We recently came across a compromised Colombian Transport website where the malware author utilizes social engineering by displaying a signed applet upon visiting the page.
Here is what is shown if visited using Windows:
And using MacOS:
The JAR file checks if the user's machine is running in Windows, Mac or Linux then downloads the appropriate files for the platform.
All three files for the three different platforms behave the same way. They all connect to 18.104.22.168 to get additional code to execute. The ports are 8080, 8081, and 8082 for OSX, Linux, and Windows respectively.
The files are detected as: Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7) Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef) Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88) Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)
The MacOSX sample is a PowerPC binary, as such, executing the file in an Intel-based platform will require Rosetta:
The C&C and hacked website have been reported.
Thanks to Brod for the payload analysis.
Changed typo error on IP address (from 22.214.171.124 to 126.96.36.199). Thanks Costin for spotting this!