Hackers Abuse Amazon & GitHub to Deploy Java-based Malware

Hackers target these platforms due to their hosting of valuable resources and data.

For financial gain or some other bad motive, the hackers intrude on these platforms to steal data, deploy malicious software, or launch other cyber attacks.

Cybersecurity analysts at FortiGuard Labs uncovered that hackers actively abuse Amazon and GitHub to deploy Java-based malware.

Amazon & GitHub Abused

FortiGuard Labs found a phishing campaign tricking users into downloading malicious Java downloaders, which were aimed at spreading new VCURMS and STRRAT RATs. 

It’s been discovered that the malware hosted on AWS and GitHub was obfuscated via a commercial protector.

The attacker uses email for C2 by leveraging privacy-focused Proton Mail service at the victim’s end.

Phishing emails lure victims to click the button, downloading malicious AWS-hosted JAR downloaders with obfuscated strings.

The downloader fetches and runs two more JARs that use a commercial “Sense Shield Virbox Protector” obfuscator with a trial expiration notice. 

Unusual RAT communicates via email, persists via the Startup folder, identifies victims by computer name/Volume ID, and then checks the email subject for ID to execute commands in the body. 

Keylogger and password stealer disguised as JPGs on AWS were downloaded via PowerShell.

It provides shell command execution, file upload/download, and malware installation. 

In this campaign, top malware uses the Branchlock obfuscator, which the Narumii/Deobfuscator aids in partially decoding. 

Upon receiving the “recovery” command, the program is deployed to steal system info, browser data, and app details to %USERPROFILE%\AppData\cookie as st.jar.

Discord and Steam are the apps that are targeted along with the top browsers like Brave, Chrome, Edge, Firefox, Opera, OperaGX, Vivaldi, and Yandex to collect the following types of system information:-

• Network information
• Computer information
• Hardware information
• Process lists
• Screenshots

The program named VCURMS gathers app account details, cookies, browsing history, and passwords, storing them in %USERPROFILE%/<username>. Unlike Rude Stealer, it sends stolen data via the same path and email address as the main program.

Keylogger is stored in %USERPROFILE%\AppData\cookie\klog.jar, which records the keystrokes.

“windows.jar” executes additional actions like sending logs back. 

STRRAT is a Java-based RAT that can be used as a keylogger and extract credentials.

By 2023, it was found to use ZKM and Allatori for evasion. 

The recent attack campaign observed by FortiGuard Labs still uses Allatori and Branchlock for obfuscation.

Decoding the config file reveals server info and ID “Khonsari” with Base64 and AES decryption using the “strigoi” passphrase.

The attack launches malware simultaneously by using STRRAT and new Java-based VCURMS.

VCURMS handles C&C but also deploys modified Rude Stealer, a keylogger for data theft.

Threat actor obfuscates code and attempts C&C via email.

IOCs

E-mails

• copier@ferrellengineering[.]com
• sacriliage@proton[.]me

Domains

• bankofindustry[.]s3[.]us-east-2[.]amazonaws[.]com
• riseappbucket[.]s3[.]ap-southeast-1[.]amazonaws[.]com
• ofornta[.]ddns[.]net
• jbfrost[.]live
• backinghof[.]ddns[.]net

Files

• 97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9
• 8d72ca85103f44742d04ebca02bff65788fe6b9fc6f5a411c707580d42bbd249
• 588d6f6feefa6273c87a3f8a15e2089ee3a063d19e6a472ffc0249298a72392d
• 8aa99504d78e88a40d33a5f923caf7f2ca9578031d004b83688aafdf13b3b59f
• c0d0dee9b8345da3c6cf3e1c3ce5b5b6e8c9e4002358517df1e3cd04c0f0b3d1

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.