Full Report
A new malware campaign targeting Windows and Linux systems has been identified, deploying tools for evasion and credential theft
Analysis Summary
# Tool/Technique: Multi-Platform Malware Campaign (Windows & Linux)
## Overview
A sophisticated malware campaign discovered by the Sysdig Threat Research Team (TRT) targets both Windows and Linux systems. The initial infection vector utilized a malicious Python script deployed via a misconfigured system, leading to the download of crypto-miners and the deployment of stealthy tools for evasion and data exfiltration. The campaign exhibits platform-specific adaptation.
## Technical Details
- Type: Malware Campaign (Involving various payloads and loaders)
- Platform: Windows, Linux
- Capabilities: Cross-platform execution, crypto-mining, credential theft, evasion techniques, data exfiltration.
- First Seen: Reported in an article dated 2 Jun 2025 (the date of the source material; the campaign's actual start date is not stated).
## MITRE ATT&CK Mapping
The available information points to several general tactics and techniques related to initial compromise, execution, and credential access:
- **TA0001 - Initial Access**
- **T1190 - Exploit Public-Facing Application** (Implied by initial deployment via a misconfigured system)
- **TA0002 - Execution**
- **T1059.006 - Command and Scripting Interpreter: Python** (Initial malicious script)
- **TA0005 - Defense Evasion**
- **T1027 - Obfuscated Files or Information** (Implied by renaming files like INT_D.DAT and INT_J.DAT)
- **TA0006 - Credential Access**
- **T1555 - Credentials from Built-in Operating System Credential Stores** (Mentioned payload includes infostealers focused on credential access)
## Functionality
### Core Capabilities
- **Initial Deployment:** Initiation via a malicious Python script.
- **Multi-stage Payload Delivery:** Download and deployment of crypto-miners and other secondary malicious components.
- **Platform Specificity:** Tailored attack paths for Windows and Linux environments.
### Advanced Features
- **Windows Execution Chain:** Uses a Python function to install the Java Development Kit (JDK), followed by the execution of a Java Archive (JAR) file (`application-ref.jar`) retrieved from C2.
- **Java Evasion:** The JAR loader uses Java's `ProcessBuilder` class to spawn a child JVM with suspicious flags (`-noverify`, which disables bytecode verification, and `-XX:+DisableAttachMechanism`, which blocks the attach API used by debuggers and monitoring agents) to thwart detection and inspection of the running Java process.
- **Payload Staging:** Deploys two specific files (`INT_D.DAT` and `INT_J.DAT`) from the JAR's resources onto the victim machine.
- **Infostealing:** Embeds multiple infostealers within the final JAR payload, indicating a focus on credential harvesting.
## Indicators of Compromise
(Note: Specific hashes, IPs, or registry keys were not detailed in the provided text snippet.)
- File Hashes: [Unknown]
- File Names: `application-ref.jar`, `INT_D.DAT`, `INT_J.DAT`
- Registry Keys: [Unknown]
- Network Indicators: A C2 server (previously active) that served the JAR; its address is not given in the source, and any value recovered later should be defanged before sharing.
- Behavioral Indicators: Use of `ProcessBuilder` with flags `-noverify` and `-XX:+DisableAttachMechanism` in Java processes.
## Associated Threat Actors
- [Information not explicitly stated in the provided excerpt, but attributed to a newly uncovered campaign studied by the Sysdig Threat Research Team (TRT).]
## Detection Methods
- **Signature-based detection:** Signatures for the specific JARs or renamed DAT files following deployment.
- **Behavioral detection:** Monitoring for suspicious Java process execution, specifically the use of the `-noverify` and `-XX:+DisableAttachMechanism` flags via `ProcessBuilder`.
- **YARA rules if available:** [Unknown]
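As an added illustration of the behavioral detection above (not code from the Sysdig report), the following Python scores process-execution telemetry for JVM launches that carry the reported flags, weighting a Python parent process and the `application-ref.jar` file name more heavily. The event field names (`pid`, `pproc`, `cmdline`) and the sample events are constructed assumptions, not a specific sensor's schema.

```python
import json
import shlex
from os.path import basename

# JVM flags reported for the campaign's JAR loader (see Behavioral Indicators).
SUSPICIOUS_JVM_FLAGS = {"-noverify", "-XX:+DisableAttachMechanism"}
JAVA_BINARIES = {"java", "java.exe", "javaw", "javaw.exe"}
KNOWN_JAR_NAMES = {"application-ref.jar"}      # file-name IOC from the report
SCRIPT_PARENTS = {"python", "python3", "python.exe", "py.exe"}

def score_event(event):
    """Return a finding for a JVM launch that uses a suspicious flag, else None.
    Assumed event fields: "pid", "pproc" (parent process name), "cmdline"."""
    tokens = shlex.split(event.get("cmdline", ""))
    if not tokens or basename(tokens[0]) not in JAVA_BINARIES:
        return None                          # only JVM launches are of interest
    flags = sorted(SUSPICIOUS_JVM_FLAGS.intersection(tokens))
    if not flags:
        return None
    jar = tokens[tokens.index("-jar") + 1] if "-jar" in tokens[:-1] else None
    score = len(flags)                       # one point per evasion flag
    if event.get("pproc") in SCRIPT_PARENTS:
        score += 1                           # JVM spawned by a Python script, as in this campaign
    if jar and basename(jar) in KNOWN_JAR_NAMES:
        score += 1                           # loader JAR named in the report
    return {"pid": event.get("pid"), "flags": flags, "jar": jar, "score": score}

def detect(ndjson_text):
    """Score every newline-delimited JSON event; malformed lines are skipped."""
    findings = []
    for line in ndjson_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = score_event(event)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample telemetry: a benign run, the reported loader pattern, a
# developer's -noverify run, and a non-Java process carrying the same string.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 101, "pproc": "bash", "cmdline": "/usr/bin/java -Xmx2g -jar app.jar"},
    {"pid": 102, "pproc": "python3",
     "cmdline": "java -noverify -XX:+DisableAttachMechanism -jar /tmp/application-ref.jar"},
    {"pid": 103, "pproc": "bash", "cmdline": "java -noverify -cp lib/* com.example.Main"},
    {"pid": 104, "pproc": "bash", "cmdline": "python3 tool.py -noverify"},
])
```

`shlex.split` uses POSIX quoting rules; for Windows command lines with backslash paths, pass `posix=False` or use a Windows-aware splitter before scoring.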
## Mitigation Strategies
- **Prevention measures:** Restricting execution of downloaded Python scripts (especially from unexpected sources or misconfigured systems). Implementing robust application whitelisting, particularly concerning Java execution.
- **Hardening recommendations:** Strict Java security policies; disabling or monitoring the installation of JDK if unnecessary. Ensuring proper configuration management to prevent system misconfigurations that allow arbitrary script execution.
## Related Tools/Techniques
- Crypto-miners (Payload)
- Infostealers (Payload)
- Loading mechanisms relying on Java Runtime Environment (JRE/JDK) manipulation.