Description
A new variant of the JSSLoader remote access malware is being propagated using malicious Microsoft Excel addins, according to researchers.
Summary
Since December 2020, a RAT (remote access trojan) linked to the financially motivated Russian hacker group FIN7, also known as “Carbanak,” has been circulating in the wild.
JSSLoader is a small, lightweight RAT that can exfiltrate data, establish persistence, fetch and load new payloads, and auto-update itself, among other things.
Threat analysts at Morphisec Labs discovered the latest campaign, which uses a stealthier, updated version of JSSLoader, and report that the current distribution mechanism is phishing emails carrying XLL or XLM files.
Excel XLL add-ins are often used for legitimate purposes, such as importing data into a spreadsheet or extending Excel's functionality, so their abuse is not new.
How it works
Because the threat actors use an unsigned file, Excel displays a clear warning to the victim about the risks of running it. When activated, the XLL files load malicious code into memory via the xlAutoOpen function, then download the payload from a remote server and run it as a new process via an API call.
To evade endpoint detection and response (EDR) systems that consolidate detection information from across the network, the threat actor changes the User-Agent used by the XLL files on a regular basis.
The new JSSLoader has the same execution flow as previous versions, but it now contains a new layer of string obfuscation that includes renaming all functions and variables.
To avoid detection by defenders using string-based YARA rules, the new RAT splits strings into sub-strings and concatenates them at runtime. Finally, the string decoding algorithm is kept simple in order to leave a small footprint and avoid detection by static threat scanners. These additional features, together with the use of XLL files, make detection by next-generation antivirus (NGAV) and EDR systems difficult, if not impossible.
This allows FIN7 to roam undetected in the infiltrated network for days or weeks before defenders load matching signatures on tools that supplement AI-based detection systems.
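The split-string trick described above defeats a signature only when the scanner matches the raw file. The following PowerShell is an added example written for this advisory (it is not JSSLoader code and not from Morphisec or the cited articles): it folds adjacent quoted literals joined by "+" back into one literal before matching, and runs that over a constructed, hypothetical script fragment so you can see the indicator miss on the raw text and hit on the folded text.

```powershell
# Added example: normalise "a" + "b" + "c" style concatenation before
# indicator matching. The sample script is constructed for illustration.

function Join-SplitStrings {
    param([string]$Source)
    # Regex: two double-quoted literals separated by '+' (whitespace optional).
    # Applied repeatedly until nothing changes so chains of any length fold.
    $pattern = '"([^"]*)"\s*\+\s*"([^"]*)"'
    $previous = $null
    $current  = $Source
    while ($previous -ne $current) {
        $previous = $current
        # Single quotes keep $1/$2 as regex group references, not PowerShell variables.
        $current  = $current -replace $pattern, '"$1$2"'
    }
    return $current
}

function Test-Indicator {
    param([string]$Source, [string[]]$Indicators)
    $folded = Join-SplitStrings -Source $Source
    foreach ($indicator in $Indicators) {
        [pscustomobject]@{
            Indicator   = $indicator
            RawMatch    = $Source.Contains($indicator)   # what a naive string scan sees
            FoldedMatch = $folded.Contains($indicator)   # what the scan sees after folding
        }
    }
}

# Constructed JScript-style fragment with split strings (hypothetical values,
# example.invalid is a reserved non-routable domain).
$sample = @'
var ua = "Mozi" + "lla/5" + ".0";
var url = "ht" + "tp://exa" + "mple.inva" + "lid/p" + "ing";
var sh = new ActiveXObject("WScr" + "ipt.Sh" + "ell");
'@

Test-Indicator -Source $sample -Indicators @('Mozilla/5.0', 'example.invalid', 'WScript.Shell') |
    Format-Table -AutoSize
```

Expect RawMatch to be False and FoldedMatch to be True for all three indicators. The regex deliberately ignores escaped quotes and single-quoted literals; a production normaliser would tokenise the script properly, and it would still not help against strings that are decoded at runtime rather than merely concatenated, which is why the advisory stresses behavioural and EDR telemetry alongside static rules.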
FIN7 is a cunning threat outfit that has previously given malware-laced USBs with teddy bear gifts, pretended to be a reputable security firm to engage network penetration experts, and distributed ransomware-carrying USBs by postal mail.
The new and stealthier version of JSSLoader is only one tool in their armory, allowing them to remain undetected in networks for extended periods of time.
Remediation
To prevent infection by this malware, it is advised to enable Excel add-ins only in files that come from reputable sources.
A list of detection names for JSSLoader can be found at the following URL:
JSSLoader may be running in Task Manager as MimiHealth.
Here are a few steps you can follow if you are or suspect that you are infected with this malware:
Download Autoruns. This is a program that will show all auto-start applications, Registry, and file system locations. You can download the program from this link: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
Restart your computer in safe mode. You can learn how to do this at the following link: https://www.bitdefender.com/consumer/support/answer/2129/
Extract the downloaded archive and run the Autoruns.exe file.
In the Autoruns application, click “Options” at the top and uncheck “Hide Empty Locations” and “Hide Windows Entries” options. After this procedure, click the “Refresh” icon.
Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.
You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is especially important to avoid removing system files. After you locate the suspicious program you wish to remove, right-click its name and choose “Delete”.
After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.
Reboot your computer in normal mode.
The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.
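The Autoruns steps above are manual. As an added example for this advisory (not code from the CIRT, Microsoft or the cited articles), the PowerShell below scripts the equivalent check for the XLL vector specifically: it lists the add-ins Excel is registered to load at startup, looks for .xll files in the user's add-in and XLSTART folders, and flags any whose Authenticode signature is not valid. The Office version "16.0" and the folder paths are assumptions; adjust them for the installed Office build.

```powershell
# Added example: audit Excel add-in registrations and XLL files for unsigned
# binaries. Assumes Office 16.0 registry layout; change $OfficeVersion otherwise.

function Get-ExcelAddinAudit {
    param([string]$OfficeVersion = '16.0')
    $results = @()

    # 1. Add-ins Excel opens at startup are stored as OPEN, OPEN1, OPEN2, ... values.
    $optKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Excel\Options"
    if (Test-Path $optKey) {
        $props = Get-ItemProperty -Path $optKey
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -match '^OPEN\d*$') {
                # Values look like: /R "C:\path\addin.xll" (switch and quotes vary).
                $path = ($p.Value -replace '^/[RA]\s+', '').Trim('"')
                $results += [pscustomobject]@{ Source = "Registry:$($p.Name)"; Path = $path }
            }
        }
    }

    # 2. XLL files dropped into the per-user add-in and startup folders.
    $dirs = @(
        (Join-Path $env:APPDATA 'Microsoft\AddIns'),
        (Join-Path $env:APPDATA 'Microsoft\Excel\XLSTART')
    )
    foreach ($d in $dirs) {
        if (Test-Path $d) {
            Get-ChildItem -Path $d -Filter '*.xll' -Recurse -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $results += [pscustomobject]@{ Source = "Folder:$d"; Path = $_.FullName }
                }
        }
    }

    # 3. Check each candidate's Authenticode signature; anything not 'Valid' is flagged.
    foreach ($r in $results) {
        if (Test-Path $r.Path) {
            $sig    = Get-AuthenticodeSignature -FilePath $r.Path
            $status = $sig.Status.ToString()
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        } else {
            $status = 'FileMissing'
            $signer = ''
        }
        $r | Add-Member -NotePropertyName SignatureStatus -NotePropertyValue $status
        $r | Add-Member -NotePropertyName Signer          -NotePropertyValue $signer
        $r | Add-Member -NotePropertyName Suspicious      -NotePropertyValue ($status -ne 'Valid')
    }
    return $results
}

Get-ExcelAddinAudit | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it in the context of the affected user, since the registry key and folders are per-user. A 'Valid' signature only means the file was signed by a certificate the machine trusts; review the Signer column rather than treating Suspicious = False as clean, and cross-check any flagged path against the Autoruns output and the running process list before deleting it.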
References
Meskauskas, Tomas. (11th September 2021). How to remove JSSLOADER malware from the operating system. Retrieved from PC Risk: https://www.pcrisk.com/removal-guides/19822-jssloader-rat
Toulas, Bill. (24th March 2022). Malicious Microsoft Excel add-ins used to deliver RAT malware. Retrieved from Bleeping Computer: https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/