Researchers are warning of a new remote access trojan (RAT), dubbed JhoneRAT, which is being distributed as part of an active campaign, ongoing since November 2019, that targets victims in the Middle East. Once downloaded, the RAT gathers information on the victims’ computers and is also able to download additional payloads.
Evidence shows that the attackers behind JhoneRAT have taken extra steps to ensure the RAT is being distributed to Arabic-speaking victims. Researchers note that the attackers have also made use of various cloud services, such as Google Drive and Google Forms, as part of the payload’s infection process.
“The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers,” said researchers with Cisco Talos in a Thursday analysis. “JhoneRAT is developed in Python but not based on public source code, as it is often the case for this type of malware. The attackers put great effort to carefully select the targets located in specific countries based on the victim’s keyboard layout.”
The RAT is first spread to victims via malicious Microsoft Office documents. Threatpost has reached out to researchers to clarify whether those documents are spread via email or other methods.
Researchers identified three malicious documents distributing JhoneRAT. The oldest, from November 2019, is called “Urgent.docx.” The second, from the beginning of January 2020, is named “fb.docx” and contains usernames and passwords from an alleged Facebook leak. A third, more recent document from mid-January purports to come from a United Arab Emirates organization; its author blurred the content and asks the user to enable editing in order to see it.
Once the user either opens the document or enables editing, the malicious document downloads an additional Office document, with an embedded macro, from Google Drive.
Interestingly, the attackers chain several cloud services – Google Drive, Twitter, Google Forms and ImgBB – to deliver the payload and operate it. This is not the first time an attacker has used cloud provider platforms in this way, but researchers say the approach helps the actor evade detection because its traffic is indistinguishable from legitimate use of the same services.
“It is hard for the targets to identify legitimate and malicious traffic to cloud provider infrastructure,” said researchers. “Moreover, this kind of infrastructure uses HTTPS and the flow is encrypted that makes man-in-the-middle interception more complicated for the defender.”
Once that document has been downloaded from Google Drive, its macro runs a command that fetches an image from a second Google Drive link. The image has a base64-encoded binary appended to its end, so it still displays normally while carrying the next stage. The filename is cartoon.jpg, img.jpg or photo.jpg, and the image usually depicts a cartoon, said researchers.
“It is interesting to note that the filename of the downloaded image is randomly generated based on a dictionary: Array (“cartoon,” “img,” “photo”),” they noted.
Once decoded, the base64 blob is an AutoIT binary, which downloads a further file from Google Drive. That file contains the final payload, JhoneRAT, which starts by launching three threads: one checks whether the system has a targeted keyboard layout (to confirm the victim speaks Arabic), the second creates persistence, and the third starts the RAT’s main loop.
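The carrier-image trick described above is simple to triage once you know to look for it: a JPEG decoder stops at the End Of Image marker (0xFF 0xD9), so anything after it is ignored by image viewers but still present in the file. The following Python is an added example written for this article, not Talos’s or the attacker’s code, and the JPEG and payload bytes it uses are constructed stand-ins (a bare JFIF header and an “MZ”-prefixed string rather than a real AutoIT binary). It splits a file at the last EOI marker, base64-decodes the trailer and reports whether the result looks like a Windows executable.

```python
import base64
import binascii
import re

# JPEG markers: Start Of Image and End Of Image.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
# Base64 alphabet plus whitespace; anything else means the trailer is not base64 text.
B64_TRAILER = re.compile(rb"\A[A-Za-z0-9+/=\s]+\Z")


def split_jpeg_trailer(data: bytes):
    """Return (image_bytes, trailer_bytes).

    The trailer is everything after the *last* EOI marker. Using the last one
    skips embedded EXIF thumbnails, which carry their own SOI/EOI pair. An
    appended base64 trailer is pure ASCII and can never contain 0xFF 0xD9,
    so it cannot confuse the search.
    """
    if not data.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1:
        raise ValueError("truncated JPEG: no EOI marker")
    end = eoi + len(JPEG_EOI)
    return data[:end], data[end:]


def carve_appended_payload(data: bytes):
    """Decode a base64 blob appended after the image data, or return None."""
    _image, trailer = split_jpeg_trailer(data)
    if not trailer.strip():
        return None                      # clean image, nothing appended
    if not B64_TRAILER.match(trailer):
        return None                      # trailing bytes present, but not base64 text
    compact = re.sub(rb"\s+", b"", trailer)
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None                      # malformed base64 (bad alphabet or padding)


def looks_like_pe(blob: bytes) -> bool:
    """Compiled AutoIT scripts ship as Windows executables, so check for the MZ header."""
    return blob[:2] == b"MZ"


def triage_image(data: bytes) -> dict:
    """Summarise what a carrier image holds, as a triage script would log it."""
    payload = carve_appended_payload(data)
    return {
        "has_trailer": payload is not None,
        "payload_size": len(payload) if payload else 0,
        "is_pe": bool(payload) and looks_like_pe(payload),
    }


# Constructed sample data (not artifacts from the campaign): a minimal JFIF
# header with no scan data, a stand-in payload, and the combined carrier file.
SAMPLE_CLEAN_JPEG = (
    JPEG_SOI
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + JPEG_EOI
)
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for the AutoIT dropper"
SAMPLE_CARRIER = SAMPLE_CLEAN_JPEG + base64.b64encode(SAMPLE_PAYLOAD)
SAMPLE_JUNK_TRAILER = SAMPLE_CLEAN_JPEG + b"\x00\x01\x02 not base64 \xff"

if __name__ == "__main__":
    for name, sample in [("clean", SAMPLE_CLEAN_JPEG),
                         ("carrier", SAMPLE_CARRIER),
                         ("junk", SAMPLE_JUNK_TRAILER)]:
        print(name, triage_image(sample))
```

The same split works for PNG (the IEND chunk) and GIF (the 0x3B trailer) with different markers; for a fleet-wide check, run the carve over images fetched from file-sharing domains in the proxy cache rather than relying on the random `cartoon`/`img`/`photo` filename, which the attacker can change at will.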
From there, exfiltrated data (such as screenshots of the system) is sent via ImgBB, a free image hosting and sharing service. The output of executed commands is posted to Google Forms (a survey app included in the Google Drive office suite), and further files are downloaded from Google Drive.
“This RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets,” said researchers.
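A fixed 10-second poll of a public site is the kind of thing that is invisible to a blocklist but visible in traffic timing. The Python below is an added example, not code from Talos or Threatpost, showing one simple way to surface it: group proxy requests by client and destination, and flag pairs whose inter-request gaps are nearly constant. The log lines are constructed, and the thresholds (six events minimum, coefficient of variation at most 0.2) are assumptions to tune for your environment.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the page): "<ISO timestamp> <client IP> <destination host>".
# 10.0.0.5 polls twitter.com every 10 seconds, like the RAT's command loop;
# 10.0.0.7 is a person browsing Twitter at irregular intervals.
SAMPLE_PROXY_LOG = """\
2020-01-16T10:00:00 10.0.0.5 twitter.com
2020-01-16T10:00:05 10.0.0.5 docs.google.com
2020-01-16T10:00:10 10.0.0.5 twitter.com
2020-01-16T10:00:20 10.0.0.5 twitter.com
2020-01-16T10:00:30 10.0.0.5 twitter.com
2020-01-16T10:00:40 10.0.0.5 twitter.com
2020-01-16T10:00:50 10.0.0.5 twitter.com
2020-01-16T10:01:00 10.0.0.5 twitter.com
2020-01-16T10:00:03 10.0.0.7 twitter.com
2020-01-16T10:04:41 10.0.0.7 twitter.com
2020-01-16T10:09:02 10.0.0.7 twitter.com
2020-01-16T10:09:04 10.0.0.7 twitter.com
2020-01-16T10:23:57 10.0.0.7 twitter.com
2020-01-16T10:24:10 10.0.0.7 twitter.com
"""


def parse_proxy_log(text: str) -> dict:
    """Group request timestamps by (client, destination) pair."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    return by_pair


def interval_stats(times, min_events: int = 6):
    """Return (median_gap_seconds, coefficient_of_variation), or None if too few events.

    A low coefficient of variation means the gaps are all about the same
    length, which is what a timer-driven poll looks like and a human does not.
    """
    if len(times) < min_events:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median = statistics.median(gaps)
    if median == 0:
        return None                      # burst of identical timestamps, not a beacon
    return median, statistics.pstdev(gaps) / median


def find_beacons(text: str, max_cv: float = 0.2, min_events: int = 6):
    """Return (client, destination, median_gap) for pairs with near-constant request timing."""
    hits = []
    for (src, dst), times in parse_proxy_log(text).items():
        stats = interval_stats(times, min_events)
        if stats is None:
            continue
        median, cv = stats
        if cv <= max_cv:
            hits.append((src, dst, median))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_beacons(SAMPLE_PROXY_LOG):
        print(f"possible beacon: {src} -> {dst} every {gap:.0f}s")
```

Because the destination is Twitter over HTTPS, the proxy sees only the host, not the handle being read, so this flags a host worth looking at rather than proving infection. Real implants also often add jitter to the interval, which raises the coefficient of variation; widen `max_cv` or switch to a histogram of gaps if you expect that. The follow-up is on the endpoint: a Python process polling Twitter with a non-browser client is the behavioural signal the researchers recommend pairing with network detection.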
The RAT also uses techniques to evade detection, virtual machines and analysis. The macro contains a virtual-machine detection check based on the serial numbers of the disks present in the victim environment.
“Additionally, the attackers implemented anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities from the analyst. For example, the VM or the sandbox must have the keyboard layout of the targeted countries and a disk serial number,” said researchers.
Researchers said that the campaign is ongoing.
“At this time, the API key is revoked and the Twitter account is suspended. However, the attacker can easily create new accounts and update the malicious files in order to still work. This campaign shows us that network-based detection is important but must be completed by system behavior analysis,” they said.