As we have noted before, attackers will leverage any file format they can to evade security protections put in place by their targets. (https://cofenselabs.com/all-you-need-is-text/).
On Jun 11, 2020 we noticed an odd file extension show up in our analysis pipeline.
It was a jnlp file. The jnlp extension is short for “Java Network Launch Protocol” and is a filetype used by Java with Java Web Start to load a java application. The file itself is a simple XML based format that is easily readable. This however did not stop this file type from evading a secure email gateway and finding its way in to a real estate industry mailbox.
The jnlp file format utilizes a similar URL building logic as we’ve seen in another technique dubbed ‘basestriker’ where by the primary domain and the path are separate entities. This may be the reason that this file format was selected. Below is the text of one of those files:
If this file was clicked and the user had java installed a couple of things would happen:
1) Java would load up the WHO website to make the user think the file is legitimate.
2) Java will also load the domain plus the “map.jar” file as the path and pull down and execute that jar file.
We analyzed this and found that once the jar file is loaded, it downloads an exe which further loads TrickBot. This can be seen in the following decompilation of that file:
Traffic analysis of the infection chain confirmed our findings with typical C2 traffic that is seen from TrickBot, but with a gtag we have not seen before, chil.
While TrickBot is not a new threat, this delivery chain is highly unusual. Leveraging the coronavirus as a lure as well as an uncommon file type likely to evade secure email gateways for delivery, and it’s not hard to see how this could be a very effective campaign.
MD5 (Application-Covid19.jnlp) = 51c0790a43c22efd4972b98283c45a98
MD5 (SARS-2_Form.jnlp) = 51c0790a43c22efd4972b98283c45a98
MD5 (map.exe) = dda70ed5f8e93b2456f593e8da46e464
MD5 (map.jar) = a716ca7b680734cb0ea6fa479b4da7a7