JessieConTea
JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.
The malware was delivered in the wild via trojanized applications such as DeFi Wallet or Citrix Workspace.
JessieConTea generates POST parameters with a specific parameter name, jsessid, from which the first part of its name is derived. It also contains the RTTI symbol ".?AVCHttpConn@@", which inspired the second part of the name. C&C traffic is encrypted with RC4.
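A static triage check for the indicators named above (the RTTI symbol, the jsessid parameter name and the 0x60D49D97 command index), as an added example that is not Malpedia's or the malware author's code. The sample buffer is constructed, and treating the roughly 30 command indices as consecutive values is an assumption the description implies but does not state.

```python
"""Static triage for the JessieConTea indicators named above (added example).

Searches a PE image or memory dump for the RTTI symbol ".?AVCHttpConn@@",
the POST parameter name "jsessid" (ASCII or UTF-16LE, since Windows binaries
often store wide strings) and the first command index 0x60D49D97 encoded as a
little-endian DWORD. Counting further indices assumes they run consecutively.
"""
import struct

RTTI_SYMBOL = ".?AVCHttpConn@@"
POST_PARAM = "jsessid"
FIRST_COMMAND_ID = 0x60D49D97
COMMAND_COUNT = 30  # "around 30 commands"; consecutive numbering is assumed

def contains_string(data: bytes, s: str) -> bool:
    """Match the narrow (ASCII) or wide (UTF-16LE) encoding of s."""
    return s.encode("ascii") in data or s.encode("utf-16-le") in data

def scan_buffer(data: bytes) -> dict:
    """Report which indicators occur in the buffer."""
    found_ids = [
        FIRST_COMMAND_ID + i
        for i in range(COMMAND_COUNT)
        if struct.pack("<I", FIRST_COMMAND_ID + i) in data  # 32-bit LE
    ]
    return {
        "rtti_symbol": contains_string(data, RTTI_SYMBOL),
        "jsessid_param": contains_string(data, POST_PARAM),
        "command_ids_found": len(found_ids),
    }

def is_likely_jessiecontea(result: dict) -> bool:
    """Require the family-specific RTTI symbol plus one more indicator."""
    return result["rtti_symbol"] and (
        result["jsessid_param"] or result["command_ids_found"] > 0
    )

# Constructed sample buffer carrying all three indicators (not a real sample).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 64
    + "jsessid=".encode("utf-16-le")
    + b".?AVCHttpConn@@\x00"
    + b"".join(struct.pack("<I", FIRST_COMMAND_ID + i) for i in range(3))
)

if __name__ == "__main__":
    report = scan_buffer(SAMPLE)
    print(report, is_likely_jessiecontea(report))
```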
Family metadata imported from Malpedia (Fraunhofer FKIE).