
AhnLab Security intelligence Center (ASEC) has recently uncovered a malware campaign utilizing the JPHP interpreter to distribute downloader malware.
JPHP is a PHP interpreter that runs on the Java Virtual Machine (JVM). It was designed to enable the use of PHP code within a Java environment: JPHP compiles PHP code into Java bytecode for execution and allows direct calls to Java libraries. It also offers performance advantages over traditional PHP through just-in-time (JIT) compilation. Although JPHP was designed for legitimate purposes, the report shows how it can be misused in malicious activities.
The malware is initially distributed in a ZIP file format, which includes the Java Runtime Environment (JRE) package and a collection of libraries. The included .exe file acts as a runner, executing “javaw.exe” with the files in the “lib\” directory as arguments. This configuration allows the malware to operate without requiring a separate Java environment on the victim’s machine.
The ZIP file contains a .jar package with .phb files, which are used to convert PHP into bytecode. These .phb files have a distinct structure that differs from typical .class files, making them difficult for bytecode viewers to recognize and analyze. This obfuscation technique likely aims to evade detection and hinder analysis efforts.
Analysis of the malware reveals it to be a downloader, designed to download and execute additional malicious payloads.
The malware uses Telegram to establish an additional command-and-control (C2) channel. The threat actors use Telegram’s short URL format (“t.me”) and place the IP address of the additional C2 in a channel profile. The malware running on the infected machine accesses this URL and extracts the IP address located between the “i1il” strings, which serves as the additional C2. This method allows the threat actors to change the C2 address without directly accessing the infected machine.
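The dead-drop scheme above (an address wrapped in two “i1il” marker strings inside a channel profile) is simple enough that an analyst can resolve it offline from a saved copy of the profile page and feed the result into blocklists or detection content. The following Python is an added example for that purpose; it is not code from the ASEC report or the malware. The marker string is taken from the report; the profile text and the IP addresses are constructed sample data (documentation ranges), and the function names are the example's own.

```python
import ipaddress
import re
from typing import List, Optional

# Marker described in the report: the additional C2 address sits between two "i1il" strings.
MARKER = "i1il"

# Constructed sample of saved profile-page text (not real threat-actor data).
# The address is from the TEST-NET-3 documentation range.
SAMPLE_PROFILE_TEXT = (
    '<div class="tgme_page_description">'
    "Daily updates i1il203.0.113.10i1il thanks for following</div>"
)


def extract_marked_values(text: str, marker: str = MARKER) -> List[str]:
    """Return every substring enclosed by a pair of marker strings, in order of appearance."""
    pattern = re.escape(marker) + r"(.*?)" + re.escape(marker)
    return [m.strip() for m in re.findall(pattern, text, flags=re.DOTALL)]


def extract_c2_address(text: str, marker: str = MARKER) -> Optional[str]:
    """Return the first marker-delimited value whose host part is a valid IP address.

    Returns None when no marker pair is present or when nothing between the markers
    parses as an IP, so decoy text or a broken page does not yield a bogus indicator.
    """
    for candidate in extract_marked_values(text, marker):
        # Tolerate an optional ":port" suffix; validate only the host part.
        host = candidate.rsplit(":", 1)[0] if candidate.count(":") == 1 else candidate
        try:
            ipaddress.ip_address(host)
        except ValueError:
            continue
        return candidate
    return None


if __name__ == "__main__":
    # Resolve the constructed sample; a real run would read a saved copy of the page.
    print(extract_c2_address(SAMPLE_PROFILE_TEXT))
```

Validating the extracted value with `ipaddress` rather than a loose regex matters here: a profile that has been edited, taken down, or replaced with unrelated text should produce no indicator at all instead of a malformed one that then lands in a blocklist.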
The malware possesses the capability to download and execute additional malware. While the payload was not downloaded during the analysis, ASEC’s analysis infrastructure suggests that this type of malware primarily distributes data-breach malware such as STRRAT and DanaBot.
The report concludes: “Threat actors are constantly looking for new methods and may use unexpected paths in addition to known techniques. Therefore, it is very important to carefully review the sources of executable files and scripts.”