Most malware security researchers encounter in the wild is written in C or C++. These languages provide low-level system access and control, plus performance, allowing threat actors to create highly efficient and stealthy code. But that doesn’t mean cybercriminals are limited to those two languages.
Vjw0rm is a worm that spreads via USB drives. It has RAT (Remote Access Trojan) capabilities, implementing different commands transmitted by the C2 server. It establishes persistence on a machine by copying itself to the Startup folder and creating a Run registry entry.
The malware drops a Java-based RAT called STRRAT, which we will cover in more detail below.
[Images: Base64-encoded string (image 1); decoding Base64 using the decodeBase64 function (image 2)]
For more details of our analysis, please read the full whitepaper on Vjw0rm.
Analyzing malicious Java code – STRRAT
STRRAT is a Java-based malware that executes multiple commands transmitted by the C2 server. The functionalities of the implemented commands include:
- Reboot the machine
- Uninstall the malware and delete all its traces
- Update the initial JAR file
- Execute commands using cmd and powershell
- Open/delete/download/upload files specified by the C2 server
- Perform keylogger activities
- Retrieve a list of running processes
- Implement a reverse proxy on the machine
- Install RDPWrap that enables Remote Desktop Host support
- Steal passwords from multiple browsers and email clients
- Attempt to elevate privileges
- Implement a functional ransomware module
The malware establishes persistence by creating a scheduled task called “Skype”.
We can use a tool like Recaf to analyze the malicious JAR file. As shown below, the initial code is obfuscated using the Allatori Obfuscator:
After deobfuscating the JAR with a Java deobfuscator, we can start digging for more information.
The configuration file called “config.txt” is decrypted using the AES algorithm, with the key derived from the “strigoi” string:
The first decrypted parameter from the configuration represents the primary C2 server, and the second is the primary C2 port. The fourth and fifth parameters contain the secondary C2 server and port.
The C2 server transmits multiple elements that are delimited by “|”. The first one is the command that STRRAT will execute:
STRRAT commands include reboot, shutdown, uninstall, remote-cmd, keylogger, etc.
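To make the configuration layout and the "|"-delimited C2 format above concrete, here is a small analyst-side parser. It is an added example, not code from STRRAT or from our analysis tooling, written in Python rather than the malware's Java because it is meant for triaging decrypted configs and captured C2 strings. It assumes the 1-based parameter positions stated above, assumes config.txt fields are also "|"-separated (the analysis only states that delimiter for C2 messages), and uses constructed sample values that are not real indicators.

```python
from dataclasses import dataclass
from typing import List, Optional

# "|" is the C2 message delimiter stated in the analysis; assumed here for config.txt too.
DELIM = "|"
# Commands named in the analysis; anything else is reported as unknown.
KNOWN_COMMANDS = {"reboot", "shutdown", "uninstall", "remote-cmd", "keylogger"}

@dataclass
class StrratConfig:
    primary_host: str
    primary_port: int
    secondary_host: Optional[str] = None
    secondary_port: Optional[int] = None

def parse_config(decrypted: str) -> StrratConfig:
    """Map decrypted config fields by 1-based position as the analysis describes:
    1st = primary C2 host, 2nd = primary port, 4th/5th = secondary host/port.
    The 3rd field is not described, so it is ignored. A missing or malformed
    secondary pair is tolerated; a missing primary pair is an error."""
    fields = [f.strip() for f in decrypted.split(DELIM)]
    if len(fields) < 2 or not fields[0] or not fields[1].isdigit():
        raise ValueError("config has no usable primary C2 host/port")
    cfg = StrratConfig(fields[0], int(fields[1]))
    if len(fields) > 4 and fields[3] and fields[4].isdigit():
        cfg.secondary_host, cfg.secondary_port = fields[3], int(fields[4])
    return cfg

@dataclass
class C2Message:
    command: str
    args: List[str]
    known: bool

def parse_c2_message(raw: str) -> C2Message:
    """Split one C2 line on '|': first element is the command, the rest its arguments.
    Line endings (present in captured traffic) are stripped first."""
    parts = raw.rstrip("\r\n").split(DELIM)
    command = parts[0].strip().lower()
    return C2Message(command, parts[1:], command in KNOWN_COMMANDS)

def triage_capture(lines: List[str]) -> List[str]:
    """Return the distinct unknown commands in a capture, so an analyst can spot
    functionality the current command list does not yet cover."""
    return sorted({m.command for m in map(parse_c2_message, lines) if not m.known})

# Constructed samples (not real indicators) to exercise the parsers.
SAMPLE_CONFIG = "c2.example.invalid|5555|x|backup.example.invalid|5556"
SAMPLE_CAPTURE = ["remote-cmd|echo test\r\n", "keylogger|start", "reboot", "zzz|foo"]
```

Feeding a sandbox's captured C2 lines to triage_capture surfaces any command string not yet in the known list, which is a quick way to notice a new variant's added functionality.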
Learn more details about STRRAT and all of its commands by reading our full technical analysis.
Protect yourself from malware attacks with SecurityScorecard
Whether you want to test and bolster your cyber resilience or recover from an ongoing attack, the SecurityScorecard platform and team of experts can provide the insights, data, and expertise you need. Here are just some of SecurityScorecard’s products and services you can use to protect against cyberattacks:
- Prevent future disruptions with personalized, up-to-date, and precision-built data.
- Effectively manage your data breach response with a team of experts that will quickly triage the situation to stop further damage, provide communication guidance, investigate the source, and provide actionable post-incident reporting.
- Strengthen your defenses by battle-testing your security controls and safely exploiting vulnerabilities in your environment.
- Test your organization’s defenses with intelligence-led threat scenarios to perform a simulated, real-life cyber attack.
- Personalized exercises based on real-world incidents that test your ability to respond to cyberattacks and data breaches.