
Bloody Wolf vs Kazakhstan (Part II - Under the Hood)

TL;DR
We already wrote about Bloody Wolf group tactics and tools in Part I. In this article we cover the complexity of detecting malicious JAR files, propose our solution, and provide a checklist for verifying your SOC readiness against such attacks.
1. INTRO: Ideal conditions for STRRAT
Although Java malware is rare, JAR-based attacks pose a particularly high risk to Kazakhstan's infrastructure: historically, users have had to install NCALayer for digital signatures, software that requires the Java Virtual Machine (JVM) to run.
NCALayer is software developed for working with digital signatures on government portals of the Republic of Kazakhstan, in particular on the e-government portal eGov.kz. It was created in 2017 when popular browsers discontinued Java applet support and an alternative solution for digital signatures was needed. NCALayer enables use of digital signature tools in web applications, providing Java support in the browser.
1.1. Java malware specifics
What is Java?
Java is a cross-platform programming language and runtime (JRE) whose bytecode runs on different operating systems via a virtual machine (JVM). In other words, developers don't need to rewrite an application for each new OS or browser it runs on. That is why Java is extremely popular among web and software developers for a wide range of devices.
What does malware need?
To run Java malware correctly, an installed JRE is required, which is still common in corporate infrastructure. Attackers also often embed their own JRE directly into .exe files to guarantee malicious code execution regardless of environment configuration.
In the Kazakhstan context, widespread NCALayer use increases vulnerability since JRE is installed on most workstations. For example, in a 2023 incident attackers sent phishing emails asking to install an NCALayer "update", which led to malicious script download and RAT installation (Venom RAT v6.0.1). This highlights how NCALayer popularity is used to mask attacks like STRRAT used by Bloody Wolf.
Prevalence of Java-related attacks
According to our Threat Intelligence service data, we can draw the following conclusions:
In the reports for 2024–2025, four campaigns using malicious JAR files were observed. It is worth noting that although JAR files appear in several studies, the overall volume of attacks using JAR as the primary infection vector remains small.

Next we will look at evasion of security controls and our experience detecting such activity.
2. Evasion of security controls (EDR)
Testing the malicious STRRAT JAR file (NCALayer240RU.jar) showed that EDR systems such as Elastic and Microsoft Defender did not record events during the activity period (May–June), despite clear signs of malicious behavior: network connections, persistence attempts, and autorun manipulation. This is due to non-standard methods typical of JAR-based attacks:
- Code obfuscation: STRRAT uses obfuscation tools that encrypt string constants and method names, hindering EDR signature analysis.
- Delayed execution: the sample from NCALayer240RU.jar uses ScheduledExecutorService to delay execution by 3 minutes, bypassing sandboxes with time limits.
- Dynamic class loading: STRRAT and similar samples use ClassLoader.defineClass() to decrypt and execute a binary blob in memory, avoiding disk writes and hindering analysis.
- Anti-analysis: the malware checks running processes (ProcessHandle.allProcesses()) for EDR/AV (e.g., defender, avast) and sandbox indicators (hostnames such as user, test, lab), stopping execution when they are found.
- EDR blind spots: EDR focuses on the native Windows API (ntdll.dll, kernel32.dll), while actions inside the JVM (java.exe, javaw.exe) remain hidden behind bytecode interpretation and JIT compilation.
- Second-stage loading: a temporary JAR (e.g., C:\Users\user\AppData\Local\Temp\tmp35290.jar) is written to %TEMP% and launched via javaw.exe with Runtime.getRuntime().exec().
- Legitimate behavior mimicry: the GUI shows a fake "no debt" message and opens the legitimate tax authority site to pass as NCALayer.
- C2 communication: the JAR loader retrieves the next-stage URL from pastebin.com, bypassing static blocklists.
- Autorun without registry: the malware copies itself to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\NCALayerServer.jar, avoiding registry modification.
- Shell-less execution: using ProcessBuilder("java", "-jar", <path>) avoids cmd.exe or powershell, reducing detection by behavioral rules.
According to a 2022 study using VirusTotal with 86 AV solutions, the overall average detection rate for JAR malware was only 34.95%.

2.1 Insufficient SIEM rules in Elastic Security
Another drawback is the small number of prebuilt detection rules related to Java: Elastic Security ships only three such rules out of the box. This creates blind spots in protection against attacks using non-standard and rarely seen executable formats.
3. Simple STRRAT detection solution for Elastic Security
As a solution we propose a simple but effective rule per OS for detecting any JAR file execution:
Windows:

```eql
process where host.os.type == "windows" and event.type == "start" and
process.name == "javaw.exe" and
process.executable: "*\\bin\\javaw.exe" and
process.args: "-jar"
```

Linux:

```eql
process where host.os.type == "linux" and event.type == "start" and
process.name == "java" and
process.args: ("*-jar*", "*.jar") and
process.executable: ("/usr/bin/java", "/usr/lib/jvm/*/bin/java")
```

macOS:

```eql
process where host.os.type == "macos" and event.type == "start" and process.name == "java" and
process.executable: (
  "/usr/bin/java",
  "/Library/Java/*/bin/java",
  "/Users/*/.sdkman/candidates/java/*/bin/java",
  "*/bin/java")
and (process.args: ("-jar*", "-J-jar*")
  or process.args: ("*.jar", "*/*.jar")
  or process.command_line: ("*-jar*", "*.jar"))
```

These rules are provided as examples and can be refined based on your infrastructure specifics.
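To show how these rules behave on concrete telemetry, the following Python script is an added illustration for this article, not code from the original post, from Elastic Security or from the STRRAT sample. It re-implements the three JAR-launch rules above with glob matching and adds checks for two of the indicators listed in section 2 (a .jar written to the Startup folder, and a JVM process connecting to pastebin.com), then runs them over constructed sample events. Field names follow the ECS keys used in the rules; the sample paths, hostnames and event ids that are not quoted from the article (jre-17, /tmp/payload.jar, e1..e6) are assumptions.

```python
"""Added illustration: the section 3 JAR-launch rules and two section 2
indicators re-implemented in Python and run over constructed sample events.
Field names follow the ECS keys used in the EQL rules; everything else
(sample paths, hostnames, event ids) is constructed for the example."""
from fnmatch import fnmatch
from typing import Iterable


def _any_match(values: Iterable[str], patterns: Iterable[str]) -> bool:
    """True if any value matches any glob; compared case-insensitively,
    approximating the EQL ':' wildcard operator."""
    return any(fnmatch(v.lower(), p.lower()) for v in values for p in patterns)


# Section 3 rules, one per OS: JVM launcher name, allowed executable paths,
# and the argument patterns that indicate a JAR being run.
JAR_LAUNCH_RULES = {
    "windows": {"name": ["javaw.exe"],
                "executable": ["*\\bin\\javaw.exe"],
                "args": ["-jar"]},
    "linux": {"name": ["java"],
              "executable": ["/usr/bin/java", "/usr/lib/jvm/*/bin/java"],
              "args": ["*-jar*", "*.jar"]},
    "macos": {"name": ["java"],
              "executable": ["/usr/bin/java", "/Library/Java/*/bin/java",
                             "/Users/*/.sdkman/candidates/java/*/bin/java",
                             "*/bin/java"],
              # the macOS rule's command_line clause is folded into the args check
              "args": ["-jar*", "-J-jar*", "*.jar", "*/*.jar"]},
}

# Section 2 indicators: autorun via the per-user Startup folder (no registry),
# and a JVM process fetching its next stage from pastebin.com.
STARTUP_JAR_GLOB = ("*\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
                    "\\Programs\\Startup\\*.jar")
JVM_NAMES = {"java", "java.exe", "javaw.exe"}
PASTE_DOMAINS = ["pastebin.com", "*.pastebin.com"]


def jar_launch_rule(event: dict) -> bool:
    """Process start of the platform JVM launcher with a -jar style argument."""
    rule = JAR_LAUNCH_RULES.get(event.get("host.os.type"))
    if rule is None or event.get("event.type") != "start":
        return False
    return (_any_match([event.get("process.name", "")], rule["name"])
            and _any_match([event.get("process.executable", "")], rule["executable"])
            and _any_match(event.get("process.args", []), rule["args"]))


def startup_jar_rule(event: dict) -> bool:
    """A .jar created or modified inside the Startup folder."""
    return (event.get("event.category") == "file"
            and event.get("event.type") in ("creation", "change")
            and fnmatch(event.get("file.path", "").lower(), STARTUP_JAR_GLOB.lower()))


def java_pastebin_rule(event: dict) -> bool:
    """A JVM process opening a network connection to pastebin.com."""
    return (event.get("event.category") == "network"
            and event.get("process.name", "").lower() in JVM_NAMES
            and _any_match([event.get("destination.domain", "")], PASTE_DOMAINS))


RULESET = {"jar_launch": jar_launch_rule,
           "startup_jar_drop": startup_jar_rule,
           "java_pastebin_connection": java_pastebin_rule}


def evaluate(events: list) -> list:
    """Return (rule name, event id) for every event that trips a rule."""
    return [(name, ev["id"]) for ev in events
            for name, rule in RULESET.items() if rule(ev)]


# Constructed telemetry: e1, e3, e4 and e5 should fire (e1/e4/e5 mirror the
# STRRAT chain from section 2); e2 and e6 show what the rules do not catch.
SAMPLE_EVENTS = [
    {"id": "e1", "host.os.type": "windows", "event.category": "process",
     "event.type": "start", "process.name": "javaw.exe",
     "process.executable": "C:\\Program Files\\Java\\jre-17\\bin\\javaw.exe",
     "process.args": ["javaw.exe", "-jar",
                      "C:\\Users\\user\\AppData\\Local\\Temp\\tmp35290.jar"]},
    {"id": "e2", "host.os.type": "windows", "event.category": "process",
     "event.type": "start", "process.name": "java.exe",  # console launcher, no -jar
     "process.executable": "C:\\Program Files\\Java\\jre-17\\bin\\java.exe",
     "process.args": ["java.exe", "-version"]},
    {"id": "e3", "host.os.type": "linux", "event.category": "process",
     "event.type": "start", "process.name": "java",
     "process.executable": "/usr/lib/jvm/java-17-openjdk/bin/java",
     "process.args": ["java", "-jar", "/tmp/payload.jar"]},
    {"id": "e4", "host.os.type": "windows", "event.category": "file",
     "event.type": "creation", "process.name": "javaw.exe",
     "file.path": "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows"
                  "\\Start Menu\\Programs\\Startup\\NCALayerServer.jar"},
    {"id": "e5", "host.os.type": "windows", "event.category": "network",
     "event.type": "connection", "process.name": "javaw.exe",
     "destination.domain": "pastebin.com", "destination.port": 443},
    {"id": "e6", "host.os.type": "windows", "event.category": "network",
     "event.type": "connection", "process.name": "chrome.exe",  # browser, not JVM
     "destination.domain": "pastebin.com", "destination.port": 443},
]

if __name__ == "__main__":
    for rule_name, event_id in evaluate(SAMPLE_EVENTS):
        print(f"{rule_name}: {event_id}")
```

Note that the launch rule fires on every JAR execution, including legitimate ones, so in production it is tuned by allowlisting the executable paths and JAR locations your infrastructure actually uses; the Startup-folder and pastebin checks are narrower and are the ones to correlate with a JAR launch when triaging an alert.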
We also recommend using Sigma rules that detect suspicious behavior related to Java child process execution.
4. SOC readiness verification checklist
Goal: Verify that the SOC team can detect a Java process launch, autorun, C2-like traffic, and anomalies mimicking STRRAT, using a legitimate helloworld.jar in the Kazakhstan context (where such launches resemble NCALayer).
Assumption: You have helloworld.jar from https://github.com/jarirajari/helloworld/blob/master/helloworld.jar. Before testing, ensure the Java Runtime Environment (JRE) is installed:

```shell
java -version
```

4.1. Java process launch verification
- Task: Ensure you detect a helloworld.jar launch from a non-standard directory, as STRRAT does.
- Actions: Download helloworld.jar (if not already present):

  ```shell
  wget https://github.com/jarirajari/helloworld/raw/master/helloworld.jar
  ```

  Place helloworld.jar in AppData\Roaming and run:

  ```powershell
  Copy-Item helloworld.jar $env:APPDATA\helloworld.jar
  Start-Process -FilePath "java" -ArgumentList "-jar $env:APPDATA\helloworld.jar" -NoNewWindow
  ```

- Expected result: Java launch from AppData\Roaming is logged and an alert is generated.

4.2. Autorun verification
- Task: Verify you detect scheduled task creation mimicking STRRAT persistence.
- Actions: Create a scheduled task with a disguised name and a hidden schedule:

  ```cmd
  schtasks /create /tn "NCALayerUpdate" /tr "cmd.exe /c java -jar %APPDATA%\helloworld.jar" /sc daily /st 02:00 /f
  ```

- Delete the task afterwards:

  ```cmd
  schtasks /delete /tn "NCALayerUpdate" /f
  ```

- Expected result: alert on scheduled task creation.

4.3. Pastebin file download verification
- Task: Ensure you detect HTTPS request for Pastebin file download, as with STRRAT.
- Actions: Execute the file download request:

  ```powershell
  Invoke-WebRequest -Uri "https://pastebin.com/raw/dFKy3ZDm" -OutFile "$env:APPDATA\testfile.txt"
  ```

- Expected result: HTTPS request to Pastebin and file creation are logged, and an alert is generated.

5. Conclusion
JAR-based attacks pose a serious threat, especially in Kazakhstan. Attackers effectively bypass traditional EDR systems using social engineering, dynamic RAT loading, delayed execution, and persistence mechanisms.
A qualified outsourced SOC plays a key role in security, providing 24/7 monitoring, rapid incident response, and timely detection rule updates based on current IOCs and TTPs. Users are advised to download software only from official sources (e.g., pki.gov.kz) and to use antivirus solutions with behavioral analysis.
6. References
- https://bi.zone/expertise/blog/bloody-wolf-primenyaet-kommercheskoe-vpo-strrat-protiv-organizatsiy-v-kazakhstane/
- https://media.kaspersky.com/pdf/Report_Java_under_attack_2012-2013.pdf
- https://cyble.com/blog/strrats-latest-version-incorporates-dual-obfuscation-layers/
- https://snailsploit.com/evading-endpoint-detection-and-response-edr-f18cf2da38ed
- https://www.nature.com/articles/s41598-022-05921-5
- https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_java_susp_child_process/
- https://en.wikibooks.org/wiki/Java_Programming/Reflection/Dynamic_Class_Loading
- https://www.elastic.co/docs/solutions/security/detect-and-alert/create-detection-rule
- https://egov.kz/cms/sites/default/files/kaz_instr_ncalayer_4.pdf
- https://bluescreen.kz/tiekhnichieskii-razbor-intsidienta-s-falshivym-obnovlieniiem-ncalayer/


