22 January 2020

New JhoneRat malware targets Middle Eastern countries using multiple cloud services

Researchers from Cisco Talos have discovered a new sophisticated piece of malware that uses multiple cloud services, namely Twitter, ImgBB, Google Forms and Google Drive, to evade detection. The new Python-based remote access trojan (RAT), named JhoneRAT, targets a specific set of Arabic-speaking countries (selected by checking the keyboard layout of the infected system), including Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon. The campaign started in November 2019 and is still ongoing.

Once downloaded, the RAT collects information about the victim's computer and is also able to download additional payloads. Unlike similar malware, JhoneRAT was written from scratch and is not based on publicly available open-source code.

The malware is delivered via a series of weaponized Microsoft Word documents that ask the victim to enable editing. To avoid security mechanisms that detect macros in Word documents, the initial document does not contain any macros. Instead, it references an externally attached template hosted on Google Drive, which causes Microsoft Word to download a second document (the template) containing the malicious macro once the victim enables editing.
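The remote-template trick described above leaves a structural trace that a mail gateway or sandbox can check without executing anything: a .docx is a zip archive, and the attached-template reference lives in word/_rels/settings.xml.rels as a Relationship marked TargetMode="External". The following Python is an added example written for this article, not Talos code and not the JhoneRAT dropper; the placeholder URL and the minimal in-memory .docx fixture are constructed for the demo, while the relationship type and namespace URIs are the real OOXML values.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML relationship type and namespace that Word uses for an attached template.
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def find_remote_templates(docx_bytes):
    """Return every external attachedTemplate target found in a .docx.

    A template on disk is an internal relationship; a template that Word will
    fetch over the network is marked TargetMode="External" and carries the
    location in Target. Only the external ones are returned.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return targets
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") == ATTACHED_TEMPLATE_REL and rel.get("TargetMode") == "External":
                targets.append(rel.get("Target", ""))
    return targets


def has_remote_template(docx_bytes):
    """True when the document pulls its template from an http(s) location."""
    return any(re.match(r"https?://", t, re.I) for t in find_remote_templates(docx_bytes))


def build_sample_docx(template_url=None):
    """Build a minimal constructed .docx in memory (a test fixture, not a real sample).

    The body contains no macros at all; only the settings relationship points
    elsewhere, which is exactly the shape the article describes.
    """
    main_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            f'<Relationships xmlns="{REL_NS}">']
    if template_url is not None:
        rels.append(f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_REL}" '
                    f'Target="{template_url}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns='
                   '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   f'<?xml version="1.0"?><w:document xmlns:w="{main_ns}"><w:body/></w:document>')
        z.writestr("word/settings.xml",
                   f'<?xml version="1.0"?><w:settings xmlns:w="{main_ns}" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr(SETTINGS_RELS, "\n".join(rels))
    return buf.getvalue()


if __name__ == "__main__":
    url = "https://example.invalid/remote-template.dotm"  # placeholder, not a real indicator
    print(find_remote_templates(build_sample_docx(url)))   # ['https://example.invalid/remote-template.dotm']
    print(has_remote_template(build_sample_docx()))        # False
```

Because the check is purely structural, it catches the lure before any macro runs and is independent of which cloud host serves the template; the same relationship check also works on .docm and .dotx files, which use the same package layout.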

“The macro contains a virtual machine detection technique based on the serial number of the disks available in the victim environment. Indeed, some VMs do not have serial numbers and the macro is executed only if a serial number exists. A WMIC command is executed to get this information on the targeted system,” the researchers noted.

After the check has been completed, the macro in the template document then downloads a JPEG image, also from Google Drive. This file contains valid image data that looks like a normal picture. Appended to the end of the image file is Base64-encoded data that decodes to a binary executable malware file which downloads JhoneRAT.
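A JPEG with data appended after its End-Of-Image marker is easy to flag once the file is parsed properly. The added example below (written for this article; not Talos code and not the malware's own routine) walks the JPEG marker segments to find the real EOI, which matters because a naive search for the first FF D9 can stop at an EXIF thumbnail's EOI inside an APP1 segment. Everything after the image is then classified: whether it is base64 text and whether the decoded bytes start with the MZ header of a Windows executable. The sample JPEG and the fake "payload" are constructed fixtures; the fake payload is just the MZ magic followed by filler and is not an executable.

```python
import base64
import re

FAKE_PAYLOAD = b"MZ" + b"\x00" * 30 + b"constructed fake, not an executable"
SAMPLE_TRAILER = base64.b64encode(FAKE_PAYLOAD)


def jpeg_end_offset(data):
    """Walk the JPEG marker segments and return the offset just past the EOI marker.

    Segments carrying a length field (APPn, DQT, DHT, SOF, ...) are skipped whole,
    so a thumbnail's own FFD8...FFD9 inside APP1 is never mistaken for the end of
    the image. After SOS the entropy-coded data is scanned for the next real
    marker (FF followed by anything but 00 or an RSTn byte).
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker; not a JPEG")
    pos, n = 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                               # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:     # standalone markers (TEM, RSTn)
            pos += 2
            continue
        if pos + 3 >= n:
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len
        if marker == 0xDA:                               # SOS: skip entropy-coded data
            while pos + 1 < n and not (data[pos] == 0xFF and data[pos + 1] != 0x00
                                       and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1
    raise ValueError("no EOI marker found")


def split_image_and_trailer(data):
    """Return (image_bytes, trailer_bytes); the trailer is whatever follows EOI."""
    end = jpeg_end_offset(data)
    return data[:end], data[end:]


def analyse_trailer(trailer):
    """Describe what follows the image: nothing, base64 text (and if it decodes to a PE), or raw bytes."""
    info = {"trailer_len": len(trailer), "base64": False, "decoded_is_pe": False}
    body = trailer.strip()
    if not body:
        return info
    if re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", body):
        try:
            decoded = base64.b64decode(body)
        except ValueError:          # binascii.Error is a ValueError subclass
            return info
        info["base64"] = True
        info["decoded_is_pe"] = decoded[:2] == b"MZ"   # DOS/PE header magic
    return info


def build_sample_jpeg(trailer=b""):
    """Constructed JPEG skeleton: valid marker structure, not a decodable picture.

    It includes an APP1 segment with an embedded FFD8/FFD9 pair (like an EXIF
    thumbnail) to show why marker walking beats a plain byte search.
    """
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    thumb = b"\xff\xd8\xff\xd9"
    app1 = b"\xff\xe1" + (2 + 6 + len(thumb)).to_bytes(2, "big") + b"Exif\x00\x00" + thumb
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # stuffed FF00 and an RST0 inside the scan
    eoi = b"\xff\xd9"
    return soi + app0 + app1 + sos + scan + eoi + trailer


if __name__ == "__main__":
    sample = build_sample_jpeg(SAMPLE_TRAILER)
    image, trailer = split_image_and_trailer(sample)
    print(len(image), sample.find(b"\xff\xd9"))   # 54 32  (naive search stops at the thumbnail)
    print(analyse_trailer(trailer))               # {'trailer_len': 92, 'base64': True, 'decoded_is_pe': True}
```

On the constructed sample the naive `find(b"\xff\xd9")` lands at offset 32, inside the APP1 thumbnail, while the marker walk correctly reports that the image ends at offset 54; a trailer that is base64 text decoding to an MZ header is a strong signal for a file that should never reach an endpoint as "just a picture".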

The malware uses three different cloud services to perform all its command and control (C2) activities - a Twitter account (to retrieve instructions from its C2 server every ten seconds), ImgBB (to upload screenshots and download additional payloads), and Google Forms (to send the stolen data to the RAT’s operator).
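Traffic to Twitter, ImgBB and Google Forms is ordinary in most networks, so the hostnames alone are weak indicators; the fixed ten-second polling interval is the more durable signal. The added example below (written for this article, not Talos code) runs a simple periodicity check over constructed proxy log lines: requests are grouped by destination host and originating process, the gaps between consecutive requests are compared with their median, and a pair whose gaps all stay within a jitter tolerance is reported with its period. The log lines, process names, thresholds and log format are all assumptions made for the demo.

```python
import statistics
from datetime import datetime

# Constructed proxy log (not real telemetry): "<ISO timestamp> <destination host> <process>".
# python.exe polls twitter.com every 10 s; chrome.exe visits it at human, irregular intervals.
SAMPLE_LOG = """\
2019-11-20T10:00:00 twitter.com python.exe
2019-11-20T10:00:03 twitter.com chrome.exe
2019-11-20T10:00:10 twitter.com python.exe
2019-11-20T10:00:20 twitter.com python.exe
2019-11-20T10:00:30 twitter.com python.exe
2019-11-20T10:00:35 imgbb.com python.exe
2019-11-20T10:00:40 twitter.com python.exe
2019-11-20T10:00:41 twitter.com chrome.exe
2019-11-20T10:00:50 twitter.com python.exe
2019-11-20T10:01:00 twitter.com python.exe
2019-11-20T10:02:15 twitter.com chrome.exe
2019-11-20T10:05:02 twitter.com chrome.exe
2019-11-20T10:05:09 twitter.com chrome.exe
2019-11-20T10:09:40 twitter.com chrome.exe
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, host, process) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc = line.split()
        records.append((datetime.fromisoformat(ts), host, proc))
    return records


def find_beacons(records, min_requests=6, max_jitter=0.15):
    """Flag (host, process) pairs whose requests arrive at a near-constant interval.

    For each pair the request times are sorted, the gaps between consecutive
    requests are computed, and every gap is compared with the median gap. If all
    gaps lie within max_jitter (a fraction of the median) the traffic is treated
    as periodic and the median period in seconds is reported. Both thresholds are
    assumptions chosen for this demo, not values from the article.
    """
    by_pair = {}
    for ts, host, proc in records:
        by_pair.setdefault((host, proc), []).append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:          # too few samples to call it periodic
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period <= 0:
            continue
        if all(abs(g - period) / period <= max_jitter for g in gaps):
            beacons[pair] = period
    return beacons


if __name__ == "__main__":
    print(find_beacons(parse_log(SAMPLE_LOG)))   # {('twitter.com', 'python.exe'): 10.0}
```

The browser's visits to the same host are not flagged because their gaps vary by far more than 15 percent, and the single ImgBB request is below the minimum sample count; in a real deployment the process name would come from an endpoint agent or an authenticating proxy, and the interval window would be tuned against the organisation's own baseline.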

“This campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries. It also shows us an actor that puts effort in opsec by only using cloud providers. The malicious documents, the droppers and the RAT itself are developed around cloud providers. Additionally the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities to the analyst,” the research team concludes.
