Researchers have uncovered a new Windows-based remote access
tool (RAT) named JhoneRat targeting Arabic-speaking countries including Saudi
Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE,
Kuwait, Bahrain and Lebanon.
This new Trojan is quite sophisticated as the attackers use
multiple cloud services such as Twitter, Google Forms and Google Drive to
conceal it from virtual machines and analysis.
So what makes this new data stealer stand out? Unlike
similar malware, this homemade RAT was developed in Python using a non-open
source code to trick local security on the device, and it uses highly trusted
cloud services to drop malware.
In this case, the malicious campaign is executed via an
infected document on Google Drive. In the reconnaissance phase of the attack,
the RAT filters its victims by checking the keyboard layout of infected
devices. During the investigation, the Cisco Talos
research team identified three Microsoft Office documents that were used:
- ‘Urgent.docx’ – initial document from November
2019 where the user is asked to enable editing in English and Arabic - ‘fb.docx’ – the second document from the beginning
of January that contains a list of leaked Facebook accounts from 2019 - A blurred-out document allegedly from an UAE
organization – the recipient is asked to enable editing to read it
In each case, an additional Microsoft Office document with a macro is executed, landing the second payload, an image file (.jpg, img.jpg or photo.jpg) with a base64-encoded binary appended at the end. Seems like the attackers even have a sense of humor. Two of the images discovered by researchers represent characters such as Mickey Mouse or Mr. Bean.
Once the image is opened, another binary (AutoIT) is downloaded from Google Drive again. The last payload downloaded is actually the JhoneRAT itself.
The RAT can take screenshots and upload them to ImgBB,
download additional binaries, execute commands and send the output to Google
Forms.
Even if the malware is out in the open, researchers advise
that the JhoneRat operation is still a work in progress and new malicious
documents may appear. Users are advised not to open any suspicious files or
enable macros in the Microsoft suite. You can also add to your device security
by using an antivirus solution that detects JhoneRat. Bitdefender detects the
files as Trojan.GenericKD.42247033 and Trojan.GenericKD.42249088