Middle East: A new Remote Access Trojan (RAT) has been identified by researchers at Talos that is using malicious Word documents to target people in the Middle East who speak Arabic. The threat actor behind this campaign is using a series of three Microsoft documents that request the victim to enable editing. To avoid defenses that detect macros in Word documents, the initial document does not contain any macros. Instead, it uses a reference to an externally attached template, which will cause Microsoft Word to download another document (the template) containing the malicious macro if the victim enables editing. These documents are hosted through Google Drive, most likely as a way to avoid IP and URL blacklisting. The macro in the template document checks to make sure it is not running on a virtual machine, then downloads a JPEG image, also from Google Drive. The image file contains valid image data that appears to be a normal picture. Appended to the end of the image file is Base64-encoded data that decodes to a binary executable malware file. The purpose of that executable is to download JhoneRAT. The JhoneRAT is written in Python and compiled into an executable file using pyinstaller. It achieves persistence by adding an entry with the name “ChromeUpdater” to the Run key in the registry.  Once loaded, the RAT will immediately begin harvesting information from the victim’s computer. The RAT was using a Twitter account to retrieve instructions from its command and control server every ten seconds, but the account has since been suspended by Twitter. Stolen screenshot images are uploaded to the cloud provider ImgBB while other stolen data is sent to the attacker via Google Forms. The RAT can download and execute additional Base64-encoded binary files from Google Drive. The RAT began spreading in November of 2019 and is targeting Saudi Arabia, Egypt, Iraq, Syria Algeria, Morocco, Tunisia, Oman, Yemen, UAE, Kuwait, Bahrain, and Lebanon.