Delaware, USA – January 24, 2020 – The new trojan is distributed via phishing emails and activates only if it finds an Arabic keyboard layout installed on the machine. JhoneRAT was analyzed by Cisco Talos researchers, who discovered an ongoing campaign that started in November 2019. The threat actor behind this campaign is interested in specific Middle Eastern and Arabic-speaking countries: Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon. Interestingly, the attackers rely on cloud providers both to infect victims and to send commands: they misuse ImgBB, Google Forms, Google Drive, and Twitter as command-and-control infrastructure.
Researchers have discovered several types of lure emails with attached MS Word documents that ask the recipient, in Arabic and English, to enable editing. If the victim clicks the button, a script downloads an additional document hosted on Google Drive, which helps the attackers avoid URL blacklisting. The downloaded document contains a malicious macro that fetches a legitimate image file with a base64-encoded binary appended to its end and installs JhoneRAT on the system.

After starting, the trojan collects information about the system and begins polling a public Twitter feed through which the adversaries issue commands. Commands can be addressed to a single infected system or to all systems at once. The RAT can download base64-encoded files from Google Drive, post data into Google Forms, and exfiltrate screenshots via the ImgBB website. You can spot traces of this infection with the Sysmon Framework rule pack, which visualizes multiple security checks on Sysmon events and helps your security solution uncover modern attacks that bypass traditional detection tools: https://my.socprime.com/en/integrations/sysmon-framework
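The dropper stage described above hides the RAT binary by appending a base64 blob after the end of an otherwise valid image. A defender can catch that trick without any signature for the payload itself: parse the image far enough to find its real end marker (the PNG IEND chunk or the JPEG EOI marker) and inspect whatever follows. The scanner below is an added example written for this article, not code from Cisco Talos or from the Sysmon Framework rule pack; the image samples it checks are constructed inline, and the `MZ` check is a heuristic assumption that an appended Windows executable will decode to a PE header.

```python
"""Flag image files that carry data appended after their end-of-image marker.

Added example (not from the original article): walks the PNG chunk list or the
JPEG segment list to the format's genuine end, then classifies any trailer.
"""
import base64
import binascii
import re
import struct
import zlib
from typing import Optional, Tuple

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
# Base64 alphabet plus line breaks; used to recognise a textual trailer.
BASE64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def png_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk, or None if the chunk list is malformed."""
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data: bytes) -> Optional[int]:
    """Offset just past the EOI marker (FF D9), walking segments instead of
    searching for the byte pair, so an embedded thumbnail's EOI is not mistaken
    for the real one."""
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:             # EOI: end of image
            return pos + 2
        if marker == 0xFF:             # fill byte before a marker
            pos += 1
            continue
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:   # RSTn / TEM carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:             # SOS: skip entropy-coded data to next marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def image_end_offset(data: bytes) -> Optional[int]:
    if data.startswith(PNG_SIGNATURE):
        return png_end_offset(data)
    if data.startswith(JPEG_SOI):
        return jpeg_end_offset(data)
    return None


def extract_trailer(data: bytes) -> Optional[bytes]:
    """Bytes after the image's end marker; None if the file is not PNG/JPEG or is clean."""
    end = image_end_offset(data)
    if end is None or end >= len(data):
        return None
    return data[end:]


def classify_trailer(trailer: bytes) -> Tuple[str, bytes]:
    """Return ('base64-pe' | 'base64' | 'raw', decoded-or-raw bytes)."""
    stripped = trailer.strip()
    if stripped and BASE64_RE.match(stripped):
        try:
            decoded = base64.b64decode(stripped)
            # Heuristic assumption: an appended Windows binary decodes to a PE ("MZ") header.
            return ("base64-pe" if decoded.startswith(b"MZ") else "base64"), decoded
        except binascii.Error:
            pass
    return "raw", trailer


def scan_image(data: bytes) -> Optional[str]:
    """Verdict for one file: None when nothing follows the image end marker."""
    trailer = extract_trailer(data)
    return None if trailer is None else classify_trailer(trailer)[0]


# --- constructed samples (not real malware) -------------------------------
def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

CLEAN_PNG = PNG_SIGNATURE + _png_chunk(b"IHDR", b"\x00" * 13) + _png_chunk(b"IEND", b"")
CLEAN_JPEG = b"\xff\xd8" + b"\xff\xda\x00\x02" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9"
FAKE_PE = b"MZ" + b"\x90" * 30 + b"constructed-stub"        # stands in for the RAT binary
STAGED_PNG = CLEAN_PNG + base64.b64encode(FAKE_PE)
STAGED_JPEG = CLEAN_JPEG + base64.b64encode(b"not a PE, just appended text")

if __name__ == "__main__":
    for name, blob in [("clean.png", CLEAN_PNG), ("staged.png", STAGED_PNG),
                       ("clean.jpg", CLEAN_JPEG), ("staged.jpg", STAGED_JPEG)]:
        print(f"{name}: {scan_image(blob) or 'no trailer'}")
```

In a pipeline the same `scan_image` verdict would be raised on images fetched by an Office process or by a script interpreter, which is exactly the context in which the JhoneRAT macro retrieves its image; a `base64-pe` verdict on such a download is a strong signal on its own, and even a plain `base64` trailer on an image is unusual enough to warrant a look.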