JBifrost: A Song of Ice and Malware

14. September 2016 Java RAT 0
JBifrost: A Song of Ice and Malware

In this new post, I’ll talk about a current and active threat which is nowadays known as JBifrost, but previously known as JSocket/Alienspy/Unrecom/Adwind/Frutas (a lot of names since 2012!).
The most generic name being Adwind.

This malware is categorized as a Remote Access Trojan (RAT) and has the particularity to be coded in Java.

Adwind and me

This post was prompted by the publication of a recent blog post by Fortinet (I’ll come back to it later).

Indeed, I’ve been tracking this specific threat since the end of 2015, when Adwind was called JSocket.
I read a lot of analysis on this piece of malware at this time, like (in chronological order):

I also did a light reverse-engineering on the JAR files that were distributed by various actors (most of the time, Nigerian skiddies) and reluctantly came back to Java coding…
The obfuscation of the JAR made me cringe a lot, but I found an easy way around:
I began to regularly check the following GitHub project: kevthehermit / RATDecoders

(Note: thanks to @kevthehermit for the project and Jurg who did a lot of commit about this specific threat).

This made me more familiar with the way JSocket was handling its configuration (and how the RAT developer was treating malware analysts with this string value: “kevthehermitisacompletegaywhatfuckwithhismotherXDXDXD”).


[Technical stuff mode = on]

At the time, the configuration was extracted as follows:

  1. One file in the JAR is XORed with a static key present in the Java code (like the one before)
  2. This file was a simple XML file containing a list of entries, with one indicating the entry “SERVER”, which contained the name of a second file which was encrypted
  3. Depending on the version, the configuration was encrypted with RC4 or RC6 stream ciphers (with a twist beginning on version 2.6, the developer simply changed the default number of rounds and the P and Q chosen for RC6).
  4. To decrypt the configuration file, the algorithm needed a dynamic key formed by the concatenation of one static key and the “PASSWORD” entry of the XML file.
  5. Once decrypted it was possible to access the configuration of the RAT (JAR_FOLDER, JAR_NAME, NETWORK-PORT, NETWORK-DNS, NICKNAME, etc…)

To protect the configuration, the developer regularly changed the name of the first encoded file, its XOR key and the encryption static key. Between December 2015 and February 2016, there was more than 10 changes on these parameters to avoid this type of automated analysis.

[Technical stuff mode = off]


This proved that the developer regularly monitored his RAT on the Internet.

“Off with your head. Dance ’til you’re dead.”

At the end of February 2016, an important security player, Kaspersky, published a dossier on the possible link of this malware to an individual probably located in Mexico: Adwind – A cross platform RAT (Kaspersky, 2016)

A short time after this publication, as indicated in the Fortinet post, the site jsocket.org was taken down as a result (the domain is still active though).

This trend isn’t new as the malware developer already took down his AlienSpy domain after the  Fidelis Security paper in 2015 (source: Java Based Trojans (Anthony Kasza, 2016)).

However, in  March, a new Twitter handle (@jsocketRat) twittered happily during one single day. He indicated, he took a break and was operating underground at the moment:

jsocketisback

He took the time to rant on JRat (@java_rat), his rival on the market.

He also indicated his Skype handle at the same time: jsocketrat
Finally, he continued the development of the RAT as can be seen on the following screen (Dates were: 2016-03-09):

twitgrabber
This was the only public apparition made after the shutdown of the website from the JSocket handle.

“Germaine, Germaine, une java ou un tango”

Since February, we were seeing less and less samples of Java malware. Some actors switched to JRat, others came back to the good old Zeus.

However this was a short term respite… In the middle of the July heat, I received a wake-up call from a warm country. A story which began with a cleverly crafted spam (usurpation of e-mail, signature, etc…) and ended with several users clicking happily on a JAR file.

This sample was unknown by our antivirus at the time, still it detected the network activity as corresponding to Adwind (ETPRO rules were updated on the 07/07/2016).

At the time, I didn’t knew the new brand with which this malware was advertised, but I knew it was definitively the same person behind the previous JSocket RAT.
Indeed, a quick review of the code, gave me a definitive hint. The developer was still using the same obfuscation method, but dropped entirely the XOR and RC6 decryption.

By quickly checking the import list, I saw several new ones, including: java.security.interfaces.RSAPrivateKey and javax.crypto.spec.SecretKeySpec

As well, as several references to jrat.io (domain name of JRat) in several places in the code (see this sample). This is clearly another rant from the developer.

I will come back on these in a technical follow-up post…

“Welcome hell, hay que eliminarlo!”

In mid-August, still in the warmth of summer (winter in Rio), a news came to my ears concerning the new rebranding of Adwind. Thanks to @_ddoxer and @rommeljoven17, I now had the confirmation that JSocket was dropped for the new trendy name “JBifrost“.

The version indicated in the article was the following:

  • 1.0.0 = 05/15/2016
  • 1.0.1 = 05/26/2016
  • 1.1.0 = 07/22/2016
  • 1.1.1 = ??? (bug in the interface or beta version?)

So in the background, the previous customer were informed of this change and could download again this remake.

One question remained though. Why this name?

I came to this answer by a bit of Googling… One graphic not shown in the Fortinet blog features a graphic design.  By reverse-searching this image, I simply found out that the JBifrost graphic is coming directly from the Marvel Comics series Thor.

membership

But now, a new question pops-up, when did this new domain (jbifrost.com) came into life?

The name was registered on the 02/10/2016. That is to say, only two days after the publication of Kaspersky!
Needless to say, the developer used a privacy protection for this domain registration (still using WhoisGuard based in Panama).
It’s hosted since the 02/14/2016 on the same co-hosted server from Name Cheap.

The website is using IPS Community Suite (Invision Power) for the forum and the store, which doesn’t have the HTML5 responsive design as the previous website (yes, it counts!).

Since the Fortinet publication, the site is now closed for inscription.
Your best chance is to contact “Admin” via Skype, Jabber or e-mail…

“Motherfucker got fucked up ’cause he got in the way'”

I’m currently monitoring new samples and came across several campaigns since Adwind rebirth as JBifrost.

The customers are still primarily skiddies living in West African countries, however, we can also see some in South America as well.
It seems that there is still two subscription schemes, one for basic infection and another for more sophisticated infection (list of antivirus/firewall processes to kill or bypass).

Most often, the samples contact a C&C server based generally in malware-friendly countries (Russia primarily).

The developer is still very active, “professional” and provides for his customers.

There is still a lot to do to protect against it and teach users how to not open this “RFQ Urgent.jar” or “OrderList.jar” file, even if the e-mail looks legit.

To sum-up, it’s still the same-old recipe, but with another package… (No, Apple is not using these shenanigans!)coda

Note: For those interested by some samples, contact me on Twitter: @moutonplacide