
New JhoneRAT Malware Targets Middle East



Researchers say that JhoneRAT has various anti-detection techniques — including making use of Google Drive, Google Forms and Twitter.
Researchers are warning of a new remote access trojan (RAT), dubbed JhoneRAT, which is being distributed as part of an active campaign, ongoing since November 2019, that targets victims in the Middle East. Once downloaded, the RAT gathers information on the victims’ computers and is also able to download additional payloads.
Evidence shows that the attackers behind JhoneRAT have taken extra steps to ensure the RAT is being distributed to Arabic-speaking victims. Researchers note that the attackers have also made use of various cloud services, such as Google Drive and Google Forms, as part of the payload’s infection process.
“The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers,” said researchers with Cisco Talos in a Thursday analysis. “JhoneRAT is developed in Python but not based on public source code, as is often the case for this type of malware. The attackers put great effort into carefully selecting the targets located in specific countries based on the victim’s keyboard layout.”
The RAT is first spread to victims via malicious Microsoft Office documents. Threatpost has reached out to researchers to clarify whether those documents are spread via email or other methods.
Researchers identified three malicious documents distributing JhoneRAT: the oldest, from November 2019, is called “Urgent.docx.” The second, from the beginning of January 2019, is named “fb.docx” and contains usernames and passwords from an alleged “Facebook” leak. A final, more recent document from mid-January purports to be from a United Arab Emirates organization; its author blurred the document’s content and asks the user to enable editing to see it.
Once the user either opens the document or enables editing, the malicious document downloads an additional Office document, with an embedded macro, from Google Drive.
Interestingly, the attackers use multiple cloud services — Google Drive, Twitter, and Google Forms, for instance — to eventually download the payload. While it should be noted that this is not the first time an attacker used cloud provider platforms in this way, researchers say this method helps the bad actor evade detection and defenders.
“It is hard for the targets to identify legitimate and malicious traffic to cloud provider infrastructure,” said researchers. “Moreover, this kind of infrastructure uses HTTPS and the flow is encrypted that makes man-in-the-middle interception more complicated for the defender.”
Once the document is downloaded from Google Drive, a command is executed to download an image from a new Google Drive link, with a base64-encoded binary appended at the end. The filename of the image is either cartoon.jpg, img.jpg or photo.jpg, and the image usually depicts a cartoon, said researchers.
“It is interesting to note that the filename of the downloaded image is randomly generated based on a dictionary: Array (“cartoon,” “img,” “photo”),” they noted.
Once decoded, the base64 binary is an AutoIT binary, which downloads a new file from Google Drive. This file contains the final payload, JhoneRAT, which starts by launching three threads: one checks whether the system has a targeted keyboard layout (to confirm that the victim speaks Arabic), the second creates persistence, and the third starts the RAT’s main loop.
From there, exfiltrated data (such as screenshots of the system) is sent via ImgBB, a free image hosting and sharing service. Commands are also sent by posting data to Google Forms (a survey administration app included in the Google Drive office suite), and files continue to be downloaded from Google Drive.
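The loader described above hides its next stage by appending a base64-encoded binary to an ordinary-looking JPEG. The following is an added defender-side example, not code from the Talos write-up or from the malware: it scans an image for bytes trailing the JPEG end-of-image marker and reports whether they decode to something that starts like a Windows executable. It assumes the appended data sits after the EOI marker (the article only says “at the end”), and every sample byte string is constructed for the demo.

```python
"""Added example: flag JPEGs that carry base64-encoded data after the EOI marker.
Not the campaign's code; all sample bytes here are constructed."""
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/=]+$")


def trailing_data(image: bytes) -> bytes:
    """Return whatever follows the last EOI marker (empty for a clean file).
    base64 text is pure ASCII, so it can never contain FF D9 and rfind is safe."""
    if not image.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    end = image.rfind(JPEG_EOI)
    if end == -1:
        raise ValueError("truncated JPEG: no EOI marker")
    return image[end + len(JPEG_EOI):]


def analyse_image(image: bytes) -> dict:
    """Classify the trailer: how many bytes, whether they are valid base64,
    and whether the decoded blob begins with the 'MZ' executable header."""
    tail = re.sub(rb"\s", b"", trailing_data(image))  # tolerate wrapped base64
    verdict = {"appended_bytes": len(tail), "base64": False, "pe_header": False}
    if tail and B64_ALPHABET.match(tail):
        try:
            decoded = base64.b64decode(tail, validate=True)
        except (binascii.Error, ValueError):
            decoded = b""
        if decoded:
            verdict["base64"] = True
            verdict["pe_header"] = decoded.startswith(b"MZ")
    return verdict


# Constructed samples: a minimal SOI/APP0/EOI "image" with and without a trailer.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x02" + JPEG_EOI
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"  # constructed stand-in, not a real binary
APPENDED_B64 = base64.b64encode(FAKE_PE)       # 68 bytes -> 92 base64 characters
SUSPICIOUS_JPEG = CLEAN_JPEG + APPENDED_B64

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("appended", SUSPICIOUS_JPEG)):
        print(name, analyse_image(blob))
```

A real image viewer renders both files identically, which is exactly why a trailer check belongs in the mail gateway or endpoint pipeline rather than relying on the file extension.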
“This RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets,” said researchers.
The RAT also uses other techniques to evade detection, virtual machines and analysis. The macro contains a virtual-machine detection check based on the serial numbers of the disks available in the victim’s environment.
“Additionally, the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities from the analyst. For example, the VM or the sandbox must have the keyboard layout of the targeted countries and a disk serial number,” said researchers.
Researchers said that the campaign is ongoing.
“At this time, the API key is revoked and the Twitter account is suspended. However, the attacker can easily create new accounts and update the malicious files in order to still work. This campaign shows us that network-based detection is important but must be completed by system behavior analysis,” they said.

Originally published at https://threatpost.com 
