JSP.BackDoor.8 is a trojan backdoor program capable of infecting Windows and Linux devices and executing shell commands sent from a remote host. The trojan is implemented as a JAR file, and it is controlled by HTTP requests.
During initialization, this sample checks its environment variables, and then receives a GET request containing a “t” parameter with the value “cmd” and a “c” parameter that passes along the command to execute. If the trojan is run on Windows, it executes
cmd /c <value>
otherwise, it executes
/bin/bash -c <value>
When the trojan receives a POST request, it loads additional functionality: the request body contains a base64-encoded plugin that is loaded into the process memory.
sha1: 0c6249feee3fef50fc0a5a06299c3e81681cc838
This JAR file is also remotely controlled using HTTP requests, but it only supports the following request types: GET, POST, HEAD. The trojan checks the “go” parameter, which contains the IP address of the host from which the script is downloaded. It then checks the operating system. In the case of Windows, it downloads a script called 1.ps1 and executes it with the following parameters
Set-ExecutionPolicy Bypass -Scope Process -Force
If the trojan is running on Linux, it downloads the ELF file kinsing (Linux.BtcMine.546) and executes it after exporting the SKL=op environment variable.
The 1.ps1 script downloads the miner’s components, namely sysupdate.exe (the miner itself), config.json and the update.ps1 script. If the miner had been previously installed in the system, the script stops it and updates it. After downloading the files, the script creates a job for the system scheduler to run the update.ps1 script every minute, suppressing any warnings. To do this, the following command is executed:
SchTasks.exe /Create /SC MINUTE /TN "Update service for Windows Service" /TR "PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -File $HOME\update.ps1" /MO 30 /F
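The scheduled task above is the part of this chain that survives on a host after the downloader is gone, so it is worth hunting for directly. The following is an added example (not from the original report): it parses the CSV that `schtasks /Query /FO CSV /V` prints and flags tasks whose name or command line matches the persistence described here. The sample CSV, task names and paths are constructed, and the column set is trimmed to the four columns the check uses.

```python
import csv
import io
import re

# Constructed sample of `schtasks /Query /FO CSV /V` output, trimmed to four
# of its verbose columns; the task names and paths are made up.
SAMPLE_SCHTASKS_CSV = """\
"TaskName","Task To Run","Schedule Type","Repeat: Every"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","%windir%\\system32\\defrag.exe -c -h -o -$","Weekly","N/A"
"\\Update service for Windows Service","PowerShell.exe -ExecutionPolicy bypass -windowstyle hidden -File C:\\Users\\svc\\update.ps1","Minute","0:30:00"
"\\Backup","C:\\Tools\\backup.bat","Daily","N/A"
"""

# Indicators taken from the SchTasks.exe command line quoted in the report.
SUSPICIOUS_TASK_NAME = "update service for windows service"
HIDDEN_BYPASS_UPDATE = re.compile(
    r"powershell(\.exe)?\b.*-executionpolicy\s+bypass.*-windowstyle\s+hidden"
    r".*-file\s+\S*update\.ps1",
    re.IGNORECASE,
)


def find_suspicious_tasks(schtasks_csv: str) -> list:
    """Return one finding per task whose name or command matches the report.

    A finding records the task name, its command line, the schedule and the
    rules that matched, which is what an alert or ticket needs to carry.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        command = row.get("Task To Run", "")
        reasons = []
        if SUSPICIOUS_TASK_NAME in name.lower():
            reasons.append("task name used by 1.ps1")
        if HIDDEN_BYPASS_UPDATE.search(command):
            reasons.append("hidden PowerShell, ExecutionPolicy bypass, runs update.ps1")
        if reasons:
            findings.append({
                "task": name,
                "command": command,
                "schedule": f"{row.get('Schedule Type', '')} / every {row.get('Repeat: Every', '')}",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(hit["task"], "->", "; ".join(hit["reasons"]))
```

The second rule is the more durable one: the task name can be changed by the attacker, but a hidden PowerShell run with the execution policy bypassed from a script under a user profile every 30 minutes is unusual enough to review on its own.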
This sample contains two JSP servlets: updata2_jsp and chakan_jsp. The former connects to the Openfire server's SQL database
jdbc:mysql[:]//localhost:3306/openfire root 123456
and takes data from the query parameters name0..name30 and value0..value30. The servlet then updates the “name” entry in the “ofproperty” table with the corresponding “value”.
- Executes a command via cmd.exe or /bin/bash, depending on the OS.
- Creates a page for copying a file.
- Deletes a file. The file name is formed as path + "/" + file.
- Displays the contents of a file on the screen. The file name is formed as path + "/" + file.
- Creates a page for editing a file.
- Creates a file or directory. Takes three query parameters:
  fileName — object name;
  btnNewFile — if this field is not empty, a file is created;
  btnNewDir — if this field is not empty, a directory is created.
- Saves the data from the “content” parameter to a file. The file name is formed as path + "/" + file.
- Gets the name of the file to copy from the “file2” parameter. If the name received is a directory, the new file name is formed as <dir>/cqq_<original file name>. The file is copied from path + file to file2.
The sample processes only HTTP requests with the following methods: GET, POST, and HEAD. If the request comes without the “action” parameter, then “action” is set to “main”; otherwise, the “action” parameter contains the name of the form to be interacted with. The main menu of the web shell consists of the following forms: main, filesystem, command, database, config, about, exit. They are described below.
Filesystem
The command is passed to the backdoor in the “fsAction” parameter. If this parameter is empty, it is assigned the “list” value.
List of fsAction commands
- Outputs a list of files in the parent directory
- Moves a file from the source directory to the target directory. The value of the source directory is taken from the “deleteFile” parameter; the value of the destination directory is taken from the “dstPath” parameter
- Creates a file; the file name is taken from the “filename” parameter
- Creates a folder; the folder name is taken from the “folderName” parameter
- Deletes a file; the file name is taken from the “filesDelete” parameter
- Outputs a list of files in the directory whose name is passed as an argument
- Outputs the contents of the file
- Renames a file; the old file name is taken from the “fileRename” parameter; the new name is taken from the “newName” parameter
- Saves an open file; the file content comes in the “fileContent” parameter
- Saves the file; the file content comes in the “fileContent” parameter
- Updates the file; the file comes in the body of the request
Command
Runs the command transmitted in the “command” parameter. The result is displayed on the screen.
Database
The command is transmitted in the “dbAction” parameter. If this parameter is empty, it is assigned the value “main”, and the SQL query builder menu is displayed on the screen. When a query is sent, the “dbAction” parameter is assigned the value “dbContent”.
The “dbConnect” method takes the database connection data from the query parameters dbServer, dbPort, dbUsername, dbPassword and dbName. The query to be executed is taken from the “sql” parameter; after it is executed, the result is displayed on the screen.
Config
The command is transmitted in the “cfAction” parameter. If this parameter is empty, it is assigned the value “main”.
List of cfAction commands
- Displays: password, encodeType, sessionTime, fileTypes
- Stores password, encode, sessionTime, and textFileTypes. The values are taken from the corresponding parameters
About
This command outputs a blank page.
Exit
After this command is entered, the password is removed from the session and the user is redirected to the main authorization page.
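Every control channel described on this page (the “t”/“c” pair of JSP.BackDoor.8, the “go” downloader parameter, and the “action”/“fsAction”/“dbAction”/“cfAction” forms of the web shell) travels in the query string of a GET request, which web server access logs record. The following is an added example (not from the original report) that scans such logs for those parameters. The log lines, IPs and paths are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (common log format); the IPs, paths and the
# host 198.51.100.7 are placeholders, not indicators from the report.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /upload/x.jsp?t=cmd&c=whoami HTTP/1.1" 200 87
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /upload/x.jsp?go=198.51.100.7 HTTP/1.1" 200 12
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /upload/x.jsp HTTP/1.1" 200 4
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/sh.jsp?action=command&command=id HTTP/1.1" 200 40
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /admin/sh.jsp?action=filesystem&fsAction=list HTTP/1.1" 200 900
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /search.jsp?t=cmd HTTP/1.1" 200 300
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(params):
    """Map parsed query parameters onto the control channels from the report."""
    if params.get("t") == ["cmd"] and "c" in params:
        return "JSP.BackDoor.8 command execution (t=cmd&c=...)"
    if "go" in params:
        return "downloader stage (go=<host> fetches 1.ps1 or kinsing)"
    if params.get("action") == ["command"] and "command" in params:
        return "web shell command form"
    for key in ("fsAction", "dbAction", "cfAction"):
        if key in params:
            return f"web shell form parameter {key}"
    return None


def scan_access_log(text):
    """Return (ip, method, path, verdict) for each line that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        verdict = classify(parse_qs(parts.query))
        if verdict:
            hits.append((m["ip"], m["method"], parts.path, verdict))
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(*hit)
```

The POST that delivers the base64-encoded plugin carries everything in the request body, which access logs do not record, so that stage has to be caught at a proxy or WAF that inspects bodies rather than by this scan.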