Java malware copies passwords

G Data News


G Data researchers reveal: Java malware copies passwords and also enables remote control via RDP.

A newly discovered malware developed in Java can copy access data, remotely control the victim's computer and execute other commands. The integrated ransomware component is not yet fully functional.

Analysts from G DATA CyberDefense warn of new malware developed in Java. If the malware is active on a system, criminals can read passwords from browsers and the e-mail program. Since the malware includes a remote access (RAT) function, an attacker can also take control of the infected system remotely. The Remote Desktop Protocol (RDP) is used for this: a modified version of the “rdpwrap” tool (https://github.com/stascorp/rdpwrap) is downloaded in the background. The modified version enables hidden RDP access.

In addition, the malware currently has only rudimentary ransomware components. So far there is no encryption, only a renaming of the files. Since malware is often developed continuously, this could change in future versions.

Unexpected: new Java malware

“The current malware is unusual, we haven't seen any new Java malware for a long time,” says Karsten Hahn, Virus Analyst at G DATA. “With the malware that we have analyzed, we can already see attempted infections among our customers.”

With the infection path observed, the malware cannot run without Java. It can be assumed that the author of the software has been experimenting. However, there is already a feature that downloads and installs the Java Runtime Environment (JRE) immediately before the infection with the Java malware. Anyone who already has a version of the JRE installed on the computer is vulnerable to infection.

RDP access has traditionally been a popular means for criminals to gain access to systems in company networks. Companies, on the other hand, use RDP access for maintenance work and sometimes for remote work. Within a company network, RDP traffic should therefore be watched closely so that anomalies are noticed immediately. Further technical details and graphics can be found in the tech blog article by our analyst Karsten Hahn.
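As an added illustration of what "keeping a close eye on RDP traffic" can look like in practice (example code written for this article, not from G DATA or the analysis), the script below flags RDP logons that fall outside an assumed policy and checks whether the Terminal Services service has been re-pointed to a non-standard DLL. The event lines, the allowed maintenance hosts, the working hours and the registry snapshot are all constructed; the DLL check assumes the modified rdpwrap variant installs the way upstream rdpwrap does, by replacing the TermService ServiceDll value.

```python
import re

# Constructed sample events (not from the article): fields of Windows Security
# event 4624 flattened to "key=value" pairs, one logon per line.
SAMPLE_EVENTS = """\
EventID=4624 LogonType=10 TargetUserName=it-admin IpAddress=10.0.5.20 TimeCreated=2020-09-14T09:12:03
EventID=4624 LogonType=2 TargetUserName=alice IpAddress=- TimeCreated=2020-09-14T09:15:41
EventID=4624 LogonType=10 TargetUserName=alice IpAddress=203.0.113.77 TimeCreated=2020-09-14T02:47:19
EventID=4624 LogonType=10 TargetUserName=svc-backup IpAddress=10.0.5.21 TimeCreated=2020-09-14T23:05:00
"""

# Assumed policy: RDP logons (LogonType 10) are expected only from the
# maintenance jump host(s) and only during working hours.
MAINTENANCE_HOSTS = {"10.0.5.20"}
WORK_HOURS = range(7, 20)

# Constructed registry snapshot. Upstream rdpwrap hooks Terminal Services by
# pointing the TermService ServiceDll value at rdpwrap.dll instead of the
# stock termsrv.dll; the check below assumes the modified variant does the same.
SERVICE_DLL_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters\ServiceDll"
REGISTRY_SNAPSHOT = {
    SERVICE_DLL_KEY: r"C:\Program Files\RDP Wrapper\rdpwrap.dll",
    r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections": "0",
}

def parse_event(line):
    """Turn one 'key=value key=value' line into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def suspicious_rdp_logons(text):
    """Return (user, source, time) for RDP logons outside the assumed policy."""
    hits = []
    for line in text.splitlines():
        ev = parse_event(line)
        if ev.get("EventID") != "4624" or ev.get("LogonType") != "10":
            continue
        hour = int(ev["TimeCreated"][11:13])
        if ev["IpAddress"] not in MAINTENANCE_HOSTS or hour not in WORK_HOURS:
            hits.append((ev["TargetUserName"], ev["IpAddress"], ev["TimeCreated"]))
    return hits

def termservice_dll_replaced(snapshot):
    """True when TermService is configured to load something other than termsrv.dll."""
    dll = snapshot.get(SERVICE_DLL_KEY, "").lower()
    return dll != "" and not dll.endswith("termsrv.dll")

if __name__ == "__main__":
    for hit in suspicious_rdp_logons(SAMPLE_EVENTS):
        print("unexpected RDP logon:", hit)
    print("TermService DLL replaced:", termservice_dll_replaced(REGISTRY_SNAPSHOT))
```

On a real host the registry value would be read with the Windows registry API or exported beforehand; the event lines would come from the Security log of the RDP target.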

More on this at GData.de
