JSP.BackDoor.8

SHA1: 0c6249feee3fef50fc0a5a06299c3e81681cc838

SHA1: 41d2247842151825aa8001a35ee339a0fef2813f

SHA1: 62ea0fce2716006d16a1408cda159cf20f90004e

SHA1: 33c11e7b2b3950a430cf3b40128429d9b723103c

Description

JSP.BackDoor.8 is a trojan backdoor program capable of infecting Windows and Linux devices and executing shell commands sent from a remote host. The trojan is implemented as a JAR file, and it is controlled by HTTP requests.

Operating routine

During initialization, this sample checks its environment variables, and then receives a GET request containing a “t” parameter with the value “cmd” and a “c” parameter that passes along the command to execute. If the trojan is run on Windows, it executes

cmd /c <value>

otherwise, it executes

/bin/bash -c <value>

When the trojan receives a POST request, it loads additional functionality: the request body contains a base64 encoded plugin that is loaded into the process memory.

This JAR file is also remotely controlled using HTTP requests, but it only supports the following types of requests: GET, POST, HEAD. The trojan checks the “go” parameter containing the IP address for downloading the script. It then checks the operating system. In the case of Windows, it downloads a script called 1.ps1 and executes it with the following parameters

Set-ExecutionPolicy Bypass -Scope Process -Force

If the trojan is running on Linux, it downloads the ELF file kinsing (Linux.BtcMine.546) and executes it by exporting the SKL=op environment variable.

The 1.ps1 script downloads the miner’s components, namely sysupdate.exe (the miner itself), config.json and the update.ps1 script. If the miner had been previously installed in the system, the script stops it and updates it. After downloading the files, the script creates a job for the system scheduler to run the update.ps1 script every minute, suppressing any warnings. To do this, the following command is executed:

SchTasks.exe /Create /SC MINUTE /TN “Update service for Windows Service” /TR “PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -File $HOME\update.ps1” /MO 30 /F 

This sample contains two jsp servlets: updata2_jsp and chakan_jsp. The former connects to the Openfire server SQL database

jdbc:mysql[:]//localhost:3306/openfire root 123456

and takes data from the query parameters:

name0..30 = ; value0..30= ;

The servlet then updates the “name” variable in the “ofproperty” table according to the “value”.

The sample processes only HTTP requests with the following methods GET, POST, and HEAD. If the request comes without the “action” parameter, then “action” will equal “main”; otherwise, the “action” parameter contains the name of the form to be interacted with. The main menu of the web shell consists of the following forms: main, filesystem, command, database, config, about, exit. They are described below:

The command is passed to the backdoor in the “fsAction” parameter. If this parameter is empty, it is assigned the “list” value.

List of fsAction commands

Runs the command transmitted in the “command” parameter. The result is displayed on the screen.

The command is transmitted in the “dbAction” parameter. If this parameter is empty, it is assigned the value “main”, and the SQL query builder menu is displayed on the screen. When a query is sent, the “dbAction” parameter is assigned the value “dbContent”.

Method “dbConnect”. The arguments of this method are data for connecting to the database, which are taken from the query parameters: dbServer, dbPort, dbUsername, dbPassword, dbName. The query to be executed is taken from the “sql” parameter. After the command is executed, its result is displayed on the screen.

The command is transmitted in the “cfAction” parameter. If this parameter is empty, it is assigned the value “main”.

List of cfAction commands

This command outputs a blank page.

After this command is entered, the password will be removed from the session and the user is redirected to the main authorization page.