Skip to main content

New JhoneRAT Malware Targets Middle East



Researchers say that JhoneRAT has various anti-detection techniques — including making use of Google Drive, Google Forms and Twitter.
Researchers are warning of a new remote access trojan (RAT), dubbed JhoneRAT, which is being distributed as part of an active campaign, ongoing since November 2019, that targets victims in the Middle East. Once downloaded, the RAT gathers information on the victims’ computers and is also able to download additional payloads.
Evidence shows that the attackers behind JhoneRAT have taken extra steps to ensure the RAT is being distributed to Arabic-speaking victims. Researchers note that the attackers have also made use of various cloud services, such as Google Drive and Google Forms, as part of the payload’s infection process.
“The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers,” said researchers with Cisco Talos in a Thursday analysis. “JhoneRAT is developed in Python but not based on public source code, as it is often the case for this type of malware. The attackers put great effort to carefully select the targets located in specific countries based on the victim’s keyboard layout.”
The RAT is first spread to victims via malicious Microsoft Office documents. Threatpost has reached out to researchers to clarify whether those documents are spread via email or other methods.
Researchers identified three malicious documents distributing JhoneRAT: the oldest, from November 2019, is called “Urgent.docx.” The second document is from the beginning of January 2019, named “fb.docx,” and contains usernames and passwords from an alleged “Facebook” leak. A final, more recent document is from mid-January and purports to be from a United Arab Emirate organization. The author blurred the content of the document and asks the user to enable editing to see the content.
Once the user either opens the document or enable editing, the malicious documents then downloads an additional Office document from Google Drive with an embedded Macro.
Interestingly, the attackers use multiple cloud services — Google Drive, Twitter, and Google Forms, for instance — to eventually download the payload. While it should be noted that this is not the first time an attacker used cloud provider platforms in this way, researchers say this method helps the bad actor evade detection and defenders.
“It is hard for the targets to identify legitimate and malicious traffic to cloud provider infrastructure,” said researchers. “Moreover, this kind of infrastructure uses HTTPS and the flow is encrypted that makes man-in-the-middle interception more complicated for the defender.”
Once the document is downloaded onto Google Drive, a command is then executed to download an image from a new Google Drive link (with a base64-encoded binary appended at the end). The filename of the image is either cartoon.jpg, img.jpg, or photo.jpg, and the image usually depicts a cartoon (such as the cartoon shown here), said researchers.
“It is interesting to note that the filename of the downloaded image is randomly generated based on a dictionary: Array (“cartoon,” “img,” “photo”),” they noted.
Once decoded, the base64 binary is an AutoIT binary, which drops a new file on Google Drive. This file contains the final payload, JhoneRAT, which starts by launching three threads: One responsible for checking if the system has a targeted keyboard layout (to check that the victim speaks Arabic), the second to create persistence, and the third to start the main cycle of the RAT.
From there, data exfiltration, (such as screenshots of the system) are sent via ImgBB, a free image hosting and sharing service. Commands are also sent by posting data to Google Forms (a survey administration app that is included in the Google Drive office suite); and files continue to be downloaded in Google Drive.
“This RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets,” said researchers.
The RAT also uses other techniques to avoid detection, virtual machines, and analysis. The macro contains a virtual machine detection technique based on the serial number of the disks available in the victim environment.
“Additionally the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities to the analyst. For example, the VM or the sandbox must have the keyboard layout of the targeted countries and a disk serial number,” said researchers.
Researchers said that the campaign is ongoing.
“At this time, the API key is revoked and the Twitter account is suspended. However, the attacker can easily create new accounts and update the malicious files in order to still work. This campaign shows us that network-based detection is important but must be completed by system behavior analysis,” they said.

Originally published at https://threatpost.com 

Comments

Popular posts from this blog

Ransomware's Dangerous New Trick Is Double-Encrypting Your Data

  Ransomware groups have always taken a more-is-more approach . If a victim pays a ransom and then goes back to business as usual-hit them again. Or don’t just encrypt a target’s systems; steal their data first, so you can threaten to leak it if they don’t pay up. The latest escalation? Ransomware hackers who encrypt a victim’s data twice at the same time. Double-encryption attacks have happened before, usually stemming from two separate ransomware gangs compromising the same victim at the same time. But antivirus company Emsisoft says it is aware of dozens of incidents in which the same actor or group intentionally layers two types of ransomware on top of each other. “The groups are constantly trying to work out which strategies are best , which net them the most money for the least amount of effort,” says Emsisoft threat analyst Brett Callow. “So in this approach you have a single actor deploying two types of ransomware. The victim decrypts their data and discovers it’s not act...

Babuk ransomware is back, uses new version on corporate networks

  After announcing their exit from the ransomware business in favor of data theft extortion, the Babuk gang appears to have slipped back into their old habit of encrypting corporate networks. The criminals are currently using a new version of their file-encrypting malware and have moved the operation to a new leak site that lists a handful of victims. Gang’s still in the game The Babuk ransomware group became known at the beginning of the year but the gang says that their attacks had started in mid-October 2020, targeting companies across the world and demanding ransoms typically between $60,000 and $85,000 in bitcoin cryptocurrency. In some cases, victims were asked hundreds of thousands for data decryption. One of their most publicized victims is the Washinton DC’s Metropolitan Police Department (MPD). This attack likely pushed the threat actor into announcing its retirement from the ransomware business only to adopt another extortion model that did not include encryption....

Microsoft Teams Phishing Attack Targets Office 365 Users

  Up to 50,000 Office 365 users are being targeted by a phishing campaign that purports to notify them of a “missed chat” from Microsoft Teams. Researchers are warning of a phishing campaign that pretends to be an automated message from Microsoft Teams. In reality, the attack aims to steal Office 365 recipients’ login credentials. Teams is Microsoft’s popular collaboration tool, which has particularly risen in popularity among remote workforces during the pandemic  — making it an attractive brand for attackers to impersonate. This particular campaign was sent to between 15,000 to 50,000 Office 365 users, according to researchers with Abnormal Security on Thursday. “Because Microsoft Teams is an instant-messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification,” said researchers in a Thursday analysis . The initial phishing email displays the name ...