4. Presentation Overview
• Introduction
• Intro to java, jars, and java based threats
• Java Threats
• Current threat landscape
• Defensive Techniques
• Analysis and detection techniques
• Demo
• Unpacking, deobfuscating, reading
5. Java Basics
• Rich ecosystem
• JVM vs JDK vs JRE
• Often used to teach OOP
• Compiles to bytecode
• Similar to Python
• Simple to disassemble
• Architecture agnostic
• Cross platform
[Diagram: the JDK bundles the JRE, the dev tools and the JRE library source; the JRE bundles the JVM and its libraries]
7. JAR (Java ARchive) Basics
• JAR vs Zip format
• Contents are called resources
• Class files
• Header 0xCAFEBABE
• Constant pools
• Manifest
• META-INF/MANIFEST.MF
• Key:Values
• Similar to HTTP headers
[Diagram: a JAR containing a manifest, class files a.class, b.class, c.class, d.class, and image resources a.jpg, b.ico, a.png]
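The points on this slide in working form, as an added example that is not part of the talk or of any tool it names: a JAR is a zip whose entries are resources, META-INF/MANIFEST.MF holds Key: Value pairs, and a class file starts with 0xCAFEBABE followed by its constant pool. The JAR, its manifest, the hand-assembled class file and the beacon-looking string literal inside it are all constructed here for the example; `triage_jar` reads the manifest, dumps the constant-pool strings of every entry that really is a class, and separately lists entries that are named `.class` but lack the header.

```python
# Added example (not from the talk): build a small JAR in memory, then triage it.
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE


def parse_manifest(text):
    """Parse MANIFEST.MF into a dict: 'Key: Value' lines like HTTP headers,
    where a line beginning with a single space continues the previous value."""
    result, last_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith(" ") and last_key is not None:
            result[last_key] += line[1:]
            continue
        key, _, value = line.partition(":")
        last_key = key.strip()
        result[last_key] = value.strip()
    return result


def constant_pool_strings(data):
    """Walk a class file's constant pool and return its CONSTANT_Utf8 entries
    (class names, method names and string literals all live here)."""
    magic, _minor, _major, count = struct.unpack(">IHHH", data[:10])
    if magic != CLASS_MAGIC:
        raise ValueError("not a class file")
    pos, i, strings = 10, 1, []
    while i < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                            # CONSTANT_Utf8: u2 length + bytes
            (length,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            strings.append(data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in (3, 4):                     # Integer, Float
            pos += 4
        elif tag in (5, 6):                     # Long, Double occupy two slots
            pos += 8
            i += 1
        elif tag in (7, 8, 16, 19, 20):         # Class, String, MethodType, Module, Package
            pos += 2
        elif tag in (9, 10, 11, 12, 17, 18):    # member refs, NameAndType, (Invoke)Dynamic
            pos += 4
        elif tag == 15:                         # MethodHandle
            pos += 3
        else:
            raise ValueError(f"unknown constant pool tag {tag}")
        i += 1
    return strings


def build_sample_class():
    """Constructed, hand-assembled class file (not compiled Java) with a
    five-entry constant pool; only the pool matters for this example."""
    def utf8(s):
        b = s.encode()
        return b"\x01" + struct.pack(">H", len(b)) + b

    def cls(idx):
        return b"\x07" + struct.pack(">H", idx)

    pool = (utf8("Foo") + cls(1) + utf8("java/lang/Object") + cls(3)
            + utf8("http://c2.example.invalid/beacon"))      # constructed literal
    header = struct.pack(">IHHH", CLASS_MAGIC, 0, 52, 6)      # count is entries + 1
    body = struct.pack(">HHHHHHH", 0x0021, 2, 4, 0, 0, 0, 0)  # flags, this, super, no members
    return header + pool + body


SAMPLE_MANIFEST = "Manifest-Version: 1.0\r\nMain-Class: Foo\r\nCreated-By: 1.8.0 (constructed)\r\n"


def build_sample_jar():
    """Constructed JAR: manifest, one real class, one image, one fake '.class'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", SAMPLE_MANIFEST)
        z.writestr("Foo.class", build_sample_class())
        z.writestr("a.jpg", b"\xff\xd8\xff" + b"\x00" * 8)
        z.writestr("Bar.class", b"not really a class")
    return buf.getvalue()


def triage_jar(jar_bytes):
    """Manifest key/values, constant-pool strings per real class, and the
    resources whose '.class' name is not backed by the 0xCAFEBABE header."""
    report = {"manifest": None, "classes": {}, "bad_class_magic": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as z:
        for name in z.namelist():
            data = z.read(name)
            if name == "META-INF/MANIFEST.MF":
                report["manifest"] = parse_manifest(data.decode("utf-8", "replace"))
            elif name.endswith(".class"):
                if data[:4] == b"\xca\xfe\xba\xbe":
                    report["classes"][name] = constant_pool_strings(data)
                else:
                    report["bad_class_magic"].append(name)
            else:
                report["other"].append(name)
    return report
```

Running `triage_jar(build_sample_jar())` yields the manifest as a dict (so `Main-Class` is one lookup), the URL literal among `Foo.class`'s pool strings, and `Bar.class` under `bad_class_magic`; the magic check rather than the file extension is what decides whether an entry is treated as code.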
8. Java RAT Basics
• Various levels of maturity
• E.g. BlueBanana vs Adzok vs jSocket
• Most are kits/builders
• stub Jars
• Many use common libraries
• VirusTotal detections are often inaccurate
• jRat != Jacksbot (aka jRat)
• IMO too many RATs are detected as jRat
• Frutas != Adwind != Jsocket != etc.
• Or does it?
• IMO too many RATs are detected as Adwind
9. Other Java Threats
• Banload and other droppers / downloaders
• Java Ransomware
• PoC on Github [37]
• From what I can tell, written by two high school students
• Not distributed ITW
• jbd – bind shell in java
• https://scoperchiatore.wordpress.com/java-backdoor/
• Javafog – APT Java backdoor
10. A Brief Tangent: Javafog
• Identified by Kaspersky
• Malicious Jar which beaconed to same domain as Icefog samples
• Windows specific
• Targeted?
• But then why Java?
12. Common Libraries
• java.util.prefs – persistence mechanism
• Windows: registry
• Linux: hidden files in user’s home/ dir
• OSX: ~/Library/Preferences/
• Commonly (mis)used libraries
• Sigar
• Bridj
• Slf4j
• JNA / JNI [35]
• jnativehook
• Kryonet
• webcam-capture [36]
• Runtime.getRuntime().exec()
• E.g. Javafog
13. Adversary Types
• Opportunistic actors
• Forum skiddies and phishing/spam
• Financially motivated actors
• Banking users in Brazil (banload) [40]
• Bank systems in Singapore (adwind) [11]
• Actors targeting something specific
• PackRat – CitizenLab, Dec 2015 (Adzok, AlienSpy)
• Latin American [13]
• JavaFog – Kaspersky, Jan 2014
• Manul campaign – EFF, 2016 (jRat) [34]
16. Things That Come in Jars
[Timeline figure of Java RAT families and the dates they emerged; the extracted text does not preserve which date goes with which family. Families: Frutas, Adwind, Unrecom, AlienSpy, jSocket, jBifrost, Adzok, BlueBanana, Crimson, jCage, jFect, jRAT, jSpy, OS Celestial, Quaverse, Quarallax, OmniRAT, Ratty. Dates: Feb 2012, Jan 2013, Nov 2013, Oct 2014, July 2015, Sept 2012, 2010 ?, Oct 2012, July 2013, Nov 2015, Oct 2012, Dec 2013, May 2015, Jun 2015, Nov 2015, Jun 2016, May 2016, Feb 2016]
20. Frutas Lineage: Frutas
• Frutas PoC emerged early 2012 [2]
• Includes a simple ASCII readable ‘config.txt’ or ‘config.xml’ file
• Writes ‘frautas.lock’ file to temporary directory to avoid concurrent executions
• Became popular among Spanish speaking criminals circa July 2012 [1]
24. Frutas Lineage: Adwind
• Emerged early 2013 from a rebranded Frutas [3]
• Subsequent variants began using obfuscation [4]
• Same named resources (capital vs lower case)
• Support for Android (APK binder) introduced
• Modular plugins
33. Frutas Lineage: jSocket
• AlienSpy domain taken down after Fidelis report (April 2015)
• jSocket emerged July 2015 [10]
• Similar to AlienSpy but used subscription model (SaaS)
• Kaspersky estimates Jsocket (Adwind) author [11]:
• made $200,000 per year
• sold to 1,800 customers
36. Frutas Lineage: jBifrost
• Minor feature improvements from jSocket [38]
• Controller can tell if user is typing
• Serialized decryption keys in implants
38. Adzok (aka Adsocks)
• Emerged 2010ish (0.7.0 was around in January of 2011) [12]
• Free version used by PackRat group [13]
• Open Source [14], Free, and Pro Versions
• Still active:
• Sold online from Bolivia [15]
• Twitter profile’s latest tweet was July 2015 [16]
• Similarities to Frutas
• Creates lock file
• Free version is Windows only
• Similar XML configuration file elements
43. BlueBanana
• Emerged September 2012
• Obfuscated
• Encoded strings
• Class file names
• Beacons with a configured password in its first data packet
• No longer developed
46. Crimson
• Oldest forum post I could find was dated Oct 2012 [17]
• The builder’s “about” section claims December 2013
• Encrypted communications
• AES
• Blowfish
• DES
• Triple DES
• Drops settings files into one of:
• sqlite database ‘Psettings.db’ – v1.2.3
• base64 encoded ‘settings.properties’ – v1.3.0
• No file dropped – v2.1.0
50. jCage
• Emerged July 2013
• Makes use of jnativehook lib
• Seems to be focused on Windows systems
• I could not find a sample which executed on OSX
53. qRat (Qarallax/Quaverse)
• Emerged May 2015
• Three stage JAR loader [20]
• SaaS model (similar to jSocket)
• Used a hardcoded IPv4 and domains
• Only runs on Windows
• A second version in the wild [32] recently
• Downloads auxiliary Jars from qarallax[.]com
• Runs on Macs too!
• Used to compromise US Visa applicants in Switzerland over Skype [33] – 6 June 2016
56. jRat (aka Jacksbot)
• Emerged Oct 2012
• Portions are open sourced by redpois0n
• Plugins, scripts, uninstaller, and auxiliary tools
• https://github.com/java-rat
• Again, not everything is jRat
• Persists using [19]
• OSX: a LaunchAgent plist
• Linux: ~/.config/autostart
• Windows: Registry run key
58. jFect
• Emerged Nov 2015
• Heavily obfuscated
• IRC or HTTP communications
• LaunchAgent plist for persistence on OSX
• Just like every other Java RAT
62. OmniRAT
• Emerged Nov 2015
• Multi OS implant and panel support
• Android control panel
• Hardcoded C2 (doesn’t use a configuration file)
• Android version can spread via SMS [21]
65. jSpy and OS Celestial
• jSpy emerged Dec 2013, OS Celestial is likely a
second version
• Open source library reuse
• Similar features
• Similar configuration file options
• Similar configuration parsing classes
• Overlap in domains builders beacon to
• jstealth.co[.]uk
• jstealth[.]net
• Detectable by files it drops on Windows
• Uses LaunchAgent plists for persistence on OSX
67. jSpy and OS Celestial
jSpy plist file for persistence on OSX
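The LaunchAgent persistence that slides 56, 58 and 65 attribute to jRat, jFect and jSpy is something a defender can sweep for. The following is an added example, not code from the talk or from KnockKnock: it reads every plist in a LaunchAgents directory with `plistlib` and reports the ones whose `Program`/`ProgramArguments` invoke `java` or name a `.jar`. The two plists that `build_sample_dir` writes (a `java -jar` launcher pointing at a jar in a hidden directory, and a benign `caffeinate` agent) are constructed for the example.

```python
# Added example (not from the talk): find LaunchAgents that start java or a jar.
import os
import plistlib
import tempfile

JAVA_BINARIES = {"java", "javaw"}


def java_artifacts(plist_path):
    """Return a summary dict if the plist launches java or a .jar, else None."""
    with open(plist_path, "rb") as f:
        p = plistlib.load(f)
    args = list(p.get("ProgramArguments", []))
    if "Program" in p:                       # Program, when present, is the executable
        args.insert(0, p["Program"])
    uses_java = any(os.path.basename(a).lower() in JAVA_BINARIES for a in args)
    jars = [a for a in args if a.lower().endswith(".jar")]
    if not (uses_java or jars):
        return None
    return {"label": p.get("Label"), "run_at_load": bool(p.get("RunAtLoad", False)),
            "args": args, "jars": jars}


def scan_launch_agents(directory):
    """Scan every *.plist in directory; hits come back in filename order."""
    hits = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".plist"):
            continue
        found = java_artifacts(os.path.join(directory, name))
        if found:
            found["plist"] = name
            hits.append(found)
    return hits


def build_sample_dir():
    """Write one suspicious and one benign LaunchAgent into a temp dir (constructed data)."""
    d = tempfile.mkdtemp()
    samples = {
        "com.example.updater.plist": {
            "Label": "com.example.updater",
            "ProgramArguments": ["java", "-jar", "/Users/analyst/Library/.cache/update.jar"],
            "RunAtLoad": True,
        },
        "com.example.caffeine.plist": {
            "Label": "com.example.caffeine",
            "ProgramArguments": ["/usr/bin/caffeinate", "-d"],
            "RunAtLoad": True,
        },
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            plistlib.dump(data, f)
    return d


if __name__ == "__main__":
    target = os.path.expanduser("~/Library/LaunchAgents")
    scan_dir = target if os.path.isdir(target) else build_sample_dir()
    for hit in scan_launch_agents(scan_dir):
        print(hit)
```

On a real Mac the script scans the user's `~/Library/LaunchAgents`; elsewhere it falls back to the constructed directory. `RunAtLoad` is reported rather than required, since an agent that only starts on login is still persistence.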
68. Ratty
• Was actively being developed on Github [22]
• Seems Windows is further developed than OSX (further than Linux)
• Used a simple xor over its configuration file
• Palo Alto Networks saw this RAT being
distributed in the wild around April 5 of this year
• Disappeared from Github a few months ago
72. Common Java RAT Behaviors
• Obfuscators, protectors, cryptors
• Anti-vm and anti-analysis tricks
• Very long and random(ish) resource names
• Many AV’s cannot determine which family
• Hide Jar implant
• Hidden directories or temp folders
• Persistence
• Registry, startup folder, plists (KnockKnock)
• Beacon
• Variable between families
73. Packers, Obfuscators, Bundlers
• Allatori
• Zelix Klassmaster (aka Zelix aka ZKM)
• launch4j (jar to exe)
• Jar Bundler (removed in OS X Mountain Lion 10.8.2)
• JarToApp
• https://github.com/redpois0n/JarToApp
• jCrypt
• jarProtector
• jFuzzle
75. Jar Deobfuscation
• Deobfuscation logic is in the JAR somewhere
• Decompile class files
• Search for methods wrapping strings passed to other methods
• If those methods do math manipulations on a string, re-implement in Python
• Eclipse conditional breakpoints [23] [24] [25]
• Demo to follow
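The "re-implement in Python" step carried through, as an added example that is not part of the talk or its demo. The decompiled Java wrapper shown in the comment is hypothetical and constructed for this example (it is not taken from any of the RATs discussed); `decode` is its Python port, `encode` is the inverse used only to build the sample, and `rewrite_decompiled` replaces every `a("...")` call site in a constructed decompiled snippet with the recovered plaintext literal.

```python
# Added example (not from the talk). HYPOTHETICAL decompiled wrapper, constructed
# for this example; every call site in the decompiled source looks like a("..."):
#
#   static String a(String s) {
#       char[] c = s.toCharArray();
#       for (int i = 0; i < c.length; i++)
#           c[i] = (char) (((c[i] - 33 - i * 7) % 94 + 94) % 94 + 33);
#       return new String(c);
#   }
import re


def decode(s):
    """Python port of the hypothetical a(): shift each char back within the
    printable range 33..126, the shift growing by 7 per position. Python's %
    is already non-negative, so Java's '+ 94) % 94' dance is not needed."""
    return "".join(chr((ord(ch) - 33 - i * 7) % 94 + 33) for i, ch in enumerate(s))


def encode(plain):
    """Inverse of decode(); used only to construct sample inputs (printable,
    non-space ASCII, which is what the transform assumes)."""
    return "".join(chr((ord(ch) - 33 + i * 7) % 94 + 33) for i, ch in enumerate(plain))


def java_escape(s):
    """Escape a string for use inside a Java string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def java_unescape(lit):
    """Undo java_escape() on the body of a decompiled literal."""
    return lit.replace('\\"', '"').replace("\\\\", "\\")


# Matches a("...") and tolerates escaped quotes/backslashes inside the literal.
CALL = re.compile(r'\ba\("((?:[^"\\]|\\.)*)"\)')


def rewrite_decompiled(src):
    """Replace every a("<encoded>") call with the decoded string literal."""
    return CALL.sub(lambda m: '"' + java_escape(decode(java_unescape(m.group(1)))) + '"', src)


# Constructed decompiled snippet; both literals are encode()d placeholders.
SAMPLE_SOURCE = (
    'String host = a("%s");\n'
    'String db = a("%s");\n'
) % (java_escape(encode("c2.example.invalid:4444")), java_escape(encode("Psettings.db")))
```

Feeding a whole decompiled tree through `rewrite_decompiled` turns the obfuscated source into something greppable for hosts, file names and registry paths; the same port of `decode` can then be reused as the decoder in a static configuration-extraction script.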
80. RATDecoders
• Github repository by kevthehermit [27]
• Contains static configuration decoding scripts for many RATs
• Not just Java based ones
• Fantastic resource for building a static Intel pipeline
• Combine with VirusTotal, Laikaboss [28], etc
• A handful of vendors are doing this internally
81. Pitfalls and Oversights
• Yara rules based on resource names work except when they don’t
• Jarinjarloader is tricky
• set as the main-class in a jar’s manifest
• It then loads a different class (from a URL or from itself)
• Manifest files are not required for Jars to execute
82. Key Take Away Items
Java RATs emerged ~2010
Still not extremely popular
Their use is growing
Used by spectrum of actors
Look at the tools I mentioned, they work well
Reach out if you’re interested in collaborating or have questions