X-Labs
September 9, 2020

Java Network Launch Protocol - Another way for distributing Java downloaders

Forcepoint X-Labs have recently been monitoring emerging malware distribution campaigns that utilize the Java platform. Java downloaders have been a known threat for quite a while, yet there is at least one unexplored feature of the platform that helps to automate malware download and execution. The Java Network Launch Protocol (JNLP) was intended to be a simple mechanism for starting remote Java applications by double clicking on the equivalent of a Windows Link file. It is currently being leveraged as a novel way to auto-execute malicious Java files.

What is Java Web Start?

Java Web Start or Java Network Launch Protocol - as programmers often refer to it - is a protocol using the XML markup language. It was designed  for the sole purpose of automatically starting Java applications from a remote location. For that to work the JNLP file must contain a host address and path of the target Java application package (JAR) to be downloaded and executed. Once the user double clicks on a JNLP file, Java would attempt to reach out to the host described in the XML structure, download the specified JAR package and, if successful, execute it. The only prerequisite is the existence of the Java Runtime Environment (JRE) on the local PC.

Side note: If you are unsure whether you have Java installed on your machine, you can perform a quick check as per this guide.

If you do, it might be worth flagging to your IT team. We have been warning of the vulnerable nature of Java since at least 2013.

 

It is rather obvious that this functionality provides an appealing opportunity for automating the download and execution of a malicious file.

The Italian Job

Malicious spam campaigns utilizing a JNLP attachment - either as-is, or inside a ZIP archive -   started to appear in recent weeks. The messages seem to be coming from the INPS (Istituto Nazionale della Previdenza Sociale) which is the main entity of Italy's public retirement system. Interestingly enough, the INPS website was subject to attack in early 2020 as Italian citizens started to apply for benefits; but this time their name is being used as a lure, such is the organization’s relevance.

 

It is encouraging people to have a look at their balance and claim a refund by opening the attachment. The logo of INPS is included, however taking a closer look at the sender address, the clumsily written message body, and the attachment, make it easy to see that it is suspicious. Opening the JNLP attachment in a text editor clearly reveals the first stage C2 address.

 

First stage

Visiting the remote location from anywhere but an Italian IP address will result in the server  ignoring the request. Considering the exclusively Italian message body along with the .it destination email address indicates the use of geofencing. Whilst visiting the C2 address from the right location results in the download of a small JAR application around 6kb in size. Upon further inspection, this JAR package contains only one Java Class, which is unusual for a benign Java application. Decompilation of the Java bytecode results in a short piece of source code, with yet another suspicious looking remote location and the official website of the INPS. The latter one acting as a decoy, it would be opened in a browser while "nazionale.jpg" is being silently downloaded and executed in the background.

 

Second stage

The second stage C2 contains the final payload in the chain and is also geofenced. Successful download of the "nazionale.jpg" file will only occur if it was requested from an accepted geolocation. Note that in certain cases the content of the "nazionale.jpg" file was later replaced by a benign PuTTY telnet client application before the C2 would become unresponsive - likely the result of a takedown operation.

 The payloads

The binaries we’ve been seeing deployed on the second stage C2 were two of a kind so far. Either an NSIS archive with only one embedded file inside, which would be loaded directly into memory and executed by the NSIS script, or a small executable with a custom exepacker on top of it. The commonality between them is the distribution of one of the popular banking trojans, ISFB IAP, a well-known Gozi fork.

Small scale campaigns

There have been only a handful of small-scale campaigns where JNLP files were utilized, with less than a thousand email messages for each, and their attributes changing frequently. The email attachments were quickly altered for the INPS themed emails, instead of JNLP they were reverting back to documents with Excel 4.0 macros within a couple of days. In June Trustwave noted a COVID-19 themed lure pushing TrickBot. We observed yet another completely different JNLP based campaign pushing the NetWire RAT recently. These frequent changes are just reflections of the common TTPs used by threat actors behind these campaigns.

Conclusion

Having autostart functionality in popular applications or platforms doesn't necessarily mean they are safe to use or were created with security in mind. Most likely they just haven't been explored and exploited by cybercriminals yet. The Web Start feature of Java is a perfect example that showcases this technique, and has been waiting silently to be revisited by cybercriminals many years after its first malicious use in 2013. Organizations - unless they heavily rely on it - are advised to block JNLP file attachments at the gateway level to prevent unwanted execution along with its consequences.

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack: 

  • Stage 2 (Lure) – Malicious emails associated with these attacks are identified and blocked.
  • Stage 5 (Dropper File) – Malicious files are prevented from being downloaded.
  • Stage 6 (Call Home) – Attempts to contact C2 servers are blocked.

IOCs

C2 Servers

  • hxxp://social.interactivegood[.]com/
  • hxxp://gstat.americansreachingmanyservices[.]com/
  • hxxp://gstat.rayzacastillo[.]com/images/
  • hxxp://social.farfetchedproductions[.]com/
  • hxxps://line.campdiy[.]com/
  • hxxp://gstat.farmlifesupplements[.]com/images/
  • hxxps://payreceipt[.]top/receipt/
  • hxxps://transferreceipt[.]xyz/bin/

JNLPs

  • 0776f05b3dd4d3e64d67f546c96db8eaeda43dc0
  • eb754e01f809b42bcf3675a8bd4e5481eab8d08f
  • b8aa4fbba139b8f783a52c3ba8e8a4091eaf0c05

JARs

  • 10c733da7668d037bd743430523403197641715a
  • 45e2fdc19e91f2264e11a97c70e3ba1d86e8a678
  • f9419377e43e8e8a911924face6c1660c85957c2

EXEs

  • cd2faa0ea08db2a1c9c430891c4a82304d3add57
  • e525bde63dfb455358c5f827b409c2bf2bc3caf6
  • 05e39e5621f3ca78556d9b345b9e3519d066e4bc
  • 8724aaa2cfdbbb2832ffa278c23a11ad04902b5d
  • 40065d1f0bf0b901b339ce476f62295f5e6f8c40
  • d4e84b7d26bf91c8c5ae104f6467204df5f069cb

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.