- The latest version includes sandbox and virtual machine detection in order to stay ahead of anti-malware solutions.
- The infection process begins with a malicious VBS script.
A new variant of JasperLoader malware has been observed targeting Italian users. The new variant includes capabilities such as new anti-analysis mechanisms, extra layers of obfuscation and geofencing abilities.
What’s new about the malware?
The new JasperLoader variant continues to feature multiple stages which are used to gain persistence on systems and initiate communications with attacker-controlled infrastructure.
While the overall structure of the new variant remains the same, operators have added quite a few new modules and features to improve its evasion skills.
The latest version includes sandbox and virtual machine detection in order to stay ahead of anti-malware solutions, BleepingComputer reported.
How does the infection begin?
The infection process begins with a malicious VBS script. This VBS script is downloaded from a decoy PDF document that is designed to trick the victims.
To ensure that the attack is launched only on specific targets, the new variant comes with a kill switch.
Fallback C2 communication
The new JasperLoader version has also implemented a new bot registration and ID generation mechanism to create a unique identifier for each system.
In addition, it also includes a fallback command-and-control (C2) domain retrieval mechanism that enhances the time-based fluxing capabilities of the malware. In a situation where the default C2 server goes down, the current date on the system is used to generate a series of failback domains so that the malware can make connections with another C2 server.