Friday, March 29, 2024

JhoneRAT – Hackers Launching New Cloud-based Python RAT to Steal Data From Google Drive, Twitter & Google Forms

Researchers uncovered a new cloud-based Python RAT “JhoneRAT” that spreading via weaponized MS word document to steal sensitive data from multiple cloud-based services such as Google Drive, Twitter, ImgBB and Google Forms.

JhoneRAT python RAT specifically targeting a very specific set of Arabic-speaking countries such as Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon.

Researchers discovered that the threat actors behind this attack developed a homemade RAT and carefully selected the targets in different countries based on the victim’s keyboard layout.

The RAT works in multiple layers that hosted in cloud providers and spreading via malicious documents to exploit the well-known vulnerabilities to download the additional payload.

To evade the blacklisting, attackers using well-known cloud provides such as Google and additional provides such as Twitter and ImgBB.

“The JhoneRAT malware is divided into a couple of layers — each layer downloads a new payload on a cloud provider to get the final RAT developed in Python”

Focusing on Different cloud services

Threat actors leveraging 4 different cloud service providers instead of their own infrastructure that helps to evade the detection and make it harder to differentiate malicious and legitimate traffic.

Since the well-known cloud services provider using HTTPS that makes MITM is complicated and hard to detect the malicious activities for defenders.

According to Talos Research ” Even while using these services, the authors of this JhoneRAT went further and used different user-agent strings depending on the request, and even on the downloaders, the authors used other user-agent strings. “

Infect the Target via Weaponised Document

Cisco researchers identified some of the malicious Microsoft Office documents that spreading via spam email campaigns that tempt victims to open by claiming the document contains a piece of urgent information.

The malicious document contains a Macro that gets executed once the victim opens the document by clicking the “Enable Editing”.

Several decoy document has been identified in the campaign, and the additional Office document containing a Macro which is downloaded and executed. The documents are located on Google Drive.

JhoneRAT
Malicious documents on Google Drive

Attackers following several infection stages to infect the victims using cloud services.

  1. Malicious template on Google Drive – The template located on Google Drive contains a macro. 
  2. Image file on Google Drive – Download the image file is a real image with a base64-encoded binary appended at the end.
  3. Autoit file – The decoded base64 data is an AutoIT binary. This binary downloads a new file on Google Drive.
  4. Python RAT using cloud providers – A final payload that drops remote access tool (RAT) written in Python.
JhoneRAT
screenshots are exfiltrated via the ImgBB

Researchers named the python RAT as JhoneRAT and the python code is wrapped into an executable using PyInsaller.

JhoneRAT also using 3 three commands:

  • Take a screenshot and upload it to ImgBB.
  • Download binary disguised has a picture from Google Drive and execute it.
  • Execute a command and send the output to Google Forms.

Using this Python RAT, Threat actors specifically targeting Middle Eastern and Arabic-speaking countries, Also they have implemented an anti-VM (and sandbox) and anti-analysis tricks to hide the malicious activities to the malware analyst. 

IOC’s

273aa20c4857d98cfa51ae52a1c21bf871c0f9cd0bf55d5e58caba5d1829846f
29886dbbe81ead9e9999281e62ecf95d07acb24b9b0906b28beb65a84e894091
d5f10a0b5c103100a3e74aa9014032c47aa8973b564b3ab03ae817744e74d0796cc0c11c754e1e82bca8572785c27a364a18b0822c07ad9aa2dc26b3817b8aa4
7e1121fca3ac7c2a447b61cda997f3a8202a36bf9bb08cca3402df95debafa69
b4a43b108989d1dde87e58f1fd6f81252ef6ae19d2a5e8cd76440135e0fd6366
4228a5719a75be2d6658758fc063bd07c1774b44c10b00b958434421616f1548

Website

Latest articles

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

GoPlus Labs, the leading Web3 security infrastructure provider, has unveiled a groundbreaking report highlighting...

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles