Researchers from Symantec published details about a new Java-based malware loader dubbed Verblecon that has been observed in campaigns from January to March this year, delivering unsophisticated payloads with simple goals such as cryptocurrency mining and stealing Discord authentication tokens. Although the payloads pose a relatively low threat to enterprise environments, the loader itself is sophisticated: it evades anti-virus products by re-packing the malware on every download, so each sample has a unique file hash that will not match static hash blocklists.
Verblecon is delivered as a Java Archive (JAR) file, so it can only run on computers with a Java Runtime installed. It targets Windows systems only; Linux, macOS and computers without Java would not be affected. Although the .jar file name and file hash are randomized each time, the researchers noted several behavioral indicators that can be used to detect this malware reliably when it runs on a system.
The JAR file usually runs from the user's AppData\Local\Temp folder, performs anti-analysis checks to make sure it is not running in a virtual machine, and runs “tasklist.exe /fo csv /nh” to check whether any sandbox or analysis programs are running. It also checks for the existence of a long list of files; if any of them are present, the malware exits without delivering its payload. The malware saves itself on the system under a filename computed from the infection ID, which is an MD5 hash in hexadecimal format, and may place that copy in the %ProgramData% folder, the %ALL_USERS_HOME% folder, or the %LOCALAPPDATA% folder.
The malware periodically attempts network connections to hxxps://gaymers[.]ax or to a generated domain name that is also an MD5 hash in hexadecimal format, under the .tk top-level domain.
Although this loader has so far been observed delivering only low-threat payloads, it is reasonable to assume that, if it proves successful, it will be used to deliver more destructive payloads in the future. Several aspects of this loader lend themselves well to behavioral detections, and even to active preventative countermeasures such as intentionally placing the files the malware looks for on endpoints, to fool it into thinking it is running in a sandbox. Threat hunting for .jar files whose names look like MD5 hashes, or for DNS lookups of domain names that look like MD5 hashes, can also be effective for finding this malware.
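The behavioral hunt described above, as an added Python example that is not part of the Symantec report: it scans simplified endpoint telemetry for the three indicators the article names (an MD5-looking .jar name in one of the drop folders, an MD5-looking .tk domain, and a Java process running the tasklist sandbox check). The event records, field names and regular expressions are constructed for this example, not taken from any real product.

```python
import re
from typing import Optional

# Constructed telemetry in the shape of a simplified EDR export: one hit of each
# kind plus benign noise. None of these values come from the report.
SAMPLE_EVENTS = [
    {"type": "file", "path": r"C:\ProgramData\3f2a9c8b1d4e5f60718293a4b5c6d7e8.jar"},
    {"type": "file", "path": r"C:\Program Files\App\app-2.1.0.jar"},
    {"type": "dns", "query": "9e107d9d372bb6826bd81d3542a419d6.tk"},
    {"type": "dns", "query": "updates.example.com"},
    {"type": "process", "parent": "java.exe", "cmdline": "tasklist.exe /fo csv /nh"},
    {"type": "process", "parent": "cmd.exe", "cmdline": "tasklist.exe /v"},
]

MD5_HEX = r"[0-9a-f]{32}"
MD5_JAR_NAME = re.compile(rf"^{MD5_HEX}\.jar$", re.IGNORECASE)
MD5_TK_DOMAIN = re.compile(rf"^{MD5_HEX}\.tk$", re.IGNORECASE)
TASKLIST_CHECK = re.compile(r"\btasklist(?:\.exe)?\s+/fo\s+csv\s+/nh\b", re.IGNORECASE)
# Drop locations named in the article (ProgramData and the user's AppData\Local tree,
# which covers both %LOCALAPPDATA% and its Temp subfolder).
DROP_DIR_HINTS = ("\\programdata\\", "\\appdata\\local\\")
JAVA_PARENTS = ("java.exe", "javaw.exe")


def check_event(event: dict) -> Optional[str]:
    """Return an indicator name if the event matches one of the behaviours, else None."""
    kind = event.get("type")
    if kind == "file":
        path = event["path"]
        name = path.rsplit("\\", 1)[-1]
        if MD5_JAR_NAME.match(name) and any(h in path.lower() for h in DROP_DIR_HINTS):
            return "md5-named-jar-in-drop-dir"
    elif kind == "dns":
        if MD5_TK_DOMAIN.match(event["query"].rstrip(".")):
            return "md5-named-tk-domain"
    elif kind == "process":
        if event.get("parent", "").lower() in JAVA_PARENTS and TASKLIST_CHECK.search(event["cmdline"]):
            return "java-spawned-tasklist-sandbox-check"
    return None


def scan_events(events: list) -> list:
    """Run every event through check_event and collect (indicator, evidence) pairs."""
    hits = []
    for ev in events:
        indicator = check_event(ev)
        if indicator:
            hits.append((indicator, ev.get("path") or ev.get("query") or ev.get("cmdline")))
    return hits


if __name__ == "__main__":
    for indicator, evidence in scan_events(SAMPLE_EVENTS):
        print(f"{indicator}: {evidence}")
```

A single MD5-looking filename or domain is only a lead, so in practice these hits are best correlated with the Java parent process and the drop folder before alerting.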