Researchers have observed a new version of the JSSLoader RAT spreading via malicious Microsoft Excel add-ins. Linked to the Russian threat group FIN7, the RAT has been in the wild since December 2020.
How does the new JSSLoader variant work?
Researchers from Morphisec Labs disclosed an attack campaign using a new and stealthier version of JSSLoader.
The attackers used phishing emails laden with XLL/XLM attachments as the delivery mechanism.
The add-in enclosed in the attachment is unsigned, so Excel displays a clear warning to the victim about the risks of opening or executing it.
If the victim enables it anyway, the XLL runs malicious code from its xlAutoOpen function to load the next stage into memory.
It then downloads a payload from a remote server and runs it as a new process via an API call.
Notably, the new version of JSSLoader has the same execution flow as the older versions.
Detection evasion mechanisms
The latest variant comes with some new layers of obfuscation to keep itself hidden from security analysts.
The attackers regularly refresh the User-Agent used by the XLL files to evade Endpoint Detection and Response (EDR), which correlates detection information across the organization's entire network.
The latest variant also adds a new layer of string obfuscation, including renaming all functions and variables.
To avoid detection by the string-based YARA rules used in traditional security solutions, the new version splits strings into substrings and chains them back together at runtime.
Additionally, the string decoding mechanism leaves a minimal footprint, which limits the chances of detection by static threat scanners.
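The substring-chaining trick above is why a literal-string rule can miss the same indicator it used to catch. The following added example (not code from the campaign or from Morphisec) shows a defender-side normalization step: it folds chains of concatenated string literals back into one literal before matching, and counts suspiciously long chains as a heuristic. The script sample and the indicator list are constructed for illustration.

```python
import re

# Constructed sample script fragment (not taken from the real loader):
# the first two lines build an indicator out of chained substrings,
# the third uses a plain literal that a naive rule would still see.
SAMPLE = '''
var a1 = "Wi" + "nH" + "ttp." + "WinHt" + "tpReq" + "uest.5.1";
var a2 = "Win" + "Http.WinHttp" + "Request.5.1";
var b1 = "Scripting.FileSystemObject";
'''

# Constructed indicator list; in practice these come from your own rules.
INDICATORS = ["WinHttp.WinHttpRequest.5.1", "Scripting.FileSystemObject"]

# One JavaScript-style string literal, double- or single-quoted, with escapes.
STRING_LITERAL = r'"(?:[^"\\]|\\.)*"' + r"|'(?:[^'\\]|\\.)*'"
# Two or more literals joined by '+', whitespace allowed around the operator.
CHAIN = re.compile(rf'(?:{STRING_LITERAL})(?:\s*\+\s*(?:{STRING_LITERAL}))+')


def _parts(chain_text):
    """Return the quoted pieces of one concatenation chain, quotes stripped."""
    return [p[1:-1] for p in re.findall(STRING_LITERAL, chain_text)]


def fold_chains(src):
    """Replace every '"a" + "b" + "c"' chain with the single literal '"abc"'.

    Escape sequences inside the pieces are kept verbatim; this is a matching
    aid for static rules, not a full JavaScript evaluator.
    """
    return CHAIN.sub(lambda m: '"' + ''.join(_parts(m.group(0))) + '"', src)


def literal_hits(src, indicators):
    """Naive matching, the way a plain string rule sees the file."""
    return sorted(i for i in indicators if i in src)


def normalized_hits(src, indicators):
    """Same matching, but after folding concatenation chains first."""
    return literal_hits(fold_chains(src), indicators)


def long_chain_count(src, min_parts=3):
    """Heuristic: legitimate code rarely glues many tiny literals together."""
    return sum(1 for m in CHAIN.finditer(src) if len(_parts(m.group(0))) >= min_parts)
```

Running `normalized_hits(SAMPLE, INDICATORS)` recovers both indicators where `literal_hits` finds only the unobfuscated one, and `long_chain_count(SAMPLE)` flags the two chained assignments.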
Using XLL files to deliver the new version of the JSSLoader RAT is a clever attempt by the attackers to slip past defenses. It let FIN7 members target a network undeterred for multiple days or even weeks. Organizations need intrusion detection or intrusion prevention systems as part of their security and protection strategy to thwart such threats.