The Latest in IT Security

Multi-platform Backdoor Lurks in Colombian Transport Site

09 Jul 2012

We recently came across a compromised Colombian Transport website where the malware author utilizes social engineering by displaying a signed applet upon visiting the page.

Here is what is shown if visited using Windows:

[Image: the signed-applet security prompt as displayed on Windows]

And using MacOS:

[Image: the signed-applet security prompt as displayed on Mac OS X]

The JAR file checks whether the user's machine is running Windows, Mac OS X or Linux and then downloads the files appropriate for that platform.

[Image: decompiled JAR code performing the operating system check and per-platform download]

All three files for the three different platforms behave the same way. They all connect to 186.69.87.249 to fetch additional code to execute, on ports 8080, 8081, and 8082 for OS X, Linux, and Windows respectively. As of this writing, the server has not served any code.

The files are detected as:
Trojan-Downloader:Java/GetShell.A (sha1: 4a52bb43ff4ae19816e1b97453835da3565387b7)
Backdoor:OSX/GetShell.A (sha1: b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef)
Backdoor:Linux/GetShell.A (sha1: 359a996b841bc02d339279d29112fe980637bf88)
Backdoor:W32/GetShell.A (sha1: 26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a)
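For teams that want to check their own environment against the indicators above, here is an added example (not code from the original post or from the malware author) that matches outbound firewall log lines against the C&C address and its per-platform listener ports, and compares file SHA1 hashes against the four detections listed. The iptables-style log format and the sample lines are constructed for the example; a connection to the same host on a port other than the three listed is still reported, tagged as "unknown", rather than silently dropped.

```python
"""Added example: match log lines and file hashes against the GetShell indicators
published in the post above. The log format and sample lines are constructed."""
import hashlib
import re

# Indicators taken from the post.
C2_HOST = "186.69.87.249"
C2_PORTS = {8080: "OSX", 8081: "Linux", 8082: "Windows"}

KNOWN_SHA1 = {
    "4a52bb43ff4ae19816e1b97453835da3565387b7": "Trojan-Downloader:Java/GetShell.A",
    "b05b11bc8520e73a9d62a3dc1d5854d3b4a52cef": "Backdoor:OSX/GetShell.A",
    "359a996b841bc02d339279d29112fe980637bf88": "Backdoor:Linux/GetShell.A",
    "26fcc7d3106ab231ba0ed2cba34b7611dcf5fc0a": "Backdoor:W32/GetShell.A",
}

# Constructed sample lines in an assumed iptables-style logging format.
SAMPLE_LOG = """\
Jul  9 10:01:02 gw kernel: OUT SRC=10.0.0.12 DST=186.69.87.249 PROTO=TCP SPT=51234 DPT=8081
Jul  9 10:01:05 gw kernel: OUT SRC=10.0.0.13 DST=93.184.216.34 PROTO=TCP SPT=51235 DPT=443
Jul  9 10:02:17 gw kernel: OUT SRC=10.0.0.14 DST=186.69.87.249 PROTO=TCP SPT=51236 DPT=8082
Jul  9 10:02:20 gw kernel: OUT SRC=10.0.0.14 DST=186.69.87.249 PROTO=TCP SPT=51237 DPT=80
"""

# Pulls source address, destination address and destination port out of one line.
LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dpt>\d+)")


def find_c2_connections(log_text):
    """Return (src, dst_port, platform) for every line whose destination is the C&C host.

    Ports from the post map to the platform whose payload they serve; any other
    port on that host is reported as 'unknown' so it still gets a look.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("dst") != C2_HOST:
            continue
        port = int(m.group("dpt"))
        hits.append((m.group("src"), port, C2_PORTS.get(port, "unknown")))
    return hits


def classify_sha1(data):
    """Hash file bytes and return the detection name for a listed sample, else None."""
    digest = hashlib.sha1(data).hexdigest()
    return KNOWN_SHA1.get(digest)


def classify_file(path):
    """Convenience wrapper: hash a file on disk and classify it."""
    with open(path, "rb") as fh:
        return classify_sha1(fh.read())


if __name__ == "__main__":
    for src, port, platform in find_c2_connections(SAMPLE_LOG):
        print(f"{src} -> {C2_HOST}:{port} ({platform} payload port)")
```

Run it as-is to see the three constructed hits (Linux, Windows, unknown); point `classify_file` at quarantined samples to confirm which of the four detections they correspond to. Adapt `LINE_RE` to whatever your firewall or proxy actually writes.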

The Mac OS X sample is a PowerPC binary, so running it on an Intel-based Mac requires Rosetta:

[Image: the PowerPC binary prompting for Rosetta on an Intel Mac]

The C&C and hacked website have been reported.

Thanks to Brod for the payload analysis.
