Most malware security researchers encounter in the wild is written in C or C++. These languages provide low-level system access and control, plus performance, allowing threat actors to create highly efficient and stealthy code. But that doesn’t mean cybercriminals are limited to those two languages.
SecurityScorecard recently reverse-engineered the Vjw0rm worm written in JavaScript and the Java-based STRRAT remote access trojan (RAT). This will help security teams protect against these specific threats and provide a general approach for analyzing JavaScript and Java malware.
Analyzing malicious JavaScript code – Vjw0rm
Vjw0rm is a worm that spreads via USB drives. It has RAT (Remote Access Trojan) capabilities, implementing different commands transmitted by the C2 server. It establishes persistence on a machine by copying to the Startup folder and creating a Run registry entry.
The malware drops a Java-based RAT called STRRAT, which we will cover in more detail below.
JavaScript malware can be an infection vector leading to serious threats such as ransomware and spyware.
JavaScript malware usually goes through a few levels of obfuscation to disguise its intent. So, the first step in reverse engineering JavaScript malware is to find a way to extract the relevant information. To do so, you can use tools such as js-beautify, which we used in our technical analysis of Vjw0rm. After deploying the tool, we identified a Base64-encoded string.
[Image 1: the Base64-encoded string. Image 2: decoding the string with the decodeBase64 function]
Another tool we used is box-js, which can execute and analyze a JavaScript file. The script generates a random string of at most 10 characters using the “Math.random()” function. The “longText” variable is Base64-decoded, and its content is saved in a “.txt” file. The resulting file is a malicious JAR called STRRAT. JAR stands for Java Archive, and it is Java’s equivalent of a .zip file, where multiple files are aggregated into one.
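A triage helper in the spirit of the step above, added here as an example (it is not SecurityScorecard’s tooling or code from the analysis): it carves long Base64 literals out of a deobfuscated script, decodes them and identifies a dropped JAR by its ZIP structure and manifest. The dropper-like script and the embedded JAR are constructed for the example; only the variable name longText comes from the analysis.

```python
import base64
import hashlib
import io
import re
import zipfile

# Constructed sample: a minimal JAR (ZIP with a manifest) built in memory so the
# example runs offline. Fixed timestamps keep the bytes deterministic.
def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for name, body in (("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                           ("sample/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 12)):
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            jar.writestr(info, body)
    return buf.getvalue()

# Constructed dropper-like script: a long Base64 literal assigned to "longText"
# and written to a randomly named .txt file, the pattern described above.
SAMPLE_SCRIPT = (
    'var longText = "' + base64.b64encode(build_sample_jar()).decode() + '";\n'
    'var name = Math.random().toString(36).substring(2, 12) + ".txt";\n'
    "writeFile(name, decodeBase64(longText));\n"
)

# Quoted runs of Base64 alphabet characters (64+ chars) with optional padding.
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')

def classify_payload(data: bytes) -> str:
    """Identify a decoded blob by its magic bytes; JARs are ZIPs with a manifest."""
    if data[:2] == b"PK":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            return "zip (corrupt)"
        return "jar" if "META-INF/MANIFEST.MF" in names else "zip"
    if data[:4] == b"\xca\xfe\xba\xbe":
        return "java class"
    if data[:2] == b"MZ":
        return "pe"
    return "unknown"

def carve_base64_payloads(script: str) -> list:
    """Decode every long Base64 literal in the script and record what it holds."""
    findings = []
    for match in B64_LITERAL.finditer(script):
        try:
            data = base64.b64decode(match.group(1), validate=True)
        except ValueError:  # binascii.Error: bad padding or stray characters
            continue
        findings.append({"offset": match.start(1), "size": len(data),
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "kind": classify_payload(data)})
    return findings
```

Running `carve_base64_payloads(SAMPLE_SCRIPT)` returns one finding classified as `jar`, with its size and SHA-256 ready to be compared against the file box-js writes to disk.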
For more details of our analysis, please read the full whitepaper on Vjw0rm.
Analyzing malicious Java code – STRRAT
STRRAT is a Java-based malware that executes multiple commands transmitted by the C2 server. The implemented commands provide the following functionality:
- Reboot the machine
- Uninstall the malware and delete all its traces
- Update the initial JAR file
- Execute commands using cmd and powershell
- Open/delete/download/upload files specified by the C2 server
- Perform keylogger activities
- Retrieve a list of running processes
- Implement a reverse proxy on the machine
- Install RDPWrap, which enables Remote Desktop Host support
- Steal passwords from multiple browsers and email clients
- Attempt to elevate privileges
- Implement a functional ransomware module
The malware establishes persistence by creating a scheduled task called “Skype”.
We can use a tool like Recaf to analyze the malicious JAR file. As shown below, the initial code is obfuscated using the Allatori Obfuscator:
After using the Java deobfuscator to deobfuscate the JAR, we can start digging for more information.
The configuration file called “config.txt” is decrypted using the AES algorithm, with the key derived from the “strigoi” string:
The first decrypted parameter from the configuration represents the primary C2 server, and the second is the primary C2 port. The fourth and fifth parameters contain the secondary C2 server and port.
The C2 server transmits multiple elements that are delimited by “|”. The first one is the command that STRRAT will execute:
STRRAT commands include reboot, shutdown, uninstall, remote-cmd, keylogger, etc.
Learn more details about STRRAT and all of its commands by reading our full technical analysis.
Protect yourself from malware attacks with SecurityScorecard
Whether you want to test and bolster your cyber resilience or recover from an ongoing attack, the SecurityScorecard platform and team of experts can provide the insights, data, and expertise you need. Here are just some of SecurityScorecard’s products and services you can use to protect against cyberattacks:
Prevent future disruptions with personalized, up-to-date, and precision-built data.
Digital Forensics & Incident Response
Effectively manage your data breach response with a team of experts that will quickly triage the situation to stop further damage, provide communication guidance, investigate the source, and provide actionable post-incident reporting.
Strengthen your defenses by battle-testing your security controls and safely exploiting vulnerabilities in your environment.
Test your organization’s defenses with intelligence-led threat scenarios to perform a simulated, real-life cyber attack.
Personalized exercises based on real-world incidents that test your ability to respond to cyberattacks and data breaches.