A recent malware campaign targeting both Windows and Linux systems has been uncovered, revealing advanced evasion and credential theft techniques. The Sysdig Threat Research Team (TRT) discovered this operation, which started with a malicious Python script uploaded through a misconfigured system. This allowed for the download of crypto-miners and the deployment of stealthy tools for evasion and data exfiltration.
This sophisticated attack utilized different tactics for Linux and Windows, adapting its approach based on the operating system of the target. On Windows systems, the attackers utilized a Python function to install the Java Development Kit (JDK), enabling the execution of a Java Archive (JAR) file obtained from a previously active command-and-control (C2) server. The JAR file, known as application-ref.jar, acted as a loader, initiating a series of malicious components.
Within the JAR’s resources, two files named INT_D.DAT and INT_J.DAT were deployed to the victim’s machine. The malware then utilized a ProcessBuilder command with suspicious flags like -noverify and -XX:+DisableAttachMechanism, commonly used in malicious Java processes to avoid detection and disable debugging.
The most concerning payloads included several infostealers embedded within the final JAR. These components were responsible for credential theft from Chrome extensions, token harvesting from Discord via HTTP header inspection, and hardware and system reconnaissance using PowerShell and WebSockets. Additionally, a native DLL file named app_bound_decryptor.dll was delivered, performing XOR encoding/decoding, manipulating Windows named pipes, and incorporating sandbox evasion checks.
This campaign underscores the ongoing risks associated with misconfigured systems and the importance of effective detection strategies. Vulnerabilities like exposed web interfaces can allow remote attackers to upload and execute malicious scripts, leading to a broader compromise. To mitigate threats of this nature, organizations should implement behavior-based monitoring, anomaly detection, and layered runtime security controls.
Techniques such as YARA scanning, process behavior analysis, and DNS monitoring can help organizations identify and respond to suspicious activity early on. By staying vigilant and implementing robust security measures, businesses can better protect themselves against evolving cyber threats.