022. That's How FIN7 Uses Malicious JAR Files
Let's start with how these files were delivered to the compromised system, which is itself interesting. First, the adversary sent a large volume of spam messages (over 3000) to the victim. Shortly after, the victim received a Teams call: the threat actor impersonated a help desk specialist and asked the victim to allow a remote screen control session through Teams. The attacker then used this session to drop malicious files onto the compromised system.
And yes, the first stage is a JAR file, which was executed through the same remote session:
C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe -jar C:\Users\Public\Documents\MailQueue-Handler\MailQueue-Handler.jar
Another malicious JAR file leveraged by the threat actors is a credential harvester:
"C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe" -jar C:\Users\Public\Documents\MailQueue-Handler\identity.jar
A similar email bombing case was covered by Rapid7 in December 2024. In that case the adversary also used a malicious JAR file named identity.jar.
As you can see, malicious JAR files are not that rare, so a Java runtime launching a JAR from a user-writable directory is a good candidate for your threat hunting missions!
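Here is what such a hunt can look like in practice. This is an added example, not code from the original post or from any of the reports it mentions: it walks over process creation records (constructed here to mirror the two command lines above, plus a benign JDK launch and a constructed portable-JRE launch for a user "alice") and flags a java.exe/javaw.exe process when the runtime itself lives outside Program Files or when the `-jar` argument points into a user-writable location. The list of "user-writable" prefixes and "trusted" Java roots is this example's assumption, not a published indicator set; tune it to your environment.

```python
import ntpath
import re

# Assumed user-writable roots where a legitimate JDK or application JAR
# rarely lives. This is the example's assumption, not a vendor indicator list.
WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
# Per-user profile locations (AppData, Downloads, Desktop) matched by regex.
PROFILE_RE = re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.IGNORECASE)
# Assumed roots of properly installed Java runtimes.
TRUSTED_JAVA_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")
JAVA_IMAGES = {"java.exe", "javaw.exe"}

# Constructed sample records modelled on Sysmon Event ID 1 fields (Image, CommandLine).
# Records 1 and 2 reproduce the command lines from the post; 3 and 4 are benign
# controls; 5 is a constructed portable JRE launched from a user's Temp directory.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe",
     "CommandLine": r"C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe -jar C:\Users\Public\Documents\MailQueue-Handler\MailQueue-Handler.jar"},
    {"Image": r"C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe",
     "CommandLine": r'"C:\Users\Public\Documents\MailQueue-Handler\jdk-23.0.1\bin\javaw.exe" -jar C:\Users\Public\Documents\MailQueue-Handler\identity.jar'},
    {"Image": r"C:\Program Files\Java\jdk-17.0.2\bin\java.exe",
     "CommandLine": r'"C:\Program Files\Java\jdk-17.0.2\bin\java.exe" -jar "C:\Program Files\Vendor\app.jar"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe",
     "CommandLine": r"C:\Users\alice\AppData\Local\Temp\jre\bin\javaw.exe -cp lib\app.jar Main"},
]


def tokenize(cmdline):
    """Split a Windows command line into arguments, keeping quoted paths whole (quotes stripped)."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def is_user_writable(path):
    """True when the path sits under one of the assumed user-writable roots."""
    p = path.lower()
    return p.startswith(WRITABLE_PREFIXES) or PROFILE_RE.match(p) is not None


def jar_argument(tokens):
    """Return the path that follows -jar, or None when the JVM is not launching a JAR."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == "-jar":
            return tokens[i + 1]
    return None


def analyze(event):
    """Return a finding dict for a suspicious Java launch, or None for anything else."""
    image = event["Image"]
    if ntpath.basename(image).lower() not in JAVA_IMAGES:
        return None
    reasons = []
    # A JDK/JRE dropped next to the payload (as in the post) is itself a signal,
    # even before looking at what it executes.
    if not image.lower().startswith(TRUSTED_JAVA_ROOTS):
        reasons.append("java runtime outside Program Files: " + image)
    jar = jar_argument(tokenize(event["CommandLine"]))
    if jar is not None and is_user_writable(jar):
        reasons.append("-jar from user-writable path: " + jar)
    if not reasons:
        return None
    return {"Image": image, "Jar": jar, "Reasons": reasons}


def hunt(events):
    """Run analyze() over a batch of records and keep only the hits."""
    return [finding for finding in map(analyze, events) if finding is not None]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["Image"])
        for reason in hit["Reasons"]:
            print("  -", reason)
```

Feed it your own process creation telemetry (Sysmon Event ID 1, EDR process events, Security 4688 with command line logging) after mapping the fields to `Image` and `CommandLine`. The two checks are deliberately independent: a JVM launched from Public\Documents is worth a look even when the command line uses `-cp` instead of `-jar`, and a JAR from a user profile is worth a look even when it runs under a properly installed JDK.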
See you tomorrow!