Downloader Malware Written in JPHP Interpreter

AhnLab SEcurity intelligence Center (ASEC) recently discovered malware created using JPHP. JPHP is a PHP interpreter that runs on the Java Virtual Machine (JVM) and was designed to allow PHP code to be used in a Java environment. It compiles PHP code into Java bytecode for execution, which enables direct calls to Java libraries. Additionally, it is faster than PHP because it uses a just-in-time (JIT) compilation method.

Figure 1. JPHP

The initial file of the malware found this time is distributed in ZIP format. It contains a Java Runtime Environment (JRE) package and a set of libraries. When the .exe file is executed, it acts as a runner that launches javaw.exe with the files under the “lib\” path as arguments.

In other words, the malware ships with its own JRE, so it runs without a separate Java installation. The command line used to launch javaw is as follows:

"{Package Path}\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "lib\.;lib\..;lib\activation.jar;lib\asm-all.jar;lib\commons-email.jar;lib\dn-php-sdk.jar;lib\gson.jar;lib\jfoenix.jar;lib\jkeymaster.jar;lib\jna.jar;lib\jphp-app-framework.jar;lib\jphp-core.jar;lib\jphp-desktop-ext.jar;lib\jphp-desktop-hotkey-ext.jar;lib\jphp-gui-ext.jar;lib\jphp-gui-jfoenix-ext.jar;lib\jphp-json-ext.jar;lib\jphp-jsoup-ext.jar;lib\jphp-mail-ext.jar;lib\jphp-runtime.jar;lib\jphp-systemtray-ext.jar;lib\jphp-xml-ext.jar;lib\jphp-zend-ext.jar;lib\jphp-zip-ext.jar;lib\jsoup.jar;lib\mail.jar;lib\slf4j-api.jar;lib\slf4j-simple.jar;lib\zt-zip.jar" org.develnext.jphp.ext.javafx.FXLauncher

Figure 2. Unzipped ZIP file and libraries under the “lib\” path

The .jar package marked with a red box in Figure 2 above is a JPHP file containing .phb files, which hold PHP code compiled into bytecode. Because a .phb file does not start with the signature of a typical .class file (0xCA 0xFE ..), a bytecode viewer cannot recognize it properly.
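An added triage example (my own code, not ASEC's tooling or anything from the malware): a Python function that checks a ZIP package for the packaging traits described above, namely a bundled jre\bin\javaw.exe, jphp-*.jar files under lib\, and .phb entries inside nested jars whose header is not the 0xCAFEBABE .class signature. The package it inspects is constructed inline for the demonstration and is not a real sample.

```python
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # signature of a normal JVM .class file


def triage_jphp_package(zip_bytes: bytes) -> dict:
    """Summarize JPHP packaging indicators found in a ZIP package (bytes)."""
    report = {"bundled_jre": False, "jphp_jars": [], "phb_entries": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as outer:
        for name in outer.namelist():
            lower = name.lower().replace("\\", "/")
            if lower.endswith("jre/bin/javaw.exe"):
                report["bundled_jre"] = True  # package runs without a system Java
            if lower.startswith("lib/") and "jphp" in lower and lower.endswith(".jar"):
                report["jphp_jars"].append(name)
            if not lower.endswith(".jar"):
                continue
            try:  # nested jar: look for compiled-PHP (.phb) entries and check their header
                inner = zipfile.ZipFile(io.BytesIO(outer.read(name)))
            except zipfile.BadZipFile:
                continue
            with inner:
                for entry in inner.namelist():
                    if entry.lower().endswith(".phb"):
                        head = inner.read(entry)[:4]
                        report["phb_entries"].append(
                            {"jar": name, "entry": entry, "class_magic": head == CLASS_MAGIC}
                        )
    report["suspicious"] = (
        report["bundled_jre"] and bool(report["jphp_jars"]) and bool(report["phb_entries"])
    )
    return report


def build_sample_package() -> bytes:
    """Constructed sample mimicking the layout in Figure 2; not a real malware sample."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("app/Main.phb", b"PHB\x00constructed-bytecode-body")  # not CAFEBABE
    pkg = io.BytesIO()
    with zipfile.ZipFile(pkg, "w") as z:
        z.writestr("jre/bin/javaw.exe", b"MZ placeholder")
        z.writestr("lib/jphp-core.jar", jar.getvalue())
        z.writestr("lib/gson.jar", b"not a real jar")  # exercises the BadZipFile path
    return pkg.getvalue()
```

A .phb entry whose header is not the .class magic is exactly the case in Figure 3 where the bytecode viewer fails; the report flags the combination of bundled JRE, JPHP jars and such entries as worth a closer look.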

Figure 3. The .phb file opened with Bytecode Viewer

Converting the .phb file so that it is recognized as a .class file allows decompilation and code analysis. The analysis shows that it is a downloader, a type of malware that fetches additional malware. The C2 and characteristics of this malware are described below.

Figure 4. Initial C2 communication

Figure 5. Disabling the behavior monitoring feature of Windows Defender

It has been confirmed that the threat actor used Telegram to secure an additional C2. They used a “t.me” address (Telegram’s short URL format) and placed the IP of the additional C2 in the channel profile that is retrieved on access. The malware accesses this URL and uses the IP value found between the “i1il” strings as its additional C2.

Because the IP address obtained from the URL can be changed easily by the threat actors, they can switch the C2 address without directly controlling the infected PC.

Figure 6. Importing the additional C2 from the webpage

Figure 7. Site accessed to obtain the additional C2

This feature downloads and executes additional malware. At the time of analysis, no file was being served from the URL, which made further analysis difficult. However, according to the analysis conducted through our analysis infrastructure, this type of malware may have mainly been used to distribute information-stealing malware such as STRRAT and DanaBot.

Figure 8. Additional malware download

This post described malware developed with JPHP. As this case shows, even relatively obscure technologies like JPHP can be used to distribute malware. Threat actors constantly look for new methods and may use unexpected paths in addition to known techniques. It is therefore very important to carefully check the sources of executable files and scripts.
