Delaware, USA – May 24, 2019 – One of the relatively new malware downloaders has been significantly improved by its authors after the publication of its analysis on the Cisco Talos blog. In April, a mass distribution of JasperLoader via a spam campaign targeting Europeans was recorded. Adversaries leveraged it to deliver the Gootkit banking Trojan, whose operators had previously used the services of other downloaders, including the infamous Emotet malware. After the release of the article, the adversaries shut down the malicious campaign, only to return with an updated version of the malware a few weeks later. The current campaign is aimed mainly at victims in Italy.

The new version of JasperLoader is equipped with an expanded killswitch: the malware checks the language of the system and self-terminates if Chinese, Belarusian, Ukrainian, Russian, and now Romanian languages are detected. The malware also terminates itself when it detects a virtual machine or sandbox, which significantly complicates its analysis. In addition to the several obfuscation techniques used earlier, the malware authors added a new layer of character replacement. To keep the victim from suspecting anything while the second-stage payload is downloaded and launched, JasperLoader opens a PDF document to distract their attention. The mechanism for registering infected machines has been improved, and if the Command and Control server is taken down, the malware generates several “backup” addresses derived from the system date and tries to contact them.
The authors of JasperLoader actively develop their dropper and use it to deliver various banking Trojans. It is still at least months behind Emotet in maturity, but it already represents a significant threat. To detect the execution of suspicious PowerShell commands, you can use the Sysmon Framework, a free rule pack available in Threat Detection Marketplace: https://my.socprime.com/en/integrations/sysmon-framework-arcsight
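As an added illustration of the detection approach mentioned above (example code written for this page, not the Sysmon Framework rule pack or any SOC Prime content), the following Python triage script runs behaviour-based checks over constructed Sysmon Event ID 1 process-creation records, looking for the traits described in the article: encoded or hidden-window PowerShell, a system-locale check of the kind a language killswitch needs, chained character replacement, and launching a PDF as a decoy. The sample command lines and field names are constructed for the demonstration.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the two
# fields the checks use. The command lines are illustrative, modelled on the
# behaviours the article lists; they are not real JasperLoader samples.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"if ((Get-Culture).Name -match 'ru|uk|be|zh|ro') {exit}; Start-Process .\\invoice.pdf\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"&(('Xnvoke-EYpression' -replace 'X','I') -replace 'Y','x') $p\""},
    {"Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -File C:\\scripts\\nightly-backup.ps1"},
]

# Each indicator corresponds to one behaviour the article describes.
INDICATORS = {
    "encoded_command": re.compile(r"\s-(enc|encodedcommand|ec?)\b", re.I),
    "hidden_window": re.compile(r"\s-w(indowstyle)?\s+hidden\b", re.I),
    "locale_killswitch": re.compile(r"Get-(Culture|UICulture|WinSystemLocale)|CultureInfo", re.I),
    "decoy_document": re.compile(r"Start-Process[^;|]*\.pdf\b", re.I),
}
REPLACE_RE = re.compile(r"-replace\b|\.Replace\(", re.I)

def is_powershell(event):
    return event["Image"].lower().endswith(("powershell.exe", "pwsh.exe"))

def classify(command_line):
    """Return the names of all indicators present in one command line."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(command_line)]
    # Two or more replace operations in a single line suggests character-replacement obfuscation.
    if len(REPLACE_RE.findall(command_line)) >= 2:
        hits.append("char_replace_chain")
    return hits

def flag_events(events):
    """Return (command_line, indicators) for every PowerShell launch with at least one hit."""
    flagged = []
    for ev in events:
        if not is_powershell(ev):
            continue
        hits = classify(ev["CommandLine"])
        if hits:
            flagged.append((ev["CommandLine"], hits))
    return flagged

if __name__ == "__main__":
    for cmd, hits in flag_events(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmd[:80])
```

In production these checks would be fed from the Sysmon event stream rather than a static list, and the locale and decoy indicators are only meaningful in combination with the others, since legitimate scripts also query the culture or open documents.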