22 January 2020

New JhoneRat malware targets Middle Eastern countries using multiple cloud services

Researchers from Cisco Talos have discovered a new, sophisticated piece of malware that uses multiple cloud services (Twitter, ImgBB, Google Forms and Google Drive) to evade detection. The new Python-based remote access trojan (RAT), named JhoneRAT, targets a specific set of Arabic-speaking countries (it checks the keyboard layout of the infected system), including Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon. The campaign started in November 2019 and is still ongoing.

Once downloaded, the RAT collects information about the victim's computer and can also download additional payloads. Unlike similar malware, JhoneRAT is written from scratch rather than being based on open-source code.

The malware is delivered via a series of weaponized Microsoft Word documents that ask the victim to enable editing. To evade security mechanisms that detect macros in Word documents, the initial document contains no macros at all. Instead, it references an externally attached template hosted on Google Drive; if the victim enables editing, Microsoft Word downloads that template, which is the document that actually contains the malicious macro.

“The macro contains a virtual machine detection technique based on the serial number of the disks available in the victim environment. Indeed, some VMs do not have serial numbers and the macro is executed only if a serial number exists. A WMIC command is executed to get this information on the targeted system,” the researchers noted.

After the check has been completed, the macro in the template document downloads a JPEG image, also from Google Drive. The file contains valid image data that renders as a normal picture. Appended to the end of the image file is Base64-encoded data that decodes to an executable, which in turn downloads JhoneRAT.
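Because the Base64 blob is simply appended after the JPEG, it sits past the image's End-Of-Image marker and is invisible to any viewer. The following added example (my own code, not from Talos or the campaign) shows the forensic check for that: find the last EOI marker, treat whatever follows as a candidate payload, and report whether it decodes to something that starts with the `MZ` executable header. The "image" below is a constructed stub, not a real picture, and the appended payload is a constructed dummy, not the real dropper.

```python
import base64
import binascii
import re
from typing import Optional, Dict

JPEG_SOI = b"\xff\xd8"   # Start Of Image
JPEG_EOI = b"\xff\xd9"   # End Of Image
B64_CHARS = re.compile(rb"[A-Za-z0-9+/=\r\n]+")


def trailing_bytes_after_jpeg(data: bytes) -> bytes:
    """Return whatever follows the last JPEG End-Of-Image marker (empty if nothing does)."""
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        return b""
    # Base64 text never contains 0xFF, so the last FF D9 is always inside the image part.
    return data[eoi + 2:]


def decode_appended_payload(data: bytes) -> Optional[Dict[str, object]]:
    """Describe an appended Base64 payload, or return None when the file ends cleanly."""
    tail = trailing_bytes_after_jpeg(data).strip()
    if not tail or not B64_CHARS.fullmatch(tail):
        return None
    try:
        decoded = base64.b64decode(tail)
    except (binascii.Error, ValueError):
        return None
    return {
        "appended_size": len(tail),
        "decoded_size": len(decoded),
        "looks_like_pe": decoded.startswith(b"MZ"),
    }


def build_sample_image(payload: Optional[bytes]) -> bytes:
    """Constructed JPEG-shaped stub (SOI, filler, EOI) with an optional appended blob."""
    image = JPEG_SOI + b"\x00" * 32 + JPEG_EOI
    if payload is None:
        return image
    return image + base64.b64encode(payload)


# Constructed dummy executable: MZ header followed by padding, not a real binary.
FAKE_PE = b"MZ" + b"\x00" * 62

if __name__ == "__main__":
    print(decode_appended_payload(build_sample_image(FAKE_PE)))
    print(decode_appended_payload(build_sample_image(None)))
```

The same two-step check (locate the format's real end, then inspect the remainder) generalises to other carrier formats; the EOI marker is the JPEG-specific part.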

The malware uses three different cloud services to perform all its command and control (C2) activities - a Twitter account (to retrieve instructions from its C2 server every ten seconds), ImgBB (to upload screenshots and download additional payloads), and Google Forms (to send the stolen data to the RAT’s operator).
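Tasking fetched from a public web service on a fixed ten-second schedule is hard to block by destination, since the destination is legitimate, but the regularity itself is observable. The following added example (not Talos' code and not derived from the campaign) runs a simple beacon detector over a constructed proxy log: it groups requests by source, host and User-Agent, computes the inter-request intervals, and flags flows whose median interval matches the expected period with low jitter. The hosts, IPs and User-Agent strings are constructed sample values; the detector itself is generic and is not tied to Twitter.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FlowKey = Tuple[str, str, str]   # (source IP, destination host, user agent)


def _build_sample_log() -> List[str]:
    """Constructed proxy log lines: '<ISO timestamp>Z <src_ip> <host> <user-agent>'."""
    base = datetime(2019, 11, 20, 10, 0, 0)
    lines = []
    # One host polls twitter.com every 10 seconds from a scripting client.
    for i in range(12):
        ts = (base + timedelta(seconds=10 * i)).isoformat() + "Z"
        lines.append(f"{ts} 10.0.0.5 twitter.com python-requests/2.22.0")
    # Another host browses the same site at irregular, human-looking intervals.
    for off in (3, 47, 61, 130, 131, 600):
        ts = (base + timedelta(seconds=off)).isoformat() + "Z"
        lines.append(f"{ts} 10.0.0.9 twitter.com Mozilla/5.0")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    ts, src, host, ua = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, ua


def find_beacons(lines: List[str], expected_interval: float = 10.0,
                 tolerance: float = 1.0, min_requests: int = 6) -> Dict[FlowKey, float]:
    """Return {flow: median_interval} for flows polling at a fixed period."""
    stamps: Dict[FlowKey, List[datetime]] = defaultdict(list)
    for line in lines:
        ts, src, host, ua = parse_line(line)
        stamps[(src, host, ua)].append(ts)

    flagged: Dict[FlowKey, float] = {}
    for key, times in stamps.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        jitter = max(abs(g - median) for g in gaps)
        if abs(median - expected_interval) <= tolerance and jitter <= tolerance:
            flagged[key] = median
    return flagged


if __name__ == "__main__":
    for (src, host, ua), period in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {host} ({ua}) polls every {period:.0f}s")
```

In practice the expected interval is unknown, so a production version would flag any flow with low jitter relative to its own median rather than a fixed 10 seconds; the fixed value here mirrors the cadence the article reports.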

“This campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries. It also shows us an actor that puts effort in opsec by only using cloud providers. The malicious documents, the droppers and the RAT itself are developed around cloud providers. Additionally, the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities from the analyst,” the research team concludes.
