Thursday, December 7, 2023

JhoneRAT – Hackers Launching New Cloud-based Python RAT to Steal Data From Google Drive, Twitter & Google Forms

Researchers uncovered a new cloud-based Python RAT “JhoneRAT” that spreading via weaponized MS word document to steal sensitive data from multiple cloud-based services such as Google Drive, Twitter, ImgBB and Google Forms.

JhoneRAT python RAT specifically targeting a very specific set of Arabic-speaking countries such as Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon.

Researchers discovered that the threat actors behind this attack developed a homemade RAT and carefully selected the targets in different countries based on the victim’s keyboard layout.

The RAT works in multiple layers that hosted in cloud providers and spreading via malicious documents to exploit the well-known vulnerabilities to download the additional payload.

To evade the blacklisting, attackers using well-known cloud provides such as Google and additional provides such as Twitter and ImgBB.

“The JhoneRAT malware is divided into a couple of layers — each layer downloads a new payload on a cloud provider to get the final RAT developed in Python”

Focusing on Different cloud services

Threat actors leveraging 4 different cloud service providers instead of their own infrastructure that helps to evade the detection and make it harder to differentiate malicious and legitimate traffic.

Since the well-known cloud services provider using HTTPS that makes MITM is complicated and hard to detect the malicious activities for defenders.

According to Talos Research ” Even while using these services, the authors of this JhoneRAT went further and used different user-agent strings depending on the request, and even on the downloaders, the authors used other user-agent strings. “

Infect the Target via Weaponised Document

Cisco researchers identified some of the malicious Microsoft Office documents that spreading via spam email campaigns that tempt victims to open by claiming the document contains a piece of urgent information.

The malicious document contains a Macro that gets executed once the victim opens the document by clicking the “Enable Editing”.

Several decoy document has been identified in the campaign, and the additional Office document containing a Macro which is downloaded and executed. The documents are located on Google Drive.

Malicious documents on Google Drive

Attackers following several infection stages to infect the victims using cloud services.

  1. Malicious template on Google Drive – The template located on Google Drive contains a macro. 
  2. Image file on Google Drive – Download the image file is a real image with a base64-encoded binary appended at the end.
  3. Autoit file – The decoded base64 data is an AutoIT binary. This binary downloads a new file on Google Drive.
  4. Python RAT using cloud providers – A final payload that drops remote access tool (RAT) written in Python.
screenshots are exfiltrated via the ImgBB

Researchers named the python RAT as JhoneRAT and the python code is wrapped into an executable using PyInsaller.

JhoneRAT also using 3 three commands:

  • Take a screenshot and upload it to ImgBB.
  • Download binary disguised has a picture from Google Drive and execute it.
  • Execute a command and send the output to Google Forms.

Using this Python RAT, Threat actors specifically targeting Middle Eastern and Arabic-speaking countries, Also they have implemented an anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities to the malware analyst. 




Latest articles

Bluetooth keystroke-injection Flaw: A Threat to Apple, Linux & Android Devices

An unauthenticated Bluetooth keystroke-injection vulnerability that affects Android, macOS, and iOS devices has been...

Atlassian Patches RCE Flaw that Affected Multiple Products

Atlassian has been discovered with four new vulnerabilities associated with Remote Code Execution in...

Reflectiz Introduces AI-powered Insights on Top of Its Smart Alerting System

Reflectiz, a cybersecurity company specializing in continuous web threat management, proudly introduces a new...

SLAM Attack Gets Root Password Hash in 30 Seconds

Spectre is a class of speculative execution vulnerabilities in microprocessors that can allow threat...

Akira Ransomware Exploiting Zero-day Flaws For Organization Network Access

The Akira ransomware group, which first appeared in March 2023, has been identified as...

Hackers Deliver AsyncRAT Through Weaponized WSF Script Files

The AsyncRAT malware, which was previously distributed through files with the .chm extension, is now being...

BlueNoroff: New Malware Attacking MacOS Users

Researchers have uncovered a new Trojan-attacking macOS user that is associated with the BlueNoroff APT...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles