • Screenshots

The program named VCURMS gathers app account details, cookies, browsing history, and passwords, storing them in %USERPROFILE%/<username>. Unlike Rude Stealer, it sends stolen data via the same path and email address as the main program.

VCURMS (Source - Fortinet)
VCURMS (Source – Fortinet)

Keylogger is stored in %USERPROFILE%\AppData\cookie\klog.jar, which records the keystrokes.

“windows.jar” executes additional actions like sending logs back. 

STRRAT is a Java-based RAT that can be used as a keylogger and extract credentials.

By 2023, it was found to use ZKM and Allatori for evasion. 

The recent attack campaign observed by FortiGuard Labs still uses Allatori and Branchlock for obfuscation.

Decoding the config file reveals server info and ID “Khonsari” with Base64 and AES decryption using the “strigoi” passphrase.

The attack launches malware simultaneously by using STRRAT and new Java-based VCURMS.

VCURMS handles C&C but also deploys modified Rude Stealer, a keylogger for data theft.

Threat actor obfuscates code and attempts C&C via email.

IOCs

E-mails

  • copier@ferrellengineering[.]com
  • sacriliage@proton[.]me

Domains

  • bankofindustry[.]s3[.]us-east-2[.]amazonaws[.]com
  • riseappbucket[.]s3[.]ap-southeast-1[.]amazonaws[.]com
  • ofornta[.]ddns[.]net
  • jbfrost[.]live
  • backinghof[.]ddns[.]net

Files

  • 97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9
  • 8d72ca85103f44742d04ebca02bff65788fe6b9fc6f5a411c707580d42bbd249
  • 588d6f6feefa6273c87a3f8a15e2089ee3a063d19e6a472ffc0249298a72392d
  • 8aa99504d78e88a40d33a5f923caf7f2ca9578031d004b83688aafdf13b3b59f
  • c0d0dee9b8345da3c6cf3e1c3ce5b5b6e8c9e4002358517df1e3cd04c0f0b3d1

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

NetSupport RAT Grant Attackers Full Access to Victims Systems

The eSentire Threat Response Unit (TRU) has reported a significant rise in incidents involving...

Quishing via QR Codes Emerging as a Top Attack Vector Used by Hackers

QR codes, once a symbol of convenience and security in digital interactions, have become...

New ‘BYOTB’ Attack Exploits Trusted Binaries to Evade Detection, Researchers Reveal

A recent cybersecurity presentation at BSides London 2024 has unveiled a sophisticated attack technique...

SAML Bypass Authentication on GitHub Enterprise Servers to Login as Other User Account

A severe security vulnerability, tracked as CVE-2025-23369, has been identified in GitHub Enterprise Server...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

NetSupport RAT Grant Attackers Full Access to Victims Systems

The eSentire Threat Response Unit (TRU) has reported a significant rise in incidents involving...

Quishing via QR Codes Emerging as a Top Attack Vector Used by Hackers

QR codes, once a symbol of convenience and security in digital interactions, have become...

New ‘BYOTB’ Attack Exploits Trusted Binaries to Evade Detection, Researchers Reveal

A recent cybersecurity presentation at BSides London 2024 has unveiled a sophisticated attack technique...