<<<
NEWS FROM THE LAB - Monday, July 9, 2012
>>>
Multi-platform Backdoor Lurks in Colombian Transport Site
Posted by Karmina @ 16:06 GMT

We recently came across a compromised Colombian transport website where the attacker relies on social engineering: visitors to the page are prompted to run a signed Java applet.

Here is what is shown if visited using Windows:

ff_sig (46k image)

And using MacOS:

mac_sig (52k image)

The JAR file checks whether the user's machine is running Windows, Mac or Linux, then downloads the payload built for that platform.

jar_code (123k image)

The three payloads behave the same way on their respective platforms: each connects to 186.87.69.249 to fetch additional code to execute. The ports used are 8080, 8081, and 8082 for OSX, Linux, and Windows respectively.

The files are detected as:
Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)
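The C&C address, the per-platform port mapping and the four SHA-1 hashes above are the indicators a defender can act on. The following Python script is an added example (not code from the original post or from F-Secure) that applies them: it scans firewall-style log lines for connections to the C&C, infers the victim platform from the destination port, and checks a file's SHA-1 against the listed samples. The log format is a hypothetical one constructed for the example, and the sample log lines and the non-C&C address 192.0.2.10 are constructed too.

```python
import hashlib
import re

# Indicators taken from the post: C&C address, per-platform ports, sample SHA-1s.
CNC_IP = "186.87.69.249"
PORT_TO_PLATFORM = {8080: "OSX", 8081: "Linux", 8082: "Windows"}
KNOWN_SHA1 = {
    "4a52bb43ff4ae19816e1b97453835da3565387b7": "Trojan-Downloader:Java/GetShell.A",
    "b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef": "Backdoor:OSX/GetShell.A",
    "359a996b841bc02d339279d29112fe980637bf88": "Backdoor:Linux/GetShell.A",
    "26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a": "Backdoor:W32/GetShell.A",
}

# Constructed firewall-style log lines (hypothetical format):
# <timestamp> <source host> <destination ip>:<port> <action>
SAMPLE_LOG = """\
2012-07-09T15:58:01Z 10.0.0.12 186.87.69.249:8082 ALLOW
2012-07-09T15:58:05Z 10.0.0.12 192.0.2.10:443 ALLOW
2012-07-09T16:01:11Z 10.0.0.27 186.87.69.249:8080 ALLOW
2012-07-09T16:02:40Z 10.0.0.31 186.87.69.249:8081 DENY
2012-07-09T16:03:02Z 10.0.0.12 186.87.69.249:9999 ALLOW
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\d{1,3}(?:\.\d{1,3}){3}):(\d+) (\S+)$")


def find_cnc_connections(log_text):
    """Return (timestamp, src, port, platform, action) for every line whose
    destination is the C&C address. A hit on a port outside the known
    mapping is still reported, with platform 'unknown', so that an
    unexpected port is not silently dropped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        ts, src, dst, port, action = m.groups()
        if dst != CNC_IP:
            continue
        port = int(port)
        hits.append((ts, src, port, PORT_TO_PLATFORM.get(port, "unknown"), action))
    return hits


def hosts_by_platform(hits):
    """Group source hosts by the platform implied by the C&C port they used."""
    groups = {}
    for _, src, _, platform, _ in hits:
        groups.setdefault(platform, set()).add(src)
    return groups


def classify_file(data):
    """Return the detection name if the SHA-1 of `data` matches one of the
    listed samples, otherwise None."""
    return KNOWN_SHA1.get(hashlib.sha1(data).hexdigest())


if __name__ == "__main__":
    hits = find_cnc_connections(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(hosts_by_platform(hits))
    # Constructed bytes, so this prints None rather than a detection name.
    print(classify_file(b"constructed test bytes"))
```

The port-to-platform mapping is only a hint for triage: a DENY on 8081 still tells you a Linux host tried to reach the C&C, and a connection on an unlisted port is worth a look rather than being ignored. Hash matching catches only these exact samples; network indicators are the more durable of the two.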

The Mac OS X sample is a PowerPC binary, so running it on an Intel-based Mac requires Rosetta:

intel (30k image)

The C&C and hacked website have been reported.

Thanks to Brod for the payload analysis.

Update:

Corrected a typo in the IP address (from 186.69.87.249 to 186.87.69.249). Thanks Costin for spotting this!

The JAR file appears to be generated using the Social-Engineer Toolkit.