JACKSBOT Has Some Dirty Tricks up Its Sleeves
Contrary to initial reports, JACKSBOT may not be as low risk as initially thought. We noted some JACKSBOT infections in the wild, indicating that the people behind this multiplatform malware are saving their best tricks for last.
We analyzed the JACKSBOT backdoor family (specific detection name JAVA_JACKSBOT.A), which arrives as a Java application. Because it is a Java application, it can run on any platform that supports the Java Runtime Environment. When it was first reported, it was considered low risk and no actual infection was recorded. However, days after the report was released, Trend Micro successfully cleaned two infections: one in Australia and one in Malaysia. This indicates that the malware is now being distributed in the wild.
There is a possibility that this malware presents itself as a Minecraft modification to unsuspecting users as it contains the special command “MC” for stealing Minecraft passwords from the compromised system.
Using a decompiler, I was able to see how this malware performs its dirty work. As seen in the screenshot below, the malware checks the OS currently running on the system.
JACKSBOT can also be considered as a remote access Trojan (RAT), which is capable of taking control of the compromised system with some of the following backdoor commands:
However, the malware’s focus is mainly on Windows. The malware writers behind JACKSBOT may just be testing the waters for a successful multiplatform malware; however, for now they appear to be unwilling to invest the time and resources to develop the code more completely. Consider this excerpt of the malware’s code focusing on Windows, as seen below:
For those familiar with running Linux and Mac, the “LOGOUT” system command could also have been implemented for Linux and Mac, but the malware writer chose not to – which makes sense, given that the main target platform is Windows.
A deeper look into the malware’s routines reveals that it is capable of visiting URLs, creating files and/or folders, running shell commands as well as executing and ending programs. It can also steal information by logging keystrokes and mouse events.
JACKSBOT’s information-stealing capabilities would be useless if it could not properly log the stolen data to a file. However, the malware covers this for all target OSes. Other commands that may be bothersome to users include displaying message boxes, stealing system information and files, visiting remote URLs, performing DDoS attacks and capturing screenshots.
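The OS check described above and the capability list (shell commands, URL access, screen capture, logging stolen data to a file, Minecraft password theft) are all things an analyst can triage statically before ever running a suspicious JAR. The following is an added example, not code from the original post and not taken from the JAVA_JACKSBOT.A sample: a small Python script that opens a Java archive, scans each `.class` entry for JRE API references that a compiled class would carry in its constant pool, and reports which capabilities each class appears to have. The indicator strings are the author's assumptions about what a decompiled backdoor of this kind would reference (for example `System.getProperty("os.name")` for the platform check), not signatures extracted from the real sample, and the sample JAR is constructed in memory with fake class bytes so the script runs offline.

```python
"""Static triage of a JAR for capabilities a JACKSBOT-style backdoor needs.

Indicator strings are assumed JRE API references (author's assumptions),
not strings taken from the actual JAVA_JACKSBOT.A sample.
"""
import io
import zipfile

# Indicator bytes -> capability label.  Class files store string constants as
# (modified) UTF-8 in the constant pool, so plain byte search works for ASCII.
INDICATORS = {
    b"os.name": "platform check (System.getProperty(\"os.name\"))",
    b"java/lang/Runtime": "shell command execution",
    b"java/lang/ProcessBuilder": "shell command execution",
    b"java/awt/Robot": "screen capture / input injection",
    b"java/net/URL": "remote URL access",
    b"java/io/FileOutputStream": "writing logged data to disk",
    b"minecraft": "Minecraft credential theft",
}


def scan_class_bytes(data: bytes) -> set:
    """Return the set of capability labels whose indicator appears in one class."""
    lowered = data.lower()  # case-insensitive so "Minecraft"/"minecraft" both hit
    return {label for needle, label in INDICATORS.items() if needle.lower() in lowered}


def triage_jar(jar_bytes: bytes) -> dict:
    """Map each .class entry in the archive to the capabilities it references.

    Entries with no hits are omitted so the report only lists suspicious classes.
    """
    findings = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue  # manifests, resources and images are not scanned
            hits = scan_class_bytes(jar.read(entry))
            if hits:
                findings[entry] = hits
    return findings


def risk_score(findings: dict) -> int:
    """Number of distinct capabilities seen across the whole archive."""
    if not findings:
        return 0
    return len(set().union(*findings.values()))


def build_sample_jar() -> bytes:
    """Constructed sample JAR (not a real malware sample).

    The .class entries are fake: a class-file magic number followed by the
    kind of constant-pool strings a compiled backdoor class would contain.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("bot/Main.class",
                     b"\xca\xfe\xba\xbe os.name java/lang/Runtime")
        jar.writestr("bot/Logger.class",
                     b"\xca\xfe\xba\xbe java/io/FileOutputStream keys.log")
        jar.writestr("bot/Steal.class",
                     b"\xca\xfe\xba\xbe Minecraft java/awt/Robot")
        jar.writestr("bot/Util.class",
                     b"\xca\xfe\xba\xbe java/lang/String helper")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    for entry, caps in sorted(report.items()):
        print(f"{entry}: {', '.join(sorted(caps))}")
    print(f"distinct capabilities: {risk_score(report)}")
```

The script is a triage aid, not a detector: a legitimate Minecraft mod will also reference `java/net/URL` and `java/io/FileOutputStream`, so what matters is the combination (an OS check plus process execution plus screen capture plus a credential-related string in one archive), which is why `risk_score` counts distinct capabilities across the archive rather than individual hits. Real class files may also obfuscate or split these strings, so a clean result should be followed by decompilation, as the author did.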
With the tight market competition among OSes and the growing market for Mac OS X, it’s efficient for cybercriminals to write multiplatform malware rather than OS-specific binaries. Although there are only two infections right now, JACKSBOT and its kin may in fact be the next trend in the threat landscape considering the rapidly changing market. Additionally, it is likely that the authors will continue to improve the code to fully support infection on OS X and Linux.
Users with a JACKSBOT-infected system may unknowingly be giving away all of their important data to someone else. This malware also allows cybercriminals to modify the affected system. Thus, users should be cautious before downloading files from suspicious URLs, especially cracks or hacks, as these may lead to system compromise.
The Trend Micro Smart Protection Network detects and deletes JAVA_JACKSBOT.A if it is found on user systems.
With additional insights from Roland dela Paz