G Data researchers reveal: Java malware copies passwords and also enables remote control via RDP.
A newly discovered malware developed in Java can copy access data, remotely control the victim's computer and execute other commands. The integrated ransomware component is not yet fully functional.
Analysts from G DATA CyberDefense warn of new malware developed in Java. If the malware is active on a system, criminals can read passwords from browsers and the e-mail program. Since the malware has a remote access function (RAT), an attacker can also take control of the infected system remotely. The Remote Desktop Protocol (RDP) is used for this: a modified version of the "rdpwrap" tool (https://github.com/stascorp/rdpwrap) is downloaded in the background, and this modified version makes hidden RDP access possible.
In addition, the malware currently has only rudimentary ransomware components. So far there is no encryption, only a renaming of the files. Since malware is often developed continuously, this could change in future versions.
Unexpected: new Java malware
"The current malware is unusual, we haven't seen any new Java malware for a long time," says Karsten Hahn, Virus Analyst at G DATA. "With the malware that we have analyzed, we can already see attempted infections among our customers."
With the present infection path, the malware cannot run without Java. It can be assumed that the author of the software has been experimenting. However, there is already a feature that downloads and installs the Java Runtime Environment right before the infection with the Java malware. Anyone who already has a version of the Java Runtime Environment (JRE) installed on the computer is vulnerable to infection.
RDP access has traditionally been a popular means for criminals to gain access to systems in company networks. Companies, on the other hand, use RDP access for maintenance work and sometimes for remote work. Within a company network, care should therefore be taken to keep a close eye on RDP traffic in order to notice abnormalities immediately. Further technical details and graphics can be found in the tech blog article of our analyst Karsten Hahn.
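The following is an added defender-side check, not code from G DATA's analysis: it looks for the kind of silent RDP enablement the article describes and lists recent RDP logons. It assumes that, like the stock rdpwrap installer, a wrapper re-points the TermService ServiceDll away from termsrv.dll, and that RDP logons appear as Security event 4624 with logon type 10; a modified build may hide differently, so an empty result means "nothing found", not "clean".

```powershell
# Added example (not from the G DATA article). Run elevated on the host to inspect.
function Get-RdpExposureReport {
    $findings = @()

    # 1. Is the Terminal Services host DLL still the Microsoft one?
    #    Assumption: stock rdpwrap replaces this value with a path to rdpwrap.dll.
    $termsrv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService\Parameters' `
                                -Name ServiceDll -ErrorAction SilentlyContinue
    if ($termsrv -and $termsrv.ServiceDll -notmatch '\\termsrv\.dll$') {
        $dll = [Environment]::ExpandEnvironmentVariables($termsrv.ServiceDll)
        $sig = (Get-AuthenticodeSignature -FilePath $dll -ErrorAction SilentlyContinue).Status
        $findings += "TermService ServiceDll is non-default: $dll (signature: $sig)"
    }

    # 2. Has Remote Desktop been switched on, and is a listener actually up?
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                           -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($ts -and $ts.fDenyTSConnections -eq 0) {
        $findings += 'Remote Desktop connections are enabled (fDenyTSConnections = 0)'
    }
    $port = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                              -Name PortNumber -ErrorAction SilentlyContinue).PortNumber
    if ($port) {
        $listener = Get-NetTCPConnection -State Listen -LocalPort $port -ErrorAction SilentlyContinue
        if ($listener) {
            $findings += "RDP listener active on TCP/$port (owning PID $($listener.OwningProcess))"
        }
    }

    # 3. Remote-interactive logons (type 10) in the last 7 days: who came in over RDP, from where.
    #    Property indexes for event 4624: 5 = TargetUserName, 8 = LogonType, 18 = IpAddress.
    $since  = (Get-Date).AddDays(-7)
    $logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } `
                           -ErrorAction SilentlyContinue |
              Where-Object { $_.Properties[8].Value -eq 10 } |
              ForEach-Object {
                  [pscustomobject]@{
                      Time   = $_.TimeCreated
                      User   = $_.Properties[5].Value
                      Source = $_.Properties[18].Value
                  }
              }

    [pscustomobject]@{ Findings = $findings; RdpLogons = @($logons) }
}

$report = Get-RdpExposureReport
$report.Findings
$report.RdpLogons | Format-Table -AutoSize
```

Compare the logon sources against the hosts that are supposed to use RDP for maintenance; a listener on a workstation that has no such role, or a ServiceDll that is not termsrv.dll, is worth an immediate look.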
More on this at GData.de