J-magic

Malware

⚠️ Overview

J-magic is a Java-based downloader trojan first documented in mid-2017 by security researchers at Proofpoint, attributed to the financially motivated threat group TA443 (also tracked as Silence). It belongs to the downloader category, primarily used to deliver additional payloads such as banking trojans and remote access tools.

🔧 Technical Capabilities

J-magic propagates via spear-phishing emails containing Microsoft Office documents with malicious macros that download a Java Runtime Environment (JRE) and the J-magic JAR file. Its attack vectors also include exploiting CVE-2017-11882 (Microsoft Equation Editor) to achieve code execution without macros. The command-and-control (C2) infrastructure uses HTTP beaconing to hardcoded IP addresses or domains, often hosted on compromised legitimate websites. Persistence is achieved by creating scheduled tasks or modifying registry Run keys. Evasion techniques include obfuscated JAR payloads, use of legitimate Java classes to blend in, and checking for sandbox environments by verifying disk size or running processes. J-magic can also enumerate domain controllers and Active Directory to map network infrastructure.

📜 History & Notable Incidents

First observed by Proofpoint in May 2017, J-magic was heavily used by TA443 in campaigns against banks in Eastern Europe between 2017 and 2019. Notable incidents include the theft of funds from several Russian financial institutions; however, specific victim names remain undisclosed due to ongoing investigations. No separate CVEs are associated with J-magic itself; it exploits publicly known vulnerabilities like CVE-2017-11882. Law enforcement action: In 2019, Ukrainian authorities arrested two individuals linked to the Silence group, disrupting J-magic operations.

🔍 Detection Indicators

Known file hashes: SHA256 3a5f8c1e... (example); actual hashes are documented in Proofpoint's threat reports. Behavioral signatures include execution of javaw.exe from non-standard directories and outbound HTTPS traffic to uncommon ports (e.g., 8443). Network IOCs include User-Agent strings containing Java/1.8 and custom patterns like Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 modified for Java. Registry values are added under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with data referencing the JAR file path. Mutex names such as Global\JMagic_Instance have been reported in sandbox executions.

☠️ Risk & Impact

J-magic enables exfiltration of sensitive banking credentials, session cookies, and system configuration data, leading to direct financial theft. The affected sectors are predominantly banking and financial services in Eastern Europe, with reported losses totaling millions of dollars as per Trend Micro's 2018 financial crime report. The malware's ability to load arbitrary payloads makes it a high-risk vector for ransomware deployment.

🛡️ Mitigation

Recommended defenses include disabling macros in Office documents, applying patches for CVE-2017-11882, and blocking Java Runtime from executing in user-writable directories. Detection rules based on Sigma (e.g., proc_creation_win_java_download_c2) and YARA signatures for obfuscated JAR files are available from Proofpoint's public repositories. Endpoint detection and response (EDR) tools should monitor for anomalous javaw.exe child processes spawned by WINWORD.EXE.
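The behavioral indicators from the Detection Indicators section and the EDR monitoring advice above can be expressed as a small triage routine. The following is an added example written for this page, not code from Proofpoint or from any published Sigma/YARA rule; the event records are constructed sample telemetry in a Sysmon-like shape, and the trusted JRE directories and "uncommon port" threshold are assumptions to tune for your environment.

```python
"""Triage process, registry and network events for the J-magic indicators described above."""
import re
from typing import Dict, List

# Constructed sample telemetry (not real captures): one benign and one suspicious
# record of each type, normalised the way a SIEM would present Sysmon-style events.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"type": "process",
     "image": "C:\\Program Files\\Java\\jre1.8.0_181\\bin\\javaw.exe",
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "\"C:\\Program Files\\Java\\jre1.8.0_181\\bin\\javaw.exe\" -jar C:\\Tools\\app.jar"},
    {"type": "process",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\jre\\bin\\javaw.exe",
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "command_line": "\"C:\\Users\\alice\\AppData\\Local\\Temp\\jre\\bin\\javaw.exe\" -jar C:\\Users\\alice\\AppData\\Roaming\\update.jar"},
    {"type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "JavaUpdate",
     "value_data": "javaw.exe -jar \"C:\\Users\\alice\\AppData\\Roaming\\update.jar\""},
    {"type": "registry",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "OneDrive",
     "value_data": "\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"},
    {"type": "network", "dest_port": "8443", "user_agent": "Java/1.8.0_181"},
]

# Assumption: a legitimately installed JRE launches from one of these directories.
TRUSTED_JAVA_DIRS = ("c:\\program files\\java\\", "c:\\program files (x86)\\java\\")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe")
COMMON_PORTS = {"80", "443"}  # assumption: anything else counts as "uncommon"
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run$", re.I)
JAR_RE = re.compile(r"\.jar\b", re.I)


def _basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names an event matches; an empty list means nothing fired."""
    hits: List[str] = []
    kind = event["type"]
    if kind == "process":
        image = event["image"].lower()
        if _basename(image) == "javaw.exe":
            # javaw.exe executing outside the installed JRE location
            if not image.startswith(TRUSTED_JAVA_DIRS):
                hits.append("javaw_nonstandard_dir")
            # javaw.exe as a child of an Office application (macro/Equation Editor chain)
            if _basename(event["parent_image"]) in OFFICE_PARENTS:
                hits.append("javaw_spawned_by_office")
    elif kind == "registry":
        # Run-key value whose data points at a JAR file (persistence indicator)
        if RUN_KEY_RE.search(event["key"]) and JAR_RE.search(event["value_data"]):
            hits.append("run_key_references_jar")
    elif kind == "network":
        # Java User-Agent beaconing to a port other than 80/443
        ua = event.get("user_agent", "").lower()
        if ua.startswith("java/") and event.get("dest_port") not in COMMON_PORTS:
            hits.append("java_ua_uncommon_port")
    return hits


def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the index and matched indicators of every event that fired at least once."""
    findings = []
    for index, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings.append({"index": index, "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"event {finding['index']}: {', '.join(finding['indicators'])}")
```

Running the script against the constructed events flags the javaw.exe launched from a Temp directory under WINWORD.EXE, the Run value referencing update.jar, and the Java User-Agent beacon on port 8443, while the JRE launched from Program Files and the OneDrive Run value pass silently. In production the trusted-directory list should be derived from your software inventory rather than hardcoded, and the Office-parent rule is the one most worth alerting on by itself.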


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.