Downloader Malware Written in JPHP Interpreter

A recent discovery by AhnLab Security Intelligence Center (ASEC) revealed malware built with JPHP, a PHP interpreter for the Java Virtual Machine. The malware is distributed as a ZIP file that bundles the Java Runtime Environment (JRE), so the malicious code runs without a separately installed Java environment. It notably uses Telegram as a command-and-control (C2) channel, which lets the operators change its behavior flexibly. The malware mainly appears to distribute data breach tools such as Strrat and Danabot. Affected: malware victims, software development, cybersecurity.

Keypoints :

  • Malware was discovered that was built with JPHP, which runs on the Java Virtual Machine.
  • JPHP allows PHP code to run in a Java environment and is faster thanks to JIT compilation.
  • The malware is distributed as a ZIP file containing a JRE and various libraries.
  • Execution is initiated by a .exe file that runs javaw.exe with the specified libraries.
  • The malware's JPHP component consists of .phb files, the bytecode form into which JPHP compiles PHP source.
  • Threat actors use Telegram for additional C2 communications and instruction delivery.
  • The malware is primarily designed to download further malware, including Strrat and Danabot.
  • The report emphasizes the importance of reviewing the source of executable files to prevent malware infections.
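
As an added example (not code from the ASEC report), the following Python triage helper scans a ZIP archive for the packaging pattern described above: a root-level .exe launcher, a bundled JRE and compiled JPHP .phb files in one archive. The JRE marker paths, the scoring logic and the sample archive it builds are constructed assumptions for illustration.

```python
import io
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePosixPath

# Assumed JRE marker paths (hypothetical heuristic, not taken from the report).
JRE_MARKERS = ("bin/javaw.exe", "bin/java.exe", "lib/rt.jar", "lib/modules")


@dataclass
class ScanResult:
    has_exe_launcher: bool = False
    has_bundled_jre: bool = False
    phb_files: list = field(default_factory=list)
    jar_files: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Flag only the full combination: launcher .exe + bundled JRE + JPHP bytecode.
        return self.has_exe_launcher and self.has_bundled_jre and bool(self.phb_files)


def scan_zip(data: bytes) -> ScanResult:
    """Inspect archive member names without extracting or executing anything."""
    result = ScanResult()
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            p = PurePosixPath(name.lower())
            if p.suffix == ".exe" and len(p.parts) == 1:   # .exe at archive root
                result.has_exe_launcher = True
            if any(str(p).endswith(m) for m in JRE_MARKERS):
                result.has_bundled_jre = True
            if p.suffix == ".phb":
                result.phb_files.append(name)
            elif p.suffix == ".jar":
                result.jar_files.append(name)
    return result


def build_sample(with_phb: bool = True) -> bytes:
    """Constructed sample archive mirroring the described layout; contains no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Launcher.exe", b"MZ placeholder")
        zf.writestr("jre/bin/javaw.exe", b"MZ placeholder")
        zf.writestr("lib/jphp-core.jar", b"PK placeholder")
        if with_phb:
            zf.writestr("app/index.phb", b"phb placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    r = scan_zip(build_sample())
    print("suspicious:", r.suspicious, "phb:", r.phb_files, "jars:", r.jar_files)
```

Member names alone are a cheap first-pass signal; a production check would also verify the launcher's PE imports and the .phb magic bytes before alerting.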

MITRE Techniques :

  • T1203 – Exploitation for Client Execution: The malware exploits the execution of the .exe file that triggers JPHP.
  • T1071 – Application Layer Protocol: Uses Telegram for C2 communication, allowing for dynamic C2 address modifications.
  • T1070 – Indicator Removal on Host: The malware disables Windows Defender behavior monitoring features.
  • T1484 – Domain Credential Dumping: Use of the t.me domain for redirecting to malicious C2.

Indicators of Compromise :



Full Story: https://asec.ahnlab.com/en/86859/