021. Do You Think This Java.exe is Legitimate?

Hello everyone! Today we're going to talk about malicious JAR files, and look at an activity cluster we track as Bloody Wolf, which mostly targets Kazakhstan.


So, this cluster leverages phishing emails to deliver PDF documents, which contain links to malicious JAR files. Interestingly enough, such PDF files even include instructions on how to download and install Java. One may think that adversaries won't compromise anybody using such an approach. And one would be wrong: a recent campaign we tracked led to hundreds of systems being compromised!

Ok, let's look at some detection opportunities:

  • Execution of JAR files from unexpected locations using java.exe -jar
  • Creation of scheduled tasks for JAR files with schtasks
  • Network connections to pastebin[.]com initiated by JAR files
These are just a few examples; there are more, of course! Spotted it? Share in the comments section!
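As an added example (not code from the post or from the Bloody Wolf campaign), here is a small Python detector that checks the three opportunities above against constructed sample events in a simplified EDR/Sysmon-like shape; the event fields and the list of expected JAR directories are assumptions you would adapt to your own telemetry:

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (not real campaign data): simplified
# process-creation and network-connection events.
EVENTS: List[Dict[str, str]] = [
    {"id": "1", "type": "process", "image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "cmdline": r'java.exe -jar "C:\Users\user\Downloads\Contract.jar"'},
    {"id": "2", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 5 /tn Update /tr "javaw -jar C:\Users\user\AppData\Roaming\upd.jar"'},
    {"id": "3", "type": "network", "image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "dest_host": "pastebin.com", "dest_port": "443"},
    {"id": "4", "type": "process", "image": r"C:\Program Files\Java\jre8\bin\java.exe",
     "cmdline": r'java.exe -jar "C:\Program Files\Vendor\tool.jar"'},
]

# Assumed: directories where JAR execution is expected in this environment.
EXPECTED_JAR_DIRS = (r"c:\program files", r"c:\program files (x86)")
JAR_RE = re.compile(r'"?([a-z]:\\[^"\s]+\.jar)"?', re.IGNORECASE)
JAVA_BIN = ("java.exe", "javaw.exe")


def jar_paths(cmdline: str) -> List[str]:
    """Return all lower-cased absolute .jar paths found in a command line."""
    return [m.lower() for m in JAR_RE.findall(cmdline)]


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (rule_name, event_id) pairs for events matching the three rules."""
    hits: List[Tuple[str, str]] = []
    for ev in events:
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            # Rule 1: java.exe -jar with a JAR outside the expected directories.
            if image in JAVA_BIN and "-jar" in cmd.lower():
                for path in jar_paths(cmd):
                    if not path.startswith(EXPECTED_JAR_DIRS):
                        hits.append(("jar_unexpected_location", ev["id"]))
            # Rule 2: a scheduled task being created whose action runs a JAR.
            elif image == "schtasks.exe" and "/create" in cmd.lower() and jar_paths(cmd):
                hits.append(("schtasks_jar_task", ev["id"]))
        elif ev["type"] == "network":
            # Rule 3: Java process talking to pastebin.com (or a subdomain).
            host = ev["dest_host"].lower()
            if image in JAVA_BIN and (host == "pastebin.com" or host.endswith(".pastebin.com")):
                hits.append(("java_to_pastebin", ev["id"]))
    return hits
```

Running `detect(EVENTS)` flags events 1, 2 and 3 and leaves the vendor JAR under Program Files (event 4) alone; tune `EXPECTED_JAR_DIRS` to where JARs legitimately live in your environment to keep the first rule quiet.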

See you tomorrow!
