Researchers have uncovered a new Windows-based remote access tool (RAT) named JhoneRat targeting Arabic-speaking countries including Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.
This new Trojan is quite sophisticated: the attackers use multiple cloud services such as Twitter, Google Forms and Google Drive to conceal it from virtual machines and analysis.
So what makes this new data stealer stand out? Unlike similar malware, this homemade RAT was written in Python without relying on open-source code, which helps it slip past local security on the device, and it abuses highly trusted cloud services to deliver its malware.
In this case, the malicious campaign is executed via an infected document on Google Drive. In the reconnaissance phase of the attack, the RAT filters its victims by checking the keyboard layout of infected devices. During the investigation, the Cisco Talos research team identified three Microsoft Office documents that were used:
In each case, an additional Microsoft Office document with a macro is executed, delivering the second payload: an image file (.jpg, img.jpg or photo.jpg) with a base64-encoded binary appended to the end of it. The attackers even seem to have a sense of humor: two of the images discovered by the researchers depict characters such as Mickey Mouse and Mr. Bean.
Once the image is opened, another binary (an AutoIt script) is downloaded, again from Google Drive. The last payload downloaded is JhoneRAT itself.
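The image stage described above (a picture with a base64-encoded binary appended after the real image data) can be triaged with a simple check for trailing data after the JPEG end-of-image marker. This is an added example, not code from the article or from Talos; the sample image bytes and the FAKE_PE stub are constructed for the demonstration.

```python
import base64
import re

# A well-formed JPEG ends with the EOI marker; anything after it is appended data.
JPEG_EOI = b"\xff\xd9"
# Base64 alphabet, allowing whitespace between chunks and up to two padding chars.
B64_RE = re.compile(rb"^[A-Za-z0-9+/\s]+={0,2}\s*$")

def trailing_data_after_eoi(data: bytes) -> bytes:
    """Return the bytes that follow the last JPEG EOI marker (empty if none)."""
    idx = data.rfind(JPEG_EOI)
    if idx == -1:
        return b""  # no EOI at all: not a JPEG, nothing to examine here
    return data[idx + len(JPEG_EOI):]

def extract_appended_base64(data: bytes, min_len: int = 16):
    """If the bytes after EOI look like base64, decode and return them, else None."""
    tail = trailing_data_after_eoi(data).strip()
    if len(tail) < min_len or not B64_RE.match(tail):
        return None
    try:
        return base64.b64decode(tail)
    except ValueError:  # binascii.Error (bad padding) is a ValueError subclass
        return None

def classify_image(data: bytes) -> str:
    """Triage verdict for one image file's bytes."""
    payload = extract_appended_base64(data)
    if payload is None:
        return "clean"
    if payload.startswith(b"MZ"):
        return "suspicious: appended base64 decodes to a PE executable"
    return "suspicious: appended base64 blob"

# Constructed samples: a minimal JPEG-like header/trailer, with and without an
# appended base64 blob that decodes to a fake PE stub (stand-in for a dropper).
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI
FAKE_PE = b"MZ" + b"\x90" * 30
SAMPLE_CLEAN = FAKE_JPEG
SAMPLE_INFECTED = FAKE_JPEG + base64.b64encode(FAKE_PE)

if __name__ == "__main__":
    for name, sample in (("clean", SAMPLE_CLEAN), ("infected", SAMPLE_INFECTED)):
        print(f"{name}: {classify_image(sample)}")
```

Running the same check over an image store or mail attachment quarantine turns the "cartoon picture with a binary glued on" trick into a cheap, high-signal detection.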
The RAT can take screenshots and upload them to ImgBB, download additional binaries, execute commands and send the output to Google Forms.
Even though the malware has now been exposed, the researchers warn that the JhoneRat operation is still a work in progress and new malicious documents may appear. Users are advised not to open suspicious files or enable macros in the Microsoft Office suite. You can also strengthen your device's security with an antivirus solution that detects JhoneRat. Bitdefender detects the files as Trojan.GenericKD.42247033 and Trojan.GenericKD.42249088.
Alina is a history buff passionate about cybersecurity and anything sci-fi, advocating Bitdefender technologies and solutions. She spends most of her time between her two feline friends and traveling.