Europeans Hit with Multi-Stage Malware Loader via Signed Malspam

Solarquest

Multiple malicious spam campaigns using signed emails have been observed while distributing the GootKit (aka talalpek or Xswkit) banking Trojan with the help of a multi-stage malware loader dubbed JasperLoader over the past few months.

This loader is the third one detected by Cisco Talos' research team since July 2018, with Smoke Loader (aka Dofoil) being employed by threat actors to drop ransomware or cryptocurrency miner payloads last year, while Brushaloader was identified during early 2019 and seen while making use of Living-off-the-Land (LotL) tools such as PowerShell scripts to remain undetected on compromised systems.

Malware loaders are popular tools for adversaries who want to make the job of dropping various malware payloads onto their victims' machines easier because they make it possible to maximize their profits by switching the pushed malware to one suited to the infected computer.
The current loader tracked by Cisco Talos is JasperLoader and its activity has been picking up during the past months, with malspam campaign operators distributing it to targets from Central Europe, with an apparent focus on Italian and German targets.
...
...
What makes some of these malspam campaigns very dangerous is the fact that the attackers use legitimate certified email services such as Posta Elettronica Certificata (PEC) used in Italy, Switzerland and Hong Kong to send signed emails "to maximize the likelihood that they can convince potential victims to open their malicious emails."
...
...
VT: some 36/63, e.g.

Some still 12/62

19/62, 20/62
