Combating a spate of Java malware with machine learning in real-time


In recent weeks, we have seen a surge in emails carrying fresh Java (.jar) malware that uses new techniques to evade antivirus protection. But with our research team's automated expert systems and machine learning models, Windows 10 PCs get real-time protection against these latest threats.

Attackers are constantly changing their methods and tools. We know from many years of research into malware and cybercriminal operations that cybercriminals have go-to programming languages for their malicious activities, but they switch from time to time to slip past security solutions. For instance, we recently tracked how cybercriminals changed the way they use NSIS installers to evade antivirus and deliver ransomware.

To deliver real-time protection through Windows Defender Antivirus, our researchers use the Microsoft Intelligent Security Graph, a robust automated system that monitors threat intelligence from a wide network of sensors. This system includes machine learning models, which drive proactive and predictive protection against fresh threats.

Tracking malicious email campaigns

Our sensors first picked up signs of the Java spam campaigns at the start of the year. Our automated tools, which can sort and classify massive volumes of malicious emails, showed us actionable intelligence about the surge of Java malware-bearing emails.

These emails use various social engineering lures to get recipients to open the malicious attachment. Many of the emails are in Portuguese, but we also see cases in English. They pose as billing, payment, pension, or other financial notifications.

Here are the most popular subject line and attachment file name combinations used in the email campaigns:

Subject                                                               | Attachment file name
----------------------------------------------------------------------|----------------------------------------------
Segue em anexo Oficio Numero: <number>                                | Decisão-Judicial.zip
Serviços de Cobranças Imperio adverte, Boleto N<number>               | 2Via_Boleto_N<number>.zip
“Cobrança Extrajudicial” Imperio Serviços de Cobranças                | 2Via_Boleto_N<number>.zip
Payment Advice                                                        | Payment Advice.rar
Curriculum Vitae <Date>                                               | Curriculum_<name><number>.zip
FGTS Inativo - <number> - Disponivel para saque em <number>           | SALDO_FGTS_MP_<number>.zip
FGTS Inativo - <number> - Disponivel para saque em <number>           | FGTS_-_MP_<number>.zip
Extrato_FGTS_disponivel_em_sua_conta_inativa_de_N<number>             | FGTS_Disponivel_N<number>.zip
NEW PURCHASE ORDER (TOP URGENT)                                       | BLUERHINETECHNOLOGY_EXPORT_PURCHASE_ORDER.zip
NF-e <number>. Emitente <number> - GLOBECALL DO BRASIL LTDA. <number> | NF-e-<number>.zip

Figure 1. Most popular subject line and attachment file name combinations in email campaigns

The Portuguese subjects are typical Brazilian financial lures: an attached court decision (Decisão Judicial), a collection agency's second copy of a bank slip (2ª via do boleto), an inactive FGTS (severance fund) balance available for withdrawal, and an electronic invoice (NF-e).

The attachments are usually .zip or .rar archives that contain the malicious .jar files. Cybercriminals choose .jar as the attachment type to stay away from the more recognizable malicious attachment types: MIME, PDF, text, HTML, or document files. Note that the archive wrapper means a gateway rule on the outer attachment's extension alone will not see the .jar inside.

Figure 2. Sample malicious email carrying Java malware in a .zip file

Tracking updates in malicious code

In addition to information about the email campaigns, our monitoring tools also showed another interesting trend: throughout the run of the campaigns, an average of 900 unique Java malware files were used every day. At one point, Windows Defender Antivirus encountered 1,200 unique malicious Java files in a single day. The volume of distinct files is itself a signal: the attackers regenerate the attachment constantly so that a hash or simple signature for one day's file is stale the next.

Figure 3. Volume of unique Java malware used in email campaigns

These Java malware files are variants of old malware with updated code that attempt to evade detection by security products.

The most notable change in these new variants is how they obfuscate malicious code. We saw, for instance, the following techniques:

  1. Building each string from a long chain of append operations and passing the result through a string decryption function, so that the plaintext strings (URLs, paths, commands) never appear in the class file
     Figure 4. Sample obfuscated Java malware code
  2. Using overly long variable names, making them effectively unreadable
     Figure 5. Sample obfuscated Java malware code
  3. Inserting excessive code that makes tracing the real logic more difficult
     Figure 6. Sample obfuscated Java malware code
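Techniques 1 and 2 can also be undone statically once the decryption routine has been identified in the decompiled output. The script below is an added example, not code from the original post or from Microsoft: it scans decompiled Java source for calls of the form decryptFn(new StringBuilder().append("..")...toString()), joins the literal pieces, runs them through a Python port of the decryption routine, and separately lists identifiers that are implausibly long. The decryption routine (Base64 followed by single-byte XOR), the routine's name, and the decompiled fragment are all constructed assumptions; with a real sample you replace decrypt() with the logic lifted from the .class file and the name with whatever the decompiler shows.

```python
import base64
import re

# Assumed toy cipher standing in for the sample's decryption routine: Base64, then
# single-byte XOR. A real sample's routine has to be lifted from its decompiled code.
XOR_KEY = 0x5A

# Hypothetical obfuscated name of the decryption routine (technique 2 in the list above).
DECRYPT_FN = "l" * 30 + "I" * 25 + "lIlI"


def decrypt(enc: str) -> str:
    """Python port of the (assumed) decryption routine the malware calls at run time."""
    return bytes(b ^ XOR_KEY for b in base64.b64decode(enc)).decode("latin-1")


def obfuscate(plain: str, fn: str = DECRYPT_FN, chunk: int = 4) -> str:
    """Inverse of decrypt(): emit the Java append chain the resolver expects.
    Only used to build the constructed sample below."""
    enc = base64.b64encode(bytes(b ^ XOR_KEY for b in plain.encode("latin-1"))).decode("ascii")
    parts = "".join(f'.append("{enc[i:i + chunk]}")' for i in range(0, len(enc), chunk))
    return f"{fn}(new StringBuilder(){parts}.toString())"


# Constructed stand-in for a decompiled class (illustrative, not real malware code).
PLAINTEXTS = [
    "http://example.invalid/2Via_Boleto.jar",
    "java.io.tmpdir",
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
]
DECOMPILED = f"""
public class a {{
    private static String {DECRYPT_FN}(String s) {{ /* Base64 + XOR, not shown */ return s; }}
    public static void main(String[] args) throws Exception {{
        String url = {obfuscate(PLAINTEXTS[0])};
        String dir = System.getProperty({obfuscate(PLAINTEXTS[1])});
        String key = {obfuscate(PLAINTEXTS[2])};
    }}
}}
"""

_JAVA_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", '"': '"', "'": "'", "\\": "\\"}


def unescape_java(s: str) -> str:
    """Undo the Java string escapes a decompiler emits inside literals."""
    return re.sub(r"\\(.)", lambda m: _JAVA_ESCAPES.get(m.group(1), m.group(0)), s)


def resolve_strings(src: str, fn: str = DECRYPT_FN) -> list:
    """Find every fn(new StringBuilder().append(..)...toString()) call, join the
    literal pieces and run them through decrypt(); plaintexts come back in source order."""
    chain_re = re.compile(
        re.escape(fn)
        + r"\(\s*new\s+StringBuilder\s*\(\s*\)"
        + r"((?:\s*\.append\(\s*\"(?:[^\"\\]|\\.)*\"\s*\))+)"
        + r"\s*\.toString\(\s*\)\s*\)"
    )
    piece_re = re.compile(r'\.append\(\s*"((?:[^"\\]|\\.)*)"\s*\)')
    resolved = []
    for m in chain_re.finditer(src):
        joined = "".join(unescape_java(p) for p in piece_re.findall(m.group(1)))
        resolved.append(decrypt(joined))
    return resolved


def long_identifiers(src: str, min_len: int = 40) -> list:
    """Technique 2 indicator: identifiers far longer than any human would type."""
    tokens = re.findall(r"[A-Za-z_$][A-Za-z0-9_$]*", src)
    return sorted({t for t in tokens if len(t) >= min_len})


if __name__ == "__main__":
    for s in resolve_strings(DECOMPILED):
        print("resolved:", s)
    for ident in long_identifiers(DECOMPILED):
        print("suspicious identifier, length", len(ident))
```

The resolver is deliberately tied to one syntactic shape; the point is that once the shape and the routine are known for a family, every new daily variant that keeps them can be stripped of its string obfuscation automatically, which is what turns a flood of 900 unique files a day into a tractable set of decrypted indicators.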

Obfuscated code makes static analysis tedious. We use automated systems that detonate the attachments, that is, run them in an instrumented environment, which sidesteps the obfuscation: whatever the code hides statically, it still has to do in the open at run time. When malware is detonated, we see its malicious intent and gain intelligence that we can use to prevent attacks.

Our tools log the malicious behaviors observed during detonation and use them to detect new and unknown attachments. Figure 7 shows a sample of these trace logs.

Figure 7. Sample Java malware trace logs

From threat intelligence to real-time protection

Through automated analysis, machine learning, and predictive modeling, we're better able to deliver protection against the latest, never-before-seen malware. These expert systems give us visibility and context into attacks as they happen, allowing Windows Defender AV to deliver real-time protection against the full range of threats.

Context-aware detonation systems analyze millions of potential malware samples and gather huge amounts of threat intelligence. This threat intelligence enriches our cloud protection engine, allowing us to block threats in real-time. In addition to the Java malware, we also detect the payloads, which are usually online banking Trojans like Banker and Banload, or Java remote access Trojans (RATs) like Jrat and Qrat.

Figure 8. Automated systems feed threat intelligence to cloud engines and machine learning models, which result in real-time protection against threats

Threat intelligence from the detonation system constantly enhances our machine learning models. New malicious file identifiers (features) extracted from the analysis of the latest threats are added to the machine learning classifiers, which power predictive protection.

This is how we use automation, machine learning, and the cloud to deliver protection technologies that are smarter and stronger against new and unknown threats. Windows Defender AV automatically protects Windows PCs against more than 97% of Java malware in the wild.

Figure 9. Breakdown of Java malware detection methods

Conclusion: Real-time protection against relentless threats

The email campaigns distributing Java malware account for a small portion of cybercriminal operations that deliver new malware and other threats. Cybercriminals are continuously improving their tools and modus operandi to evade system protections.

Our research team is evolving how we combat cybercrime by augmenting human capacity with a combination of sensors, automated processes, machine learning, and cloud protection technologies. Through these, we are better able to monitor and create solutions against these threats.

These protections are available in the security technologies that are built into Windows 10. And with the Windows 10 Creators Update, up-to-date computers get the latest security features and proactive mitigation.

Windows Defender Antivirus provides real-time protection against threats like Java malware and their payloads by using automation, machine learning, and heuristics.

In enterprise environments, Office 365 Advanced Threat Protection blocks malicious emails from spam campaigns, such as those that distribute Java malware, using machine learning capabilities and threat intelligence from the automated processes discussed in this blog.

Device Guard locks down devices and provides kernel-level virtualization-based security, allowing only trusted applications to run. Note that its code integrity policy governs which native binaries (such as java.exe) may run; it does not inspect the .jar that a trusted Java runtime loads, so whether the Java runtime itself is permitted on a given device is the relevant policy decision.

Windows Defender Advanced Threat Protection alerts security operations teams about suspicious activities on devices in their networks.

It is also important to note that Oracle has been enforcing stronger security checks on legitimate Java applications. For instance, starting with Java 7 Update 51, the Java plug-in blocks applets and Web Start applications that are unsigned, self-signed, or missing the Permissions manifest attribute. Oracle will also start treating .jar files signed with MD5 as unsigned, requiring SHA-1 or stronger instead.

However, the Java malware discussed in this blog is the equivalent of an executable file (as opposed to a Java applet): it is launched by the locally installed Java runtime (java.exe or javaw.exe) when the user double-clicks the extracted .jar, so the plug-in checks above never come into play. Here are some additional tips to defend against Java malware in enterprise environments:

  • Remove the .jar file type association in the operating system so that .jar files don't run when double-clicked; .jar files must then be executed explicitly from the command line (java -jar)
  • Restrict Java to executing only signed .jar files
  • Manually verify signed .jar files (for example with jarsigner -verify -verbose -certs), keeping in mind that a valid signature identifies a publisher and says nothing about whether the code is benign
  • Apply an email gateway policy to block .jar attachments, including .jar files nested inside .zip and .rar archives, since that is how these campaigns deliver them
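The gateway and verification tips above, worked into a triage script. This is an added example, not Microsoft's code or tooling: it unpacks a ZIP attachment (nested ZIPs included, with a depth and size guard), recognizes a JAR by its contents rather than its extension, reads the manifest Main-Class to tell an executable JAR from a library, and reports whether the JAR carries a signature and which digest algorithms its .SF file declares, so MD5-signed JARs can be flagged. It does not cryptographically verify the signature (jarsigner -verify does that) and does not open .rar, which needs an external extractor. The sample attachment, file names and placeholder class/signature bytes are constructed for the example.

```python
import io
import re
import zipfile

MAX_DEPTH = 3                      # archives nested deeper than this are not unpacked
MAX_MEMBER_BYTES = 50 * 1024 ** 2  # skip oversized members (zip-bomb guard)

SIG_FILE = re.compile(r"^META-INF/[^/]+\.SF$", re.I)
SIG_BLOCK = re.compile(r"^META-INF/[^/]+\.(RSA|DSA|EC)$", re.I)
DIGEST_LINE = re.compile(r"^([A-Za-z0-9-]+?)-Digest[\w-]*:", re.M)


def _open(data: bytes) -> zipfile.ZipFile:
    return zipfile.ZipFile(io.BytesIO(data))


def looks_like_jar(names) -> bool:
    """A JAR is a ZIP with a manifest or compiled classes; the file extension is not trusted."""
    return "META-INF/MANIFEST.MF" in names or any(n.lower().endswith(".class") for n in names)


def inspect_jar(data: bytes) -> dict:
    """Structural facts about a JAR: Main-Class, signature presence, signature digest algorithms.
    Reads the .SF digest headers only; it does not validate the PKCS#7 block."""
    with _open(data) as zf:
        names = zf.namelist()
        main_class = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            m = re.search(r"^Main-Class:\s*(\S+)", manifest, re.M)  # 72-byte line wrapping not handled
            main_class = m.group(1) if m else None
        sig_files = [n for n in names if SIG_FILE.match(n)]
        digests = set()
        for sf in sig_files:
            digests.update(d.upper() for d in DIGEST_LINE.findall(zf.read(sf).decode("utf-8", "replace")))
    return {
        "main_class": main_class,
        "executable": main_class is not None,
        "signed": bool(sig_files) and any(SIG_BLOCK.match(n) for n in names),
        "digests": sorted(digests),
        "weak_digest": "MD5" in digests,
    }


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return (path, report) for every JAR found in an attachment, unpacking nested ZIPs."""
    if depth > MAX_DEPTH or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    with _open(data) as zf:
        if looks_like_jar(zf.namelist()):
            return [(name, inspect_jar(data))]
        findings = []
        for info in zf.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            findings.extend(scan_attachment(f"{name}/{info.filename}", zf.read(info.filename), depth + 1))
    return findings


def gateway_decision(findings: list) -> dict:
    """Last tip above: any JAR in a mail attachment is blocked; the reasons feed the alert."""
    reasons = []
    for path, r in findings:
        kind = "executable JAR" if r["executable"] else "JAR without Main-Class"
        if not r["signed"]:
            sig = "unsigned"
        elif r["weak_digest"]:
            sig = "MD5-signed"
        else:
            sig = "signed (" + "/".join(r["digests"]) + ")"
        reasons.append(f"{path}: {kind}, {sig}")
    return {"action": "block" if findings else "allow", "reasons": reasons}


# --- constructed sample data (not real malware) -----------------------------------
def build_jar(main_class, sf_digest=None) -> bytes:
    """Minimal JAR skeleton; the class bytes and signature block are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        manifest = "Manifest-Version: 1.0\r\n" + (f"Main-Class: {main_class}\r\n" if main_class else "")
        zf.writestr("META-INF/MANIFEST.MF", manifest + "\r\n")
        zf.writestr("a/Main.class", b"\xca\xfe\xba\xbe")  # class-file magic only
        if sf_digest:
            zf.writestr("META-INF/SIGNER.SF", f"Signature-Version: 1.0\r\n{sf_digest}-Digest-Manifest: AAAA\r\n\r\n")
            zf.writestr("META-INF/SIGNER.RSA", b"\x30\x00")  # stands in for the PKCS#7 block
    return buf.getvalue()


def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, d in entries.items():
            zf.writestr(n, d)
    return buf.getvalue()


# Shaped like the "2Via_Boleto_N<number>.zip" rows of Figure 1: a ZIP wrapping an MD5-signed executable JAR.
SAMPLE_ATTACHMENT = build_zip({"2Via_Boleto_N123.jar": build_jar("a.Main", "MD5")})

if __name__ == "__main__":
    print(gateway_decision(scan_attachment("2Via_Boleto_N123.zip", SAMPLE_ATTACHMENT)))
```

The content-based JAR check matters more than it looks: renaming the member to .jar.txt or nesting it one archive deeper defeats an extension filter but not a scan that opens every ZIP it finds, which is why the depth and member-size limits are there rather than an unbounded recursion.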

 

Duc Nguyen, Jeong Mun, Alden Pornasdoro
Microsoft Malware Protection Center

Comments (1)

  1. adwbust says:

    “Remove JAR in file type associations in the operating system so that .jar files don’t run when double-clicked; .jar files must be manually executed using command line”

    Um, why doesn't Microsoft do this?
