Multi-platform Backdoor Lurks in Colombian Transport Site

We recently came across a compromised Colombian Transport website where the malware author utilizes social engineering by displaying a signed applet upon visiting the page.

Here is what is shown when the site is visited from Windows:

ff_sig (46k image)

And when visited from Mac OS:

mac_sig (52k image)

The JAR file checks whether the user's machine is running Windows, Mac or Linux, then downloads the files appropriate for that platform.

jar_code (123k image)

All three files, one per platform, behave the same way: each connects to 186.69.87.249 to fetch additional code to execute. The ports are 8080, 8081 and 8082 for OSX, Linux and Windows respectively. At the time of writing, the server has not served any code.

The files are detected as:
Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)
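To turn the indicators above into something a defender can run, here is an added example (not code from the original post or from the analysts) that matches file hashes against the four published SHA-1s and flags outbound connections to the C&C on the three platform ports, inferring the victim platform from the port. The firewall log format and the log lines themselves are constructed for the example; the C&C address, ports, hashes and detection names are those stated in the post.

```python
import hashlib
import re
from pathlib import Path

# Indicators taken from the post: C&C address, per-platform ports, sample SHA-1s.
CNC_IP = "186.69.87.249"
PORT_TO_PLATFORM = {8080: "OSX", 8081: "Linux", 8082: "Windows"}
KNOWN_SHA1 = {
    "4a52bb43ff4ae19816e1b97453835da3565387b7": "Trojan-Downloader:Java/GetShell.A",
    "b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef": "Backdoor:OSX/GetShell.A",
    "359a996b841bc02d339279d29112fe980637bf88": "Backdoor:Linux/GetShell.A",
    "26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a": "Backdoor:W32/GetShell.A",
}


def sha1_hex(data: bytes) -> str:
    """SHA-1 hex digest of an in-memory byte string."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path) -> str:
    """SHA-1 of a file, read in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_sha1(digest: str):
    """Return the detection name for a known sample hash, or None if unknown."""
    return KNOWN_SHA1.get(digest.lower())


def scan_directory(root):
    """Walk a directory tree and return {path: detection_name} for matching files."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            name = classify_sha1(sha1_of_file(p))
            if name:
                hits[str(p)] = name
    return hits


# Constructed (assumed) firewall log format: "<date> <time> <src_ip> -> <dst_ip>:<dst_port> <action>"
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\S+)$")


def match_cnc_connections(log_lines):
    """Return (timestamp, src_ip, port, inferred_platform) for each connection to the C&C
    on one of the three backdoor ports; other destinations and malformed lines are skipped."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, _action = m.groups()
        port = int(port)
        if dst == CNC_IP and port in PORT_TO_PLATFORM:
            alerts.append((ts, src, port, PORT_TO_PLATFORM[port]))
    return alerts


# Constructed sample log lines; 192.0.2.0/24 is documentation address space, not a real host.
SAMPLE_LOG = [
    "2012-07-09 15:58:01 10.0.0.12 -> 186.69.87.249:8082 ALLOW",
    "2012-07-09 15:58:03 10.0.0.12 -> 192.0.2.10:443 ALLOW",
    "2012-07-09 16:01:47 10.0.0.25 -> 186.69.87.249:8080 ALLOW",
    "2012-07-09 16:02:10 10.0.0.40 -> 186.69.87.249:22 DENY",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    for ts, src, port, platform in match_cnc_connections(SAMPLE_LOG):
        print(f"{ts} {src} contacted C&C on port {port} (likely {platform} host)")
    # Hash matching against a directory of suspect files, e.g. scan_directory("/tmp/quarantine")
```

The port-to-platform mapping is only a hint for triage: it tells you which of the three payloads the infected host most likely ran, which decides whether to look for a PowerPC Mach-O, an ELF or a Win32 binary on the machine. Hash matching catches only these exact samples; any recompiled variant needs behavioural indicators such as the C&C traffic itself.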

The Mac OS X sample is a PowerPC binary, so executing it on an Intel-based Mac requires Rosetta:

intel (30k image)

The C&C and hacked website have been reported.

Thanks to Brod for the payload analysis.


On 09/07/12 At 04:06 PM


Story added 9 July 2012.