Windows 10 News and info | Forum
November 19, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Europeans Hit with Multi-Stage Malware Loader via Signed Malspam  (Read 103 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 30713

I Do Windows

WWW Email
« on: April 28, 2019, 03:16:18 PM »

Multiple malicious spam campaigns using signed emails have been observed while distributing the GootKit (aka talalpek or Xswkit) banking Trojan with the help of a multi-stage malware loader dubbed JasperLoader over the past few months.

This loader is the third one detected by Cisco Talos' research team since July 2018, with Smoke Loader (aka Dofoil) being employed by threat actors to drop ransomware or cryptocurrency miner payloads last year, while Brushaloader was identified during early 2019 and seen while making use of Living-of-the-Land (LotL) tools such as PowerShell scripts to remain undetected on compromised systems.

Malware loaders are popular tools for adversaries who want to make the job of dropping various malware payloads onto to their victims' machines easier because they make it possible to maximize their profits by switching the pushed malware to one suited to the infected computer.

The current loader tracked by Cisco Talos is JasperLoader and its activity has been picking up during the past months, with malspam campaign operators distributing it to targets from Central Europe, with an apparent focus on Italian and German targets.

Malspam email samples

"JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make the analysis more difficult," says Cisco Talos. "It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process."

As unearthed by the researchers, JasperLoader has been disseminated by multiple malspam campaigns throughout the last months and it has been used to drop the Gootkit banking Trojan previously distributed by DanaBot, Neutrino exploit kit and Emotet which acts as a backdoor and can steal sensitive user information.

The various malicious campaigns detected by Cisco Talos are localized to match the European country they are targeting, while the attachments employed to start the JasperLoader infection contain either a Visual Basic for Applications (VBS) script or a DOCM document with VBA macros, both of them used to initiate the payload download process.

The researchers also noticed "messages containing malicious JS downloaders. There were also some campaigns that featured legitimate and malicious file attachments. For example, some of the observed campaigns included ZIP files containing JS and XML files and benign PDF invoices."

Certificate properties and details

What makes some of these malspam campaigns very dangerous is the fact that the attackers use legitimate certified email services such as Posta Elettronica Certificata (PEC) used in Italy, Switzerland and Hong Kong to send signed emails "to maximize the likelihood that they can convince potential victims to open their malicious emails."

After the JasperLoader malware loader successfully infects its targets, it will check its geolocation and terminate itself if the compromised machine is from Russia, Ukraine, Belarus, or People's Republic of China.

Next, it gains persistence by adding an LNK shortcut to itself to the infected system's Startup folder to get launched each time the machine is rebooted.

It will also generate a bot identifier which gets sent to the command-and-control (C2) server allowing it to register the machine to the operators' botnet and it goes in standby, waiting for commands from the C2 server.

JasperLoader allows the attackers to update the loader, to run Powershell-based arbitrary system commands, and, more importantly, to download the final Gootkit malware payload.

Downloading the final malware payload

Signing the malspam messages before sending them to their victims using valid certificates made it possible for the attackers behind JasperLoader malicious email campaigns to confirm their authenticity "as only those with access to the private keys should be able to sign the message."

In addition, "abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader," concluded Cisco Talos.

Indicators of compromise (IOCs) are also provided by the Cisco Talos' research team in the form of SHA256 attachment hashes, list of used domains and IP addresses.

« Last Edit: April 28, 2019, 03:24:33 PM by javajolt » Logged

Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page November 18, 2019, 05:42:46 PM