European organisations attacked by JasperLoader malware

News by Rene Millman

Signed emails used to deliver banking trojans

Multiple spam campaigns have been observed by security researchers pushing malware and trojans to targets in Italy and Germany.

According to a blog post by researchers at Cisco Talos, the campaigns have used a malware loader they have dubbed JasperLoader.

The researchers said such attacks have become more frequent in recent months, and the third in the last 12 months alongside Smoke Loader and Brushaloader earlier this year. Researchers said that loaders allow attackers to decide which malware to drop based on how they feel they can best monetise the access they gained.

They added that JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. "It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process," they said.

Researchers saw several spam campaigns with signed emails attempting to infect victims with JasperLoader and ultimately the Gootkit banking trojan

"Message signing makes use of certificates' verification to confirm the authenticity of the person sending the email, as only those with access to the private keys should be able to sign the message," they said.

Researchers added that they have identified several malicious campaigns making use of this type of message signing as a way to lend credibility to their messages and maximize the likelihood that potential victims will open the malicious attachments.

They said that each campaign was also relatively localised and featured multiple languages specific to each of the countries that were being targeted.

One campaign used a Visual Basic for Applications (VBS) script that was responsible for initiating the JasperLoader infection process. The campaigns targeting Germany were some of the only ones that were observed using VBS files to initiate the JasperLoader infection. Most of the attacks generally used DOCM files to download JasperLoader, and ultimately Gootkit.

"In addition to the campaigns using malicious DOCM files to distribute JasperLoader, we also observed messages containing malicious JS downloaders. There were also some campaigns that featured legitimate and malicious file attachments," said researchers.

Ominously, the campaign used Posta Elettronica Certificata (PEC) (widely used in Italy, Switzerland and Hong Kong to enable people to send registered email messages), to "maximize the likelihood that potential victims will open the malicious attachments."
Once JasperLoader is installed on a system, if the language set is associated with Russia, Ukraine, Belarus, or the People's Republic of China, the infection process terminates.

The malware also creates a bot ID and transmits this information to a C2 server to register itself. JasperLoader also can be updated by hackers. It can also run Powershell commands and download the Gootkit malware.

"While it is currently being used to spread the Gootkit banking trojan, it will likely be used to distribute additional malware payloads in the future, as it has been designed in a way that allows the operators of the loader's infrastructure to use it for new payloads in the future as they choose to monetize their operation in different ways," said researchers.

"The choice to abuse certified email services such as PEC demonstrates that as attackers are always looking for new ways to lend credibility to their social engineering attacks. In this case, abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader."

Dr Simon Wiseman, CTO of Deep Secure, told SC Media UK that keeping anti-malware defences up-to-date with the latest signatures may help but ultimately the bad guys just modify the signature of the malware and continue their campaign.

"This really highlights the problem with detection. To truly defend against these types of attacks, organisations need to do away with the industry-standard "detect and protect" cybersecurity strategy and leverage Content Threat Removal-as-a-service (CTRaaS) solutions that guarantee to defeat 100% of content threats, rather than the "95%, best endeavours" approach that is typical across the cybersecurity industry," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews