A researcher in Great Britain has discovered a combination of a 419 scam and a Java Adwind / Java Jrats trojan malware delivery. Java Adwind delivered by fake financial emails or fake parcel delivery notices is a common 419 tactic, yet this may be a new approach: a traditional scam email carrying the Java Adwind malware as its attachment.[1]
Java Adwind[2] is a very dangerous remote access backdoor trojan with cross-platform capabilities; it can potentially run on and infect any computer or operating system, including Windows, Apple Mac, Android and Linux. It can only run or infect a user if Sun / Oracle Java is installed. Many security professionals suggest uninstalling Java and not using it. Most domestic users and small businesses have no real need for Java on their computers. If Java is needed for operations, networks should automatically block access to Java .jar files with proper protection.
We are currently unsure whether this 419 scam is intended as a new malware delivery method or whether the sending server is infected and unknowingly adding the malware to all scam emails. The latter is plausible based on many past collection and analysis efforts by Wapack Labs in which Nigerian 419 scammers actually keylogged themselves and thus exposed all their fraudulent activities.
Of note is that these 419 members use the victim’s domain or email address as the sender. This is not a common tactic with 419 scams but is relatively common with compromised servers that use random email templates or copies of sent emails already on the server, then insert the domain from the recipient’s email address as the alleged sender. This use of email addresses and subjects will entice a user to read the email and open the attachment. A very high proportion are targeted at small and medium size businesses, with the hope of getting a better response than they do from individuals. Remember that many email clients, especially on a mobile phone or a tablet, only show the name in the From line and not the domain name <domain.com>. That is why these scams and phishes often work.
In this example, Atotech.com is an innocent victim as is the recipient of the email.
The malware, CDE.AWB 987660009876654.pdf.jar.jar (517.5 kb), was checked against Virus Total, Hybrid Analysis, and Anyrun App, and all identify it as Java Adwind or a Java trojan. The malicious attachment has a password-stealing component, with the aim of stealing your personal financial data along with your email or FTP (web space) log-in credentials. Many 419 scams are also designed to specifically steal your Facebook and other social network log-in details.
IP | Hostname | City | Region | Country | Organization
--- | --- | --- | --- | --- | ---
209.222.111.168 | hosted-by.reliablesite.net | Guntur | Andhra Pradesh | IN | AS20473 Choopa, LLC
Indicators:
- AWB 987660009876654.pdf.jar.jar
- MD5: af821ab9a1c8c320b098e4e6fb594c6e
- SHA-1: 670c0003851838055b99a78c6115ffc507997605
- Sending IP: 209.222.111.168
Mitigations
Always be very careful with email attachments. All of these emails use social engineering tricks to persuade you to open the attachments. Never open any attachment to an email unless you are expecting it.

Never blindly click on files in your email program. Always save attachments to a downloads folder rather than opening them directly. Many malicious files attached to emails have a faked extension, that is, the letters after the last dot in the file name. Unfortunately, Windows by default hides file extensions, so you need to set your folder options to “show known file types.”[3] If you see .JS, .EXE, .COM, .PIF, .SCR or .HTA at the end of the file name (or, as in this case, .JAR), DO NOT click on it or try to open it; it may infect you.

While the malicious program is inside the zip file, it cannot harm you or run automatically. When it is just sitting unzipped in your downloads folder, it will not infect you, provided you do not click on it. Delete the zip file and any extracted file and everything will be fine. You can always run a scan with your antivirus to be sure. Some zip files can be configured by bad actors to automatically run the malware file when you double-click the zip to extract it. If you right-click any suspicious zip file (after saving it to a folder on the computer) and select “extract here” or “extract to a folder”, that risk is eliminated. Never attempt to open a zip directly from your email; that is a guaranteed way to get infected.
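A defender-side triage sketch that ties together two points made above, the sender borrowing the recipient's own domain and the disguised double extension (.pdf.jar.jar), plus a match against this report's hash indicators. This is added example code, not from Wapack Labs or the cited researcher; the addresses and attachment bytes are constructed, and the decoy-extension list is an assumption.

```python
import hashlib
from typing import List

# Indicators taken from this report's own indicator list.
KNOWN_BAD_MD5 = {"af821ab9a1c8c320b098e4e6fb594c6e"}
KNOWN_BAD_SHA1 = {"670c0003851838055b99a78c6115ffc507997605"}
# Extensions the mitigation text says never to open, plus .jar (this sample's real type).
DANGEROUS_EXT = {"js", "exe", "com", "pif", "scr", "hta", "jar"}
# Assumed list of document/image extensions used as the visible decoy in a double extension.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}


def attachment_findings(filename: str) -> List[str]:
    """Flag the extension tricks described above: real type, decoy, doubled suffix."""
    exts = filename.lower().split(".")[1:]   # every dot-separated suffix after the name
    if not exts:
        return []
    findings = []
    true_ext = exts[-1]                       # the extension the OS actually acts on
    if true_ext in DANGEROUS_EXT:
        findings.append(f"executable extension .{true_ext}")
    decoys = [e for e in exts[:-1] if e in DECOY_EXT]
    if decoys:
        findings.append(f"decoy extension .{decoys[-1]} hides .{true_ext}")
    if len(exts) >= 2 and exts[-2] == true_ext:
        findings.append(f"doubled extension .{true_ext}.{true_ext}")
    return findings


def sender_findings(from_addr: str, rcpt_addr: str, from_internet: bool = True) -> List[str]:
    """Flag external mail that borrows the recipient's own domain as the sender."""
    from_dom = from_addr.rsplit("@", 1)[-1].lower()
    rcpt_dom = rcpt_addr.rsplit("@", 1)[-1].lower()
    if from_internet and from_dom == rcpt_dom:   # internal mail legitimately shares a domain
        return [f"external mail claims recipient's own domain {rcpt_dom}; verify SPF/DKIM"]
    return []


def hash_findings(data: bytes) -> List[str]:
    """Match attachment bytes against the report's MD5 / SHA-1 indicators."""
    md5, sha1 = hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()
    if md5 in KNOWN_BAD_MD5 or sha1 in KNOWN_BAD_SHA1:
        return ["hash matches the Adwind sample in this report"]
    return []

if __name__ == "__main__":
    # Constructed message modelled on the report; the bytes are dummy, not the real sample.
    msg = ("accounts@example.com", "buyer@example.com", "CDE.AWB 987660009876654.pdf.jar.jar")
    for f in sender_findings(msg[0], msg[1]) + attachment_findings(msg[2]) + hash_findings(b"dummy"):
        print("FLAG:", f)
```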
For questions or comments regarding this report, please contact Wapack Labs at 603-606-1246, or feedback@wapacklabs.com
[1] https://myonlinesecurity.co.uk/419-scam-with-a-java-adwind-payload/
[2] https://securelist.com/adwind-faq/73660/
[3] https://www.howtohaven.com/system/show-file-extensions-in-windows-explorer.shtml