022. That's How FIN7 Uses Malicious JAR Files

Hello everyone! Yesterday we talked about malicious JAR files. And guess what? I just ran into a fresh report from the Sophos MDR team - they show how the notorious FIN7 group uses such files.

Let's start with how these files were delivered to the compromised system - it's also very interesting. First, the adversary sent a large volume of spam messages (over 3000) to the victim. Shortly after, the victim received a Teams call. The threat actor impersonated a help desk specialist and asked the victim to allow a remote screen control session through Teams. This session was then used to drop malicious files onto the compromised system.

And yes, the first stage is a JAR file, which was executed through the same remote session:

C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe -jar C:\Users\Public\Documents\MailQueue-Handler\MailQueue-Handler.jar

Another malicious JAR file leveraged by the threat actors is a credential harvester:

“C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe” -jar C:\Users\Public\Documents\MailQueue-Handler\identity.jar

A similar email bombing case was covered by Rapid7 in December 2024. That adversary also used a malicious JAR file named identity.jar:


As you can see, JAR files are not that rare in intrusions, so javaw.exe / java.exe launching a JAR from an unusual location is a good candidate for your threat hunting missions!

See you tomorrow!
