JSSLoader: Recoded and Reloaded

06/24/2021 | 10:29am EST
Key Takeaways
  • After a months-long absence, the malware loader JSSLoader returned in June 2021 campaigns rewritten from the .NET programming language to C++.
  • Rewriting the malware could be an effort by threat actors to evade current detections.
  • Current TA543 campaigns delivering JSSLoader are using similar lures to those observed by Proofpoint researchers in 2019 and the emails continue to contain links to a TDS landing page.
Overview

In June 2021, Proofpoint researchers observed a new variant of the downloader JSSLoader in several campaigns impacting a variety of organizations. This version of the malware loader was rewritten from .NET to the C++ programming language. This change, while not unheard of, is not a common occurrence and could be an effort by the threat actors utilizing JSSLoader to evade current detections. JSSLoader is often dropped in the first or second stage of a campaign and has the functionality to profile infected machines and load additional payloads.

The campaigns are ongoing and use similar lures to those initially observed by Proofpoint researchers in 2019. According to our data, the recent campaigns have attempted to target as many as several hundred organizations at a time across a wide range of industries, including finance, manufacturing, technology, retail, healthcare, education, and transportation.

Malware Analysis

Proofpoint researchers initially observed JSSLoader in September 2019. It was written in .NET at the time and being actively developed. Fast forward nearly two years and Proofpoint has now identified this latest variant of the malware loader written in C++. It has much of the same functionality as previous iterations. The following provides a more in-depth look at that early version and the changes the loader has undergone since 2019.

2019 Version of JSSLoader (.NET)

JSSLoader is an initial access malware that was written in .NET and was named after its 'JSS' namespace and 'jssAdmin' command and control (C&C) panel login page:

Figure 1. JSSLoader C&C panel login page from September 27, 2019 version.

Its C&C used HTTPS requests with base64-encoded data:

Figure 2. Example C&C request from September 27, 2019 version.

The initial C&C beacon contained verbose system information:

Figure 3. Example system information (trimmed for readability) from September 27, 2019 version.

Its commands and functionality focused on executing a next stage executable or JavaScript:

Figure 4. Commands from September 27, 2019 version.

2020-2021 JSSLoader Changes (.NET)

Since the initial version of JSSLoader, there have been gradual changes and improvements to the malware in successive campaigns. Morphisec wrote about some of these in a January 2021 paper titled 'Threat Profile the Evolution of the FIN7 JSSLoader (PDF).' Two of the most visible changes were a switch from the verbose system information to a JSON object and the addition of new commands. For example, the JSSLoader used in a December 14, 2020 email-based campaign sent the following system information:

Figure 5. Example system information (formatted and trimmed for readability) from December 14, 2020 version.

While the formatting changed, the beacon contained much of the same information as the original version. In addition to the changes in the C&C protocol, several new commands were added. The focus of the new commands was still on executing a next stage:

Figure 6. Commands from December 14, 2020 version.

After this December 2020 campaign, activity paused and the malware went through a redevelopment phase, according to Proofpoint's visibility.

June 2021 JSSLoader (C++)

In June 2021, email campaigns resumed, but the JSSLoader malware had been redeveloped from the .NET programming language to C++ (this change was also noticed on infosec Twitter). It is not common for malware to be redeveloped in a different programming language, but it does happen occasionally. Proofpoint recently documented another initial access malware known as 'Buer Loader' that was redeveloped from the C programming language to Rust. As noted in that blog post, rewriting malware can enable threat actors to better evade existing detection capabilities.

The C++ version of JSSLoader analyzed here is from a June 8, 2021 email-based campaign. It sets up 'registry run' persistence using a value name of 'AppJSSLoader' and sends a system information beacon in a similar style to the later .NET versions:

Figure 7. Example system information (formatted and trimmed for readability) from June 8, 2021 C++ version.

The C++ version also has similar command functionality, though the developers switched from the 'Cmd' prefix of the later .NET versions back to the 'Task' prefix seen in the earlier .NET samples:

Figure 8. Commands from June 8, 2021 C++ version.

The similarity in C&C protocol and commands was likely a choice to remain backwards compatible with the C&C panel software used by the existing .NET version.

Campaign Details

JSSLoader appears to be exclusive to a small number of threat actors. In fact, Proofpoint has only observed two actors using it since the first email campaign in 2019.

Most of the campaigns were attributed to the threat actor tracked by Proofpoint as TA543. They are characterized by their widespread distribution with opportunistic targeting. A typical campaign contains thousands of email messages and targets several hundred organizations. The lures used by TA543 typically focus on invoices and delivery information of packages.

The following sections describe and compare the original campaigns observed by Proofpoint in 2019 to the June 2021 campaigns.

September 2019 Campaign Example

On September 27, 2019, Proofpoint analysts observed a TA543 campaign spoofing Intuit branding. The threat actor used a likely compromised account for an email marketing service to send the malicious emails, which purported to be invoices and contained URLs linking to a landing page hosting BlackTDS. The TDS would direct the user to download another file, a VBS downloader, hosted on SharePoint. The VBS downloader would then download JSSLoader.

During our analysis, JSSLoader additionally loaded a Griffon payload, which is historically associated with another actor, TA3546, also known as FIN7 or Carbanak. In the following months, Proofpoint analysts observed TA543 shift to primarily delivering JSSLoader and/or other loaders that were often observed downloading other TA3546-associated payloads.

Figure 9. TA543 email that leads to the download of JSSLoader.

June 2021 Campaign Example

On June 8, 2021, Proofpoint analysts observed a TA543 campaign spoofing UPS branding (Figure 10). The email contained URLs linking to a Keitaro TDS landing page. In turn, the landing page linked to the download of a Windows Scripting File (WSF) hosted on SharePoint. If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader.

Figure 10. TA543 email sample from June 8, 2021, that leads to the download of JSSLoader.

Conclusion

The threat actors behind JSSLoader have continuously made modifications since its debut in 2019 and are likely to continue doing so using the 2021 variant. With the redevelopment of the malware into C++, which was possibly done to evade current detections and make analysis more difficult, Proofpoint researchers have not seen the .NET version in play. Instead, researchers anticipate seeing small refinements being made to the 2021 version in future campaigns, keeping in line with the evolution of the .NET version over the past two years.

Indicators of Compromise

Indicator                                                         Type      Notes
dd86898c784342fc11c42bea4c815cb536455ee709e7522fb64622d9171c465d  SHA256    September 27, 2019 JSSLoader sample
bikweb.com                                                        Hostname  September 27, 2019 JSSLoader C&C
a062a71a6268af048e474c80133f84494d06a34573c491725599fe62b25be044  SHA256    December 14, 2020 JSSLoader sample
monusorge.com                                                     Hostname  December 14, 2020 JSSLoader C&C
7a17ef218eebfdd4d3e70add616adcd5b78105becd6616c88b79b261d1a78fdf  SHA256    June 8, 2021 JSSLoader sample
injuryless.com                                                    Hostname  June 8, 2021 JSSLoader C&C
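The following is an added detection example, not code from Proofpoint or from the malware, that turns two indicators from this report into host and network checks: the 'AppJSSLoader' registry Run value used for persistence by the June 2021 C++ build, and the three C&C hostnames listed in the table above. The Sysmon-style registry events and proxy log lines are constructed sample input, and the log format is an assumption.

```python
import re
from typing import Dict, List, Optional

# Persistence: the C++ sample writes a Run value named 'AppJSSLoader' (from the report).
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<value>[^\\]+)$",
    re.IGNORECASE,
)
JSSLOADER_RUN_VALUE = "appjssloader"

# C&C hostnames taken from the report's IoC table.
JSSLOADER_C2_HOSTS = {"bikweb.com", "monusorge.com", "injuryless.com"}


def check_registry_event(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Flag a Sysmon-style registry value-set event (EventID 13) whose
    TargetObject is a Run key value named AppJSSLoader (any hive)."""
    m = RUN_KEY_RE.search(event.get("TargetObject", ""))
    if not m or m.group("value").lower() != JSSLOADER_RUN_VALUE:
        return None
    return {"rule": "jssloader_run_persistence",
            "image": event.get("Image", ""), "target": event["TargetObject"]}


def check_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Flag a request to a known JSSLoader C&C host. Assumed (constructed)
    proxy line format: '<timestamp> <client_ip> <method> <url> <status>'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    host = re.sub(r"^https?://", "", parts[3]).split("/")[0].lower()
    if host in JSSLOADER_C2_HOSTS:
        return {"rule": "jssloader_c2_host", "client": parts[1], "host": host}
    return None


# Constructed sample telemetry (not real events): one hit and one benign entry each.
SAMPLE_REGISTRY_EVENTS = [
    {"Image": "C:\\Users\\user\\AppData\\Local\\Temp\\upd.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\AppJSSLoader"},
    {"Image": "C:\\Program Files\\Vendor\\app.exe",
     "TargetObject": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater"},
]
SAMPLE_PROXY_LINES = [
    "2021-06-08T10:02:11Z 10.0.0.15 POST https://injuryless.com/ 200",
    "2021-06-08T10:02:15Z 10.0.0.15 GET https://www.example.com/ 200",
]


def run_detections(events: List[Dict[str, str]], proxy_lines: List[str]) -> List[Dict[str, str]]:
    """Run both checks and return the list of hits for triage."""
    hits = [h for e in events if (h := check_registry_event(e))]
    hits += [h for line in proxy_lines if (h := check_proxy_line(line))]
    return hits
```

Hostname matching alone is brittle once the actors rotate infrastructure; the Run value check and the ET signatures listed below cover behaviour rather than a single domain.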

ET Signatures

2033072 - ET TROJAN FIN7 JSSLoader Variant Activity (POST)
2033074 - ET TROJAN FIN7 JSSLoader Variant Activity (GET)
2838606 - ETPRO TROJAN Win32/jssLoader CnC Activity
2838607 - ETPRO TROJAN Win32/jssLoader CnC Checkin
2842028 - ETPRO TROJAN JSSLoader CnC Host Checkin

Disclaimer

Proofpoint Inc. published this content on 24 June 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 24 June 2021 14:28:08 UTC.
