Researchers have uncovered a new Windows remote access trojan (RAT) named JhoneRAT targeting Arabic-speaking countries including Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.
What makes this Trojan notable is less its code than its infrastructure: the attackers route every stage through legitimate cloud services such as Twitter, Google Forms and Google Drive, so its downloads and command traffic blend in with ordinary web usage and are hard to block or spot at the network level.
So what makes this new data stealer stand out? Unlike many similar tools, this RAT was written from scratch in Python rather than built on a publicly available RAT framework, so detection signatures written for the known frameworks do not match it, and it relies on highly trusted cloud services to deliver each stage of the malware.
In this case, the campaign starts with a booby-trapped document that pulls its next stage from Google Drive. Before doing anything noisy, the malware filters its victims by checking the keyboard layouts installed on the infected machine and only continues when an Arabic layout is present, which both narrows the targeting to the region above and sidesteps most analysis sandboxes, which typically run with an English layout. During the investigation, the Cisco Talos research team identified three Microsoft Office documents that were used:
- ‘Urgent.docx’ – initial document from November 2019 where the user is asked to enable editing in English and Arabic
- ‘fb.docx’ – the second document from the beginning of January that contains a list of leaked Facebook accounts from 2019
- A blurred-out document allegedly from a UAE organization – the recipient is asked to enable editing to read it
In each case, the first document fetches an additional Microsoft Office document carrying a macro, and that macro downloads the second payload: an image file (named img.jpg or photo.jpg) with a base64-encoded binary appended after the end of the image data. The attackers even seem to have a sense of humour: two of the images discovered by researchers show Mickey Mouse and Mr. Bean.
The macro decodes the appended blob into an AutoIT binary, which in turn downloads the final payload from Google Drive again. That last payload is the JhoneRAT itself.
The RAT polls a Twitter account for its commands, takes screenshots and uploads them to ImgBB, downloads additional binaries from Google Drive, and executes commands, sending their output to Google Forms.
Even though the malware is now public, researchers warn that the JhoneRAT operation is still a work in progress and new malicious documents may appear. Users are advised not to open suspicious files or enable macros in Microsoft Office documents. Defenders should also note that the RAT's infrastructure is Google Drive, Google Forms, Twitter and ImgBB, which few organizations can block outright, so endpoint detection matters more than usual here. You can add to your device security by using an antivirus solution that detects JhoneRAT; Bitdefender detects the files as Trojan.GenericKD.42247033 and Trojan.GenericKD.42249088.
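The appended-payload trick in the image stage is easy to check for on the defender's side. The following Python is an added example written for this article; it is not Talos's or Bitdefender's code and not the actor's. It walks the JPEG marker structure to find where the real image ends, treats anything after the EOI marker as a trailer, and tries to base64-decode the trailer and look for a PE header. The sample image and the "MZ" stub it decodes are constructed inline so the script runs offline; the actual campaign images were not examined here, and the function and variable names are the example's own.

```python
import base64
import re
from typing import Dict, Optional

# JPEG markers that carry no length field (SOI, TEM, RST0..RST7).
_STANDALONE_MARKERS = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def _skip_entropy_coded_data(data: bytes, pos: int) -> int:
    """Advance past the scan data that follows an SOS segment.

    Inside scan data a literal 0xFF is stuffed as FF 00 and restart markers
    FF D0..FF D7 may appear; any other byte after 0xFF is a real marker.
    """
    while pos + 1 < len(data):
        nxt = data[pos + 1]
        if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
            return pos
        pos += 1
    raise ValueError("scan data runs past end of file")


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG segments and return the offset just past EOI (FF D9).

    Walking the structure instead of searching for the last FF D9 matters:
    an appended payload may itself happen to contain those two bytes.
    """
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte; the marker starts at the next 0xFF
            pos += 1
            continue
        if marker == 0xD9:            # EOI: the image proper ends here
            return pos + 2
        if marker in _STANDALONE_MARKERS:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seg_len < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += 2 + seg_len
        if marker == 0xDA:            # SOS: entropy-coded scan data follows
            pos = _skip_entropy_coded_data(data, pos)
    raise ValueError("EOI marker not found")


def decode_base64_trailer(trailer: bytes) -> Optional[bytes]:
    """Return the decoded bytes if the trailer is a (possibly line-wrapped) base64 blob."""
    compact = re.sub(rb"\s+", b"", trailer)
    if not compact or not re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", compact):
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except ValueError:                # binascii.Error is a ValueError subclass
        return None


def analyze_image(data: bytes) -> Dict[str, object]:
    """Report whether anything follows the image and whether it decodes to a PE file."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    decoded = decode_base64_trailer(trailer) if trailer else None
    return {
        "image_bytes": end,
        "trailer_bytes": len(trailer),
        "base64_trailer": decoded is not None,
        "decoded_bytes": len(decoded) if decoded else 0,
        "pe_header": decoded is not None and decoded[:2] == b"MZ",
    }


def build_minimal_jpeg() -> bytes:
    """Constructed stand-in for a real photo: valid marker layout, no real pixels."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # contains a stuffed FF 00 and an RST0 marker
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


# Constructed payload: a PE-looking header stub, not a real executable.
FAKE_PE = b"MZ" + b"\x90" * 58 + (64).to_bytes(4, "little") + b"PE\x00\x00"
CLEAN_JPEG = build_minimal_jpeg()
STEGO_JPEG = CLEAN_JPEG + base64.encodebytes(FAKE_PE)   # line-wrapped base64 appended after EOI

if __name__ == "__main__":
    print("clean:", analyze_image(CLEAN_JPEG))
    print("stego:", analyze_image(STEGO_JPEG))
```

Treat a hit as a triage signal rather than a verdict: some cameras and editing tools legitimately write data after EOI, so the useful combination is "trailer present" plus "trailer decodes to something with an MZ header", which is what a macro-dropped image in this campaign would show.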