22 January 2020

New JhoneRat malware targets Middle Eastern countries using multiple cloud services

Researchers from Cisco Talos have discovered a new piece of malware that relies on multiple cloud services, among them Twitter, ImgBB, Google Forms and Google Drive, for delivery and command and control, so that its traffic blends in with legitimate use of those services. The new Python-based remote access trojan (RAT), named JhoneRAT, targets a specific set of Arabic-speaking countries (selected by checking the keyboard layout of the infected system), including Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon. The campaign started in November 2019 and is still ongoing.

Once running, the RAT collects information about the victim's computer and can also download and execute additional payloads. Unlike many similar tools, JhoneRAT was written from scratch rather than built on publicly available open-source RAT code.

The malware is delivered via a series of weaponized Microsoft Word documents that ask the victim to enable editing. To evade security mechanisms that inspect Word documents for macros, the initial document contains no macro at all. Instead, it references an externally attached template hosted on Google Drive, so when the victim enables editing, Word downloads that second document (the template), which carries the malicious macro.
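The remote-template trick leaves a clear indicator in the document itself: an `attachedTemplate` relationship with `TargetMode="External"` and an http(s) target. The following Python check is an added example, not code from the article or from Cisco Talos. It builds a constructed, minimal .docx-style archive (not Word-valid and not a real sample) with and without such a relationship, and scans every `.rels` part for the pattern; the Google Drive target URL is a placeholder, not an indicator from the campaign.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for an attached (.dotm/.dotx) template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Default namespace of every *.rels part inside an OOXML package.
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def find_external_templates(docx_bytes: bytes) -> list:
    """Return the Target of every relationship pointing at an external template.

    A benign .docx either has no attachedTemplate relationship or one whose
    target is internal (or a local path). TargetMode="External" with a remote
    target is the remote-template-injection pattern: Word fetches and applies
    that template, macros included, when the document is opened.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                external = rel.get("TargetMode", "Internal").lower() == "external"
                if rel.get("Type") == ATTACHED_TEMPLATE and external:
                    targets.append(rel.get("Target"))
    return targets


def build_sample_docx(template_target=None) -> bytes:
    """Constructed minimal archive in .docx layout (not a real sample and not
    valid for Word). Optionally adds the external attachedTemplate relationship
    that a remote-template lure carries in word/_rels/settings.xml.rels."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        rels = ET.Element(RELS_NS + "Relationships")
        if template_target is not None:
            ET.SubElement(
                rels, RELS_NS + "Relationship",
                Id="rId1", Type=ATTACHED_TEMPLATE,
                Target=template_target, TargetMode="External",
            )
        zf.writestr("word/_rels/settings.xml.rels",
                    ET.tostring(rels, encoding="unicode"))
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder URL (assumption), not an indicator from the real campaign.
    lure = build_sample_docx("https://drive.google.com/uc?export=download&id=CONSTRUCTED")
    print("clean :", find_external_templates(build_sample_docx()))
    print("lure  :", find_external_templates(lure))
```

Scanning every `.rels` part, rather than only `word/_rels/settings.xml.rels`, also catches the same relationship placed in a less usual location. Word will still follow it from wherever the settings part references it.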

“The macro contains a virtual machine detection technique based on the serial number of the disks available in the victim environment. Indeed, some VMs do not have serial numbers and the macro is executed only if a serial number exists. A WMIC command is executed to get this information on the targeted system,” the researchers noted.

Once the check passes, the macro in the template document downloads a JPEG image, also from Google Drive. The file contains valid image data and renders as an ordinary picture. Appended after the end of the image is Base64-encoded data that decodes to a binary executable, which in turn downloads JhoneRAT.
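Data appended to a JPEG is easy to carve once you know where the image ends: the last End Of Image marker (`FF D9`). The Python below is an added example, not code from the article or from Cisco Talos. It splits a file at that marker, Base64-decodes whatever follows and checks for an `MZ` header; the JPEG stub and the payload bytes it builds are constructed placeholders (the stub is not a decodable picture), not bytes from the real campaign.

```python
import base64
import binascii
import re

JPEG_SOI = b"\xff\xd8"   # Start Of Image
JPEG_EOI = b"\xff\xd9"   # End Of Image
BASE64_BODY = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def split_jpeg_trailer(data: bytes):
    """Return (image_bytes, trailer_bytes), splitting after the last EOI marker.

    rfind is used because embedded EXIF thumbnails carry their own EOI; the
    final one closes the outer image. A trailer of raw (non-Base64) data that
    itself contains FF D9 would fool this, but Base64 text never does.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        raise ValueError("not a JPEG: missing EOI marker")
    end = eoi + len(JPEG_EOI)
    return data[:end], data[end:]


def extract_appended_payload(data: bytes):
    """Return the decoded trailer, the raw trailer if it is not Base64, or None."""
    _, trailer = split_jpeg_trailer(data)
    compact = re.sub(rb"\s+", b"", trailer)      # tolerate line-wrapped Base64
    if not compact:
        return None
    if not BASE64_BODY.match(compact) or len(compact) % 4:
        return compact                            # non-Base64 trailer: still suspicious
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error:
        return compact


def looks_like_pe(blob) -> bool:
    """Cheap triage: a Windows executable starts with the 'MZ' DOS header."""
    return blob is not None and blob[:2] == b"MZ"


def build_sample(payload=None) -> bytes:
    """Constructed JPEG stub (SOI, a fake APP0 segment, EOI) with an optional
    Base64 trailer, mimicking the layout described above. Not a real image."""
    image = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 8 + JPEG_EOI
    if payload is None:
        return image
    return image + b"\n" + base64.b64encode(payload) + b"\n"


if __name__ == "__main__":
    fake_exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00"   # constructed, not a real binary
    carved = extract_appended_payload(build_sample(fake_exe))
    print("clean image trailer:", extract_appended_payload(build_sample()))
    print("carved PE header?   ", looks_like_pe(carved), len(carved), "bytes")
```

A trailer that decodes to anything at all is worth a closer look, since image viewers ignore bytes after EOI and nothing legitimate needs to be there; the `MZ` check only prioritises the obvious case.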

The malware splits its command and control (C2) across three cloud services: a Twitter account that it polls every ten seconds for new tweets carrying instructions, ImgBB to upload screenshots and host additional payloads, and Google Forms to exfiltrate the stolen data to the RAT's operator.
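A fixed ten-second poll is the kind of behaviour that stands out in proxy logs even when the destination is a popular service. The Python below is an added example, not code from the article or from Cisco Talos: it groups requests by client and destination host and flags pairs whose inter-request gaps are nearly constant. The log lines, client IPs and Twitter path are constructed, and the thresholds (`min_requests`, `max_jitter`) are assumptions to tune. One caveat: a legitimate Twitter client also polls, so this is a hunting lead to combine with the document and image indicators above, not a conviction on its own.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log (not real telemetry): "<ISO time> <client IP> <URL>".
# 10.0.0.5 fetches the same Twitter page every 10 s; 10.0.0.6 browses normally.
SAMPLE_LOG = """\
2019-11-20T10:00:00Z 10.0.0.5 https://twitter.com/constructed_handle
2019-11-20T10:00:03Z 10.0.0.6 https://twitter.com/home
2019-11-20T10:00:06Z 10.0.0.6 https://twitter.com/explore
2019-11-20T10:00:10Z 10.0.0.5 https://twitter.com/constructed_handle
2019-11-20T10:00:20Z 10.0.0.5 https://twitter.com/constructed_handle
2019-11-20T10:00:30Z 10.0.0.5 https://twitter.com/constructed_handle
2019-11-20T10:00:40Z 10.0.0.5 https://twitter.com/constructed_handle
2019-11-20T10:00:50Z 10.0.0.5 https://twitter.com/constructed_handle
2019-11-20T10:00:53Z 10.0.0.6 https://twitter.com/search
2019-11-20T10:01:00Z 10.0.0.5 https://twitter.com/constructed_handle
2019-11-20T10:02:23Z 10.0.0.6 https://twitter.com/home
2019-11-20T10:02:34Z 10.0.0.6 https://twitter.com/notifications
2019-11-20T10:05:54Z 10.0.0.6 https://twitter.com/home
"""


def parse_log(text: str) -> dict:
    """Map (client IP, destination host) to the list of request timestamps."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, url = line.split(maxsplit=2)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events[(src, urlsplit(url).hostname)].append(when)
    return events


def find_beacons(events: dict, min_requests: int = 6, max_jitter: float = 0.2) -> list:
    """Return (client, host, median gap in seconds) for periodic request streams.

    Jitter is the mean absolute deviation of the gaps from their median,
    relative to the median; a software timer gives ~0, a human browsing gives
    a large value. Both thresholds are assumptions to tune per environment.
    """
    hits = []
    for (src, host), times in events.items():
        if len(times) < min_requests:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median_gap = statistics.median(gaps)
        if median_gap <= 0:
            continue
        jitter = statistics.mean([abs(g - median_gap) for g in gaps]) / median_gap
        if jitter <= max_jitter:
            hits.append((src, host, median_gap))
    return hits


def detect_from_sample() -> list:
    """Run the detector over the constructed log."""
    return find_beacons(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for src, host, gap in detect_from_sample():
        print(f"possible beacon: {src} -> {host} every {gap:.0f}s")
```

In a real deployment the window should be long enough that a burst of page loads does not reach `min_requests`, and the hit should be enriched with what else the client did (for example uploads to an image host or form submissions) before anyone acts on it.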

“This campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries. It also shows us an actor that puts effort into opsec by only using cloud providers. The malicious documents, the droppers and the RAT itself are developed around cloud providers. Additionally, the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities from the analyst,” the research team concludes.
