
New JhoneRAT Malware Targets Middle East



Researchers say that JhoneRAT has various anti-detection techniques — including making use of Google Drive, Google Forms and Twitter.
Researchers are warning of a new remote access trojan (RAT), dubbed JhoneRAT, which is being distributed as part of an active campaign, ongoing since November 2019, that targets victims in the Middle East. Once downloaded, the RAT gathers information on the victims’ computers and is also able to download additional payloads.
Evidence shows that the attackers behind JhoneRAT have taken extra steps to ensure the RAT is being distributed to Arabic-speaking victims. Researchers note that the attackers have also made use of various cloud services, such as Google Drive and Google Forms, as part of the payload’s infection process.
“The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers,” said researchers with Cisco Talos in a Thursday analysis. “JhoneRAT is developed in Python but not based on public source code, as it is often the case for this type of malware. The attackers put great effort to carefully select the targets located in specific countries based on the victim’s keyboard layout.”
The RAT is first spread to victims via malicious Microsoft Office documents. Threatpost has reached out to researchers to clarify whether those documents are spread via email or other methods.
Researchers identified three malicious documents distributing JhoneRAT: the oldest, from November 2019, is called “Urgent.docx.” The second document is from the beginning of January 2019, named “fb.docx,” and contains usernames and passwords from an alleged “Facebook” leak. A final, more recent document is from mid-January and purports to be from a United Arab Emirates organization. The author blurred the document’s content and asks the user to enable editing in order to see it.
Once the user opens the document or enables editing, the malicious document downloads an additional Office document, with an embedded macro, from Google Drive.
Interestingly, the attackers use multiple cloud services — Google Drive, Twitter, and Google Forms, for instance — to eventually download the payload. While it should be noted that this is not the first time an attacker used cloud provider platforms in this way, researchers say this method helps the bad actor evade detection and defenders.
“It is hard for the targets to identify legitimate and malicious traffic to cloud provider infrastructure,” said researchers. “Moreover, this kind of infrastructure uses HTTPS and the flow is encrypted that makes man-in-the-middle interception more complicated for the defender.”
Once the document is downloaded from Google Drive, a command is executed to download an image from a second Google Drive link (with a base64-encoded binary appended at the end). The filename of the image is either cartoon.jpg, img.jpg or photo.jpg, and the image usually depicts a cartoon (such as the cartoon shown here), said researchers.
“It is interesting to note that the filename of the downloaded image is randomly generated based on a dictionary: Array (“cartoon,” “img,” “photo”),” they noted.
Once decoded, the base64 binary is an AutoIT binary, which downloads a new file from Google Drive. This file contains the final payload, JhoneRAT, which starts by launching three threads: one responsible for checking whether the system has a targeted keyboard layout (to verify that the victim speaks Arabic), a second to create persistence, and a third to start the main cycle of the RAT.
From there, exfiltrated data (such as screenshots of the system) is sent via ImgBB, a free image hosting and sharing service. Commands are also sent by posting data to Google Forms (a survey administration app that is included in the Google Drive office suite), and files continue to be downloaded from Google Drive.
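The image stage above (a cartoon JPEG with a base64-encoded binary appended after the picture data) is easy to triage at a proxy or in a sandbox. The following is an added example, not code from the article or from Cisco Talos: it locates the JPEG End-Of-Image marker, decodes whatever trails it, and reports whether the tail looks like a Windows executable. The sample image and the fake 32-byte "binary" are constructed stubs.

```python
import base64
import binascii
import re
from typing import Optional

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

def trailing_data(image: bytes) -> bytes:
    """Return whatever follows the last End-Of-Image marker; a clean JPEG returns b''."""
    if not image.startswith(JPEG_SOI):
        raise ValueError("not a JPEG")
    end = image.rfind(JPEG_EOI)
    if end == -1:
        raise ValueError("no EOI marker")
    return image[end + len(JPEG_EOI):]

def appended_payload(image: bytes) -> Optional[bytes]:
    """Decode a base64 blob appended after the image, or None if the tail is not base64."""
    tail = b"".join(trailing_data(image).split())  # tolerate line breaks inside the blob
    if not tail or not B64_RE.match(tail):
        return None
    try:
        return base64.b64decode(tail, validate=True)
    except binascii.Error:
        return None

def triage(image: bytes) -> dict:
    """Summarise the tail of a downloaded image for a triage queue."""
    payload = appended_payload(image)
    return {
        "trailing_bytes": len(trailing_data(image)),
        "base64_payload": payload is not None,
        "payload_size": len(payload) if payload else 0,
        "looks_like_pe": payload is not None and payload[:2] == b"MZ",
    }

# Constructed samples: a stub JPEG header and a fake 32-byte "binary" starting with the PE magic.
CLEAN_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI
FAKE_BINARY = b"MZ" + b"\x90" * 30
STAGED_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_BINARY)
```

Any non-empty tail after the EOI marker is already worth a look; the base64 and PE checks only rank the queue.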
“This RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets,” said researchers.
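Because the C2 traffic is ordinary HTTPS to a legitimate cloud provider, the content cannot be inspected, but the 10-second polling cadence quoted above is still visible in proxy metadata. The following is an added example, not from the article or from Cisco Talos: it groups CONNECT records by client and destination host and flags pairs that reconnect on a near-fixed schedule. The log format and the sample lines are constructed for this example.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed proxy log format (constructed for this example): "<ISO time> <client IP> CONNECT <host>:443 <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) CONNECT ([^:\s]+):443 \d{3}$")

def parse_connects(lines):
    """Group CONNECT timestamps by (client, destination host); lines that do not match are skipped."""
    sessions = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            sessions[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
    return sessions

def cadence(times, min_hits=4):
    """Median gap between connections in seconds and its relative jitter, or None if too few hits."""
    times = sorted(times)
    if len(times) < min_hits:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = statistics.median(gaps)
    if median <= 0:  # a burst within one second is not a schedule
        return None
    return median, max(abs(g - median) for g in gaps) / median

def find_beacons(lines, min_hits=4, max_jitter=0.15):
    """Return (client, host, median_gap) for pairs that reconnect on a near-fixed schedule."""
    found = []
    for (client, host), times in parse_connects(lines).items():
        c = cadence(times, min_hits)
        if c is not None and c[1] <= max_jitter:
            found.append((client, host, c[0]))
    return found

# Constructed sample: 10.0.0.5 reconnects to twitter.com about every 10 s (the polling cadence
# the article describes); 10.0.0.7 visits the same host at irregular, human intervals.
SAMPLE_LOG = [
    "2020-01-16T10:00:00 10.0.0.5 CONNECT twitter.com:443 200",
    "2020-01-16T10:00:05 10.0.0.7 CONNECT twitter.com:443 200",
    "2020-01-16T10:00:10 10.0.0.5 CONNECT twitter.com:443 200",
    "2020-01-16T10:00:09 10.0.0.7 CONNECT twitter.com:443 200",
    "2020-01-16T10:00:21 10.0.0.5 CONNECT twitter.com:443 200",
    "2020-01-16T10:00:31 10.0.0.5 CONNECT twitter.com:443 200",
    "2020-01-16T10:00:45 10.0.0.7 CONNECT twitter.com:443 200",
    "2020-01-16T10:00:40 10.0.0.5 CONNECT twitter.com:443 200",
    "2020-01-16T10:02:30 10.0.0.7 CONNECT twitter.com:443 200",
]
```

On a real proxy the host would come from the TLS SNI or CONNECT header, and the thresholds need tuning against the legitimate clients that also poll cloud services.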
The RAT also uses techniques to evade detection, virtual machines and analysis. The macro contains a virtual-machine detection check based on the serial numbers of the disks available in the victim environment.
“Additionally, the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities from the analyst. For example, the VM or the sandbox must have the keyboard layout of the targeted countries and a disk serial number,” said researchers.
Researchers said that the campaign is ongoing.
“At this time, the API key is revoked and the Twitter account is suspended. However, the attacker can easily create new accounts and update the malicious files in order to still work. This campaign shows us that network-based detection is important but must be completed by system behavior analysis,” they said.

Originally published at https://threatpost.com 
