Inside the JDownloader Supply-Chain Attack: An r77 Rootkit Bot That Kills Your Antivirus

MITRE Techniques

• [T1195.002 ] Supply Chain Compromise: Compromise Software Supply Chain – Attackers altered the official JDownloader download path to distribute trojanized installers. [‘compromised the official JDownloader website and swapped download links to serve trojanized installers’]
• [T1027 ] Obfuscated Files or Information – The malware used PyArmor, XOR-encrypted resources, RC4-encrypted registry values, and obfuscated bytecode to hinder analysis. [‘protected by PyArmor v9’, ‘XOR-obfuscated’, ‘RC4-encrypted and hex-encoded’]
• [T1562.001 ] Impair Defenses: Disable or Modify Tools – The WDAC policy blocked security products and Windows security services from launching after reboot. [‘blocks 50 AV/EDR executables from running after reboot’]
• [T1055.001 ] Process Injection: Dynamic-link Library Injection – The r77 stager injected DLLs into winlogon.exe to hide processes, files, and registry keys. [‘injects the r77 hooking DLLs … into winlogon.exe’]
• [T1102.001 ] Web Service: Dead Drop Resolver – The bot fetched encrypted C2 addresses from Telegraph and Rentry pages. [‘The bot fetches the page, extracts and decrypts the content’]
• [T1480.001 ] Execution Guardrails: Environmental Keying – Stage 2 delayed execution to outlast sandboxes before showing malicious behavior. [‘three times in sequence’, ‘designed to outlast automated sandboxes’]
• [T1014 ] Rootkit – The r77-based component hid artifacts using $77-prefixed hooks and invisibility behavior. [‘Once r77 is active, the $77 prefix acts as an invisibility cloak’]
• [T1543.003 ] Create or Modify System Process: Windows Service – The stager installed a service to survive reboots. [‘installs a Windows service ($77svc) to ensure the rootkit survives reboots’]
• [T1112 ] Modify Registry – The dropper stored bot config and rootkit persistence data in registry locations. [‘writes the bot’s initial configuration to HKCUSOFTWAREPython’, ‘stores the stager assembly as a binary blob in HKLMSOFTWARE$77stager’]
• [T1573.002 ] Encrypted Channel: Asymmetric Cryptography – The bot used RSA-OAEP to wrap the AES key during C2 handshake. [‘wraps a fresh AES-256 key with the hardcoded RSA-2048 public key (OAEP, SHA-256)’]
• [T1090.003 ] Proxy: Multi-hop Proxy – The dead-drop resolver mechanism acted as an intermediary layer between infected hosts and C2 addresses. [‘an intermediary, a legitimate web page where the operator publishes encrypted C2 addresses’]
• [T1001 ] Data Obfuscation – Campaign IDs, resolver URLs, and registry content were concealed using encrypted and hex-encoded storage. [‘making the registry entries look like random hex strings’]
• [T1068 ] Exploitation for Privilege Escalation – The Linux chain installed a SUID-root helper to gain root execution. [‘calls setuid(0), setgid(0), and execvp()’]
• [T1053.004 ] Scheduled Task/Job: Launchd – Not mentioned explicitly as a technique; omitted from strict list.