Contrary to initial reports, JACKSBOT may not be as low risk as first thought. We have noted JACKSBOT infections in the wild, indicating that the people behind this multiplatform malware are saving their best tricks for last.
We analyzed the JACKSBOT backdoor family (specific detection name JAVA_JACKSBOT.A), which arrives as a Java application. Because it is a Java application, it can run on any platform that supports the Java Runtime Environment. When it was first reported, it was considered low risk and no actual infection had been recorded. However, days after the report was released, Trend Micro successfully cleaned two infections: one in Australia and one in Malaysia. This indicates that the malware is now being distributed in the wild.
There is a possibility that this malware presents itself as a Minecraft modification to unsuspecting users as it contains the special command “MC” for stealing Minecraft passwords from the compromised system.
Using a decompiler, I was able to see how this malware performs its dirty work. As seen in the screenshot below, the malware checks the OS currently running on the system.