Threat Watch

JhoneRAT Targeting Middle East

Middle East: A new Remote Access Trojan (RAT) has been identified by researchers at Talos that uses malicious Word documents to target Arabic-speaking people in the Middle East. The threat actor behind this campaign uses a series of three Microsoft documents that ask the victim to enable editing. To avoid defenses that detect macros in Word documents, the initial document does not contain any macros. Instead, it uses a reference to an externally attached template, which causes Microsoft Word to download another document (the template) containing the malicious macro if the victim enables editing. These documents are hosted on Google Drive, most likely to avoid IP and URL blacklisting. The macro in the template document checks that it is not running on a virtual machine, then downloads a JPEG image, also from Google Drive. The image file contains valid image data that appears to be a normal picture. Appended to the end of the image file is Base64-encoded data that decodes to a binary executable malware file. The purpose of that executable is to download JhoneRAT. JhoneRAT is written in Python and compiled into an executable file using pyinstaller. It achieves persistence by adding an entry named “ChromeUpdater” to the Run key in the registry. Once loaded, the RAT immediately begins harvesting information from the victim’s computer. The RAT used a Twitter account to retrieve instructions from its command and control server every ten seconds, but the account has since been suspended by Twitter. Stolen screenshot images are uploaded to the cloud provider ImgBB, while other stolen data is sent to the attacker via Google Forms. The RAT can download and execute additional Base64-encoded binary files from Google Drive. The RAT began spreading in November of 2019 and is targeting Saudi Arabia, Egypt, Iraq, Syria, Algeria, Morocco, Tunisia, Oman, Yemen, UAE, Kuwait, Bahrain, and Lebanon.
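Two of the delivery tricks described above leave artifacts a defender can check for with no signatures at all: a .docx whose settings relationships point at a template hosted outside the file, and a JPEG that carries Base64 text after its End-Of-Image marker. The script below is an added example written for this summary; it is not code from Talos or Binary Defense. It builds its own constructed samples (a minimal .docx containing only the relationship part the parser reads, a placeholder template URL, and a stand-in JPEG with a fake “MZ” header appended) so it runs offline, and it flags both indicators without fetching anything.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type Word uses for an attached template (a real constant,
# found in word/_rels/settings.xml.rels). A remote template is the hook that
# lets a macro-free document pull a macro-bearing one at open time.
ATTACHED_TEMPLATE_TYPE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"


def find_external_templates(docx_bytes):
    """Return Target URLs of attachedTemplate relationships marked External."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/_rels/settings.xml.rels" not in zf.namelist():
            return hits
        root = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if (rel.get("Type") == ATTACHED_TEMPLATE_TYPE
                and rel.get("TargetMode") == "External"):
            hits.append(rel.get("Target"))
    return hits


def find_appended_payload(image_bytes):
    """Inspect bytes after the last JPEG EOI marker (FF D9).

    Returns None if nothing follows the marker; otherwise a dict with the
    trailer length and whether it Base64-decodes to a PE ('MZ') header.
    """
    eoi = image_bytes.rfind(b"\xff\xd9")
    if eoi == -1:
        return None
    trailer = image_bytes[eoi + 2:].strip()
    if not trailer:
        return None
    result = {"trailer_len": len(trailer), "decodes_to_pe": False}
    # Only attempt a decode when the trailer is entirely Base64 alphabet.
    if re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", trailer):
        try:
            decoded = base64.b64decode(trailer)
            result["decodes_to_pe"] = decoded.startswith(b"MZ")
        except ValueError:  # binascii.Error is a ValueError subclass
            pass
    return result


# --- constructed samples (not real malware artifacts) ---------------------

def build_sample_docx(template_url=None):
    """Minimal .docx: only the relationship part the parser reads."""
    rel = ""
    if template_url is not None:
        rel = (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE_TYPE}" '
               f'Target="{template_url}" TargetMode="External"/>')
    rels = (f'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{RELS_NS}">{rel}</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def build_sample_jpeg(appended=b""):
    """Stand-in JPEG: SOI, an empty APP0 segment, EOI, then appended data."""
    return b"\xff\xd8\xff\xe0\x00\x02\xff\xd9" + appended


# Fake PE header (just "MZ" plus padding), Base64-encoded as the RAT's
# dropper image carries it. Constructed for the example only.
SAMPLE_PAYLOAD = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60)
PLACEHOLDER_TEMPLATE_URL = "https://example.invalid/remote-template.dotm"

if __name__ == "__main__":
    print("external templates:",
          find_external_templates(build_sample_docx(PLACEHOLDER_TEMPLATE_URL)))
    print("clean image:", find_appended_payload(build_sample_jpeg()))
    print("image with trailer:",
          find_appended_payload(build_sample_jpeg(SAMPLE_PAYLOAD)))
```

Either function alone is a useful triage step on mail attachments: an external attachedTemplate target on a document that arrived by e-mail deserves a look before anyone enables editing, and a JPEG whose trailer decodes to an MZ header is not a picture. The regex gate keeps the Base64 check from firing on ordinary EXIF or ICC trailers, which are binary rather than Base64 text.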


It is not clear which threat actor is using and spreading this RAT, but the campaign targets Arabic-speaking people throughout the Middle East by checking the victim’s keyboard layout and filtering out all non-Arabic layouts. Twitter has revoked the API key for the account, but this is unlikely to stall operations, since a new account can easily be created and used. Because of how the RAT is built, traditional defenses such as anti-virus, email threat scanning, and blocking known malicious IP addresses are ineffective. An effective defense against advanced attacks such as this one is endpoint monitoring that detects attacker behaviors, such as the Managed Detection and Response software built by Binary Defense and monitored by a 24/7/365 Security Operations Center.
Full analysis of the malware from Talos can be found here: