CoffeeShot is an evasion framework that injects payload from Java-based programs into designated processes on Microsoft Windows.
CoffeeShot assists blue team members in assessing the effectiveness of their anti-malware measures against malicious software written in Java. Red team members and pen testers can also use CoffeeShot to bypass the target’s security controls.
CoffeShot utilizes JNA (Java Native Access) to inject payload from Java-based programs into designated processes on Microsoft Windows.
The memory injection methods that CoffeeShot employs are straightforward and are well-known in the context of traditional, compiled executables. The effectiveness of these techniques at evading AV when they’re implemented in Java, highlights the brittle nature even by modern antivirus tools.
Java a Blind Spot of Endpoint Security
Creating malware in Java offers attackers numerous advantages over compiled binary formats such as PE, including ease-of-use, cross-platform compatibility, and anti-malware tool evasion.
Authors of Java malware can armor their creations for survival in the wild in many ways, including obfuscating their code to slow down analysis and complicate detection by traditional AV approaches. As the result, spotting Java-based malware by hash is ineffective on a large scale. Moreover, the relatively low rate of occurrence of Java malware in the wild gives such malicious programs a unique advantage against modern AV techniques. In particular, training a machine learning model to distinguish between legitimate and malicious files typically requires a very large dataset. While there are many PE samples to use for this purpose, finding enough Java samples to ensure reliable classification is often impractical.
These advantages allow Java-based malware to bypass traditional and modern anti-virus products with relative ease. One example of Java malware that has been highly successful in the wild for these reasons is Adwind, which we discussed along with other evasive Java RATs in an earlier post.
CoffeeShot: Injecting Shellcode from Java
Another advantage that attackers gain by writing malware in Java is the powerful capabilities that the JNA interface offers to such programs for directly interacting with Windows APIs. This allows Java programs to abuse Windows capabilities without the intensive scrutiny that antivirus tools apply to PE executables. One example of this functionality, which is an effective evasion tactic, involves injecting malicious code into trusted processes.
CoffeeShot is a proof-of-concept framework that demonstrates memory injection capabilities of Java-based programs as an AV evasion tactic. Written in Java, CoffeeShot uses JNA to call the appropriate Windows APIs to inject shellcode into other processes. This allows Java malware to act as a delivery mechanism for other forms of malicious code, executing arbitrary payload in a manner that bypasses many anti-malware controls.
How Does it Work?
To begin using CoffeeShot, the user needs to modify the source code. The user begins by inserting the shellcode to its designated place in a Java-friendly format:
CoffeeShot’s classic memory injection technique is consistent with the approaches commonly used by PE executables. It begins by using the CreateToolhelp32Snapshot API to locate the process targeted by the user for injection.
CoffeeShot allocates memory in the target process using VirtualAllocEx. Next, it uses WriteProcessMemory to write shellcode into the target process. It then executes the shellcode in the target process by calling CreateRemoteThread.
These are the API calls often used for memory injection from PE executables. CoffeeShot shows how easy it is to implement such techniques directly from Java as a form of evasion. The entire injection routine is executed by java.exe or javaw.exe processes within the blind spot of many antivirus tools.
To experiment with CoffeeShot, insert the desired 32-bit shellcode into the tool’s source code, build the project and export it to a runnable JAR file. Voilà! Now you have a Java runnable program that evades detection by many AV products.
You can now execute the runnable JAR file with the arguments “java -jar XXX.jar [processName]”
The JAR file requires as input the name of the process targeted for injection.
To demonstrate CoffeeShot in action, we created a short video. It demonstrates how threat actors can bypass many security tools, such as AV and application whitelisting, to evade detection by performing memory injection from Java. Using Kali Linux and Metasploit, we armed CoffeeShot with a Meterpreter reverse TCP shell and created a C2 server without any interference from the local antivirus tool.
CoffeeShot is provided in Minerva’s research team’s GitHub account.
If you’re attending Black Hat USA 2018, see our live demo session on Thursday, August 9, 11:30am-12:50pm at Business Hall (Oceanside), Arsenal Station 9. You’ll learn more about CoffeeShot, meet its author and grab a cool sticker before anyone else.