Hackers Abuse Amazon & GitHub to Deploy Java-based Malware

Hackers target these platforms due to their hosting of valuable resources and data.

For financial gain or some other bad motive, the hackers intrude on these platforms to steal data, deploy malicious software, or launch other cyber attacks.

Cybersecurity analysts at FortiGuard Labs uncovered that hackers actively abuse Amazon and GitHub to deploy Java-based malware.

Amazon & GitHub Abused

FortiGuard Labs found a phishing campaign tricking users into downloading malicious Java downloaders, which were aimed at spreading new VCURMS and STRRAT RATs. 

It’s been discovered that the malware hosted on AWS and GitHub was obfuscated via a commercial protector.

The attacker uses email for C2 by leveraging privacy-focused Proton Mail service at the victim’s end.

Attack flow (Source – Fortinet)

Phishing emails lure victims to click the button, downloading malicious AWS-hosted JAR downloaders with obfuscated strings.

The downloader fetches and runs two more JARs that use a commercial “Sense Shield Virbox Protector” obfuscator with a trial expiration notice. 

Unusual RAT communicates via email, persists via the Startup folder, identifies victims by computer name/Volume ID, and then checks the email subject for ID to execute commands in the body. 

Keylogger and password stealer disguised as JPGs on AWS were downloaded via PowerShell.

It provides shell command execution, file upload/download, and malware installation. 

In this campaign, top malware uses the Branchlock obfuscator, which the Narumii/Deobfuscator aids in partially decoding. 

Upon receiving the “recovery” command, the program is deployed to steal system info, browser data, and app details to %USERPROFILE%\AppData\cookie as st.jar.

Discord and Steam are the apps that are targeted along with the top browsers like Brave, Chrome, Edge, Firefox, Opera, OperaGX, Vivaldi, and Yandex to collect the following types of system information:-

  • Network information
  • Computer information
  • Hardware information
  • Process lists
  • Screenshots

The program named VCURMS gathers app account details, cookies, browsing history, and passwords, storing them in %USERPROFILE%/<username>. Unlike Rude Stealer, it sends stolen data via the same path and email address as the main program.

VCURMS (Source – Fortinet)

Keylogger is stored in %USERPROFILE%\AppData\cookie\klog.jar, which records the keystrokes.

“windows.jar” executes additional actions like sending logs back. 

STRRAT is a Java-based RAT that can be used as a keylogger and extract credentials.

By 2023, it was found to use ZKM and Allatori for evasion. 

The recent attack campaign observed by FortiGuard Labs still uses Allatori and Branchlock for obfuscation.

Decoding the config file reveals server info and ID “Khonsari” with Base64 and AES decryption using the “strigoi” passphrase.

The attack launches malware simultaneously by using STRRAT and new Java-based VCURMS.

VCURMS handles C&C but also deploys modified Rude Stealer, a keylogger for data theft.

Threat actor obfuscates code and attempts C&C via email.

IOCs

E-mails

  • copier@ferrellengineering[.]com
  • sacriliage@proton[.]me

Domains

  • bankofindustry[.]s3[.]us-east-2[.]amazonaws[.]com
  • riseappbucket[.]s3[.]ap-southeast-1[.]amazonaws[.]com
  • ofornta[.]ddns[.]net
  • jbfrost[.]live
  • backinghof[.]ddns[.]net

Files

  • 97e67ac77d80d26af4897acff2a3f6075e0efe7997a67d8194e799006ed5efc9
  • 8d72ca85103f44742d04ebca02bff65788fe6b9fc6f5a411c707580d42bbd249
  • 588d6f6feefa6273c87a3f8a15e2089ee3a063d19e6a472ffc0249298a72392d
  • 8aa99504d78e88a40d33a5f923caf7f2ca9578031d004b83688aafdf13b3b59f
  • c0d0dee9b8345da3c6cf3e1c3ce5b5b6e8c9e4002358517df1e3cd04c0f0b3d1

With Perimeter81 malware protection, you can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits. All are incredibly harmful and can wreak havoc on your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Tushar Subhra

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

6 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

6 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

7 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

8 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

9 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

9 hours ago