Researchers at Cisco Talos are warning of a new remote access trojan (RAT) dubbed JhoneRAT, targeting victims in the Middle East.
Researchers explained that JhoneRAT is sent to victims via malicious Microsoft Office documents.
Three malicious documents distributing JhoneRAT were identified. The oldest, from November 2019, is named “Urgent.docx”. The second, “fb.docx”, is from January 2020 and contains usernames and passwords from an alleged Facebook leak.
The third and most recent document is from mid-January 2020 and purports to come from an organisation in the United Arab Emirates.
The content of the documents is blurred, so the user is prompted to enable editing to see it. When the user enables editing (or, in some cases, simply opens the document), an additional Office document with an embedded macro is downloaded from Google Drive.
The attackers utilise multiple cloud services, including Google Drive, Twitter and Google Forms to eventually download the payload.
“The fact that this attacker decided to leverage cloud services and four different services — and not their own infrastructure — is smart from an opsec point of view,” the researchers say.
“It is hard for the targets to identify legitimate and malicious traffic to cloud provider infrastructure. Moreover, this kind of infrastructure uses HTTPS and the flow is encrypted, which makes man-in-the-middle interception more complicated for the defender. It is not the first time an attacker used only cloud providers.”
Once that second document is opened, its macro downloads an image from another Google Drive link; the image's file name is chosen at random from a word list. The researchers note that the file is a genuine image with a base64-encoded binary appended after the end of the image data.
Once decoded, that binary downloads a further file from Google Drive, which contains the final payload. JhoneRAT starts by launching three threads: one checks whether the system uses one of the targeted keyboard layouts, one sets up persistence, and one runs the RAT's main loop.
From there, screenshots of the system are uploaded to the ImgBB image-hosting service, commands received over Twitter are executed, and their output is sent back through Google Forms.
“This RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets,” said researchers.
Researchers explained that the campaign has been ongoing since November 2019.
“At this time, the API key is revoked and the Twitter account is suspended. However, the attacker can easily create new accounts and update the malicious files in order to still work. This campaign shows us that network-based detection is important but must be completed by system behavior analysis,” they said.
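The researchers' point that network-based detection must be complemented by system behaviour analysis can be made concrete: traffic to Twitter, Google Drive, Google Forms and ImgBB looks legitimate on its own, but a non-browser process polling one of them every 10 seconds, an Office application spawning a child process, and a single process touching several of these services together do not. The following is an added example written for this article, not Cisco Talos tooling: it runs three such checks over constructed EDR-style JSON-lines telemetry. The hostnames, event format, process names and thresholds are assumptions for the example; the page names the services, not the endpoints.

```python
import json
import statistics
from collections import defaultdict

# Services the page names as download, C2 and exfiltration channels.
# Exact hostnames are assumptions for this example.
CLOUD_C2_HOSTS = {"twitter.com", "drive.google.com", "docs.google.com", "api.imgbb.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed telemetry: "ts" is seconds; a browser visits twitter.com at
# irregular times, a Word-spawned process polls it every 10 s, then uploads
# to ImgBB and posts to Google Forms.
SAMPLE_EVENTS = """
{"ts": 0,   "type": "process", "pid": 100, "image": "winword.exe", "parent": "explorer.exe"}
{"ts": 3,   "type": "network", "pid": 55,  "image": "chrome.exe",  "host": "twitter.com"}
{"ts": 6,   "type": "network", "pid": 100, "image": "winword.exe", "host": "drive.google.com"}
{"ts": 8,   "type": "process", "pid": 200, "image": "updater.exe", "parent": "winword.exe"}
{"ts": 10,  "type": "network", "pid": 200, "image": "updater.exe", "host": "twitter.com"}
{"ts": 20,  "type": "network", "pid": 200, "image": "updater.exe", "host": "twitter.com"}
{"ts": 30,  "type": "network", "pid": 200, "image": "updater.exe", "host": "twitter.com"}
{"ts": 40,  "type": "network", "pid": 200, "image": "updater.exe", "host": "twitter.com"}
{"ts": 47,  "type": "network", "pid": 55,  "image": "chrome.exe",  "host": "twitter.com"}
{"ts": 50,  "type": "network", "pid": 200, "image": "updater.exe", "host": "twitter.com"}
{"ts": 60,  "type": "network", "pid": 200, "image": "updater.exe", "host": "twitter.com"}
{"ts": 61,  "type": "network", "pid": 200, "image": "updater.exe", "host": "api.imgbb.com"}
{"ts": 62,  "type": "network", "pid": 200, "image": "updater.exe", "host": "docs.google.com"}
{"ts": 300, "type": "network", "pid": 55,  "image": "chrome.exe",  "host": "twitter.com"}
"""


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _cloud_events(events):
    """Network events to a listed cloud host from anything that is not a browser."""
    return [e for e in events
            if e["type"] == "network" and e["host"] in CLOUD_C2_HOSTS
            and e["image"].lower() not in BROWSERS]


def office_children(events):
    """Office application spawning a child process: the usual sign of a macro running."""
    return [{"parent": e["parent"], "child": e["image"], "pid": e["pid"]}
            for e in events
            if e["type"] == "process" and e["parent"].lower() in OFFICE_APPS]


def periodic_cloud_beacons(events, min_hits=5, max_jitter=2.0):
    """Non-browser process contacting one cloud host at a near-constant interval."""
    times = defaultdict(list)
    for e in _cloud_events(events):
        times[(e["pid"], e["image"], e["host"])].append(e["ts"])
    findings = []
    for (pid, image, host), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if statistics.pstdev(gaps) <= max_jitter:      # regular cadence, not browsing
            findings.append({"pid": pid, "image": image, "host": host,
                             "interval": statistics.median(gaps), "hits": len(ts)})
    return findings


def multi_service_processes(events):
    """Non-browser processes that use two or more of the listed services."""
    hosts = defaultdict(set)
    for e in _cloud_events(events):
        hosts[e["pid"]].add(e["host"])
    return {pid: sorted(h) for pid, h in hosts.items() if len(h) >= 2}


def run_detection(text):
    events = parse_events(text)
    return {"office_children": office_children(events),
            "beacons": periodic_cloud_beacons(events),
            "multi_service": multi_service_processes(events)}


if __name__ == "__main__":
    print(json.dumps(run_detection(SAMPLE_EVENTS), indent=2))
```

None of the three checks depends on the specific account, API key or file that was taken down; they key on behaviour that survives the attacker creating new accounts, which is the researchers' point about complementing network indicators with host telemetry.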
The post #Privacy: New JhoneRAT malware has appeared in the Middle East appeared first on PrivSec Report.