upnorth

Moderator
Verified
Staff member
Malware Hunter
This new RAT is dropped to the victims via malicious Microsoft Office documents. The dropper, along with the Python RAT, attempts to gather information on the victim's machine and then uses multiple cloud services: Google Drive, Twitter, ImgBB and Google Forms. The RAT attempts to download additional payloads and upload the information gathered during the reconnaissance phase. This particular RAT attempts to target a very specific set of Arabic-speaking countries. The filtering is performed by checking the keyboard layout of the infected systems. Based on the analysed sample, JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.

What's new? The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers. JhoneRAT is developed in Python but not based on public source code, as is often the case for this type of malware. The attackers put great effort into carefully selecting the targets located in specific countries based on the victim's keyboard layout.

How did it work? Everything starts with a malicious document using a well-known vulnerability to download a malicious document hosted on the internet. For this campaign, the attacker chose to use a cloud provider (Google) with a good reputation to avoid URL blacklisting. The malware is divided into a couple of layers — each layer downloads a new payload from a cloud provider to get the final RAT, developed in Python, which uses additional providers such as Twitter and ImgBB.

So what? This RAT is a good example of how a highly focused attack that tries to blend its network traffic into the crowd can be highly effective. In this campaign, focusing detection on the network is not the best approach. Instead, the detection must be based on the behaviour on the operating system. Attackers can abuse well-known cloud providers and abuse their reputations in order to avoid detection.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
There is a typing error in the article. The malware uses a macro to access WMI (via the GetObject method), but not WMIC (the command-line interface to WMI). So, you cannot block it without blocking WMI.
This can be done for example by applying Windows Defender ASR rule "Block process creations originating from PSExec and WMI commands".
Anyway, it is not clear if blocking WMI commands could stop this malware, because it uses WMI only to detect a virtual machine. Blocking WMI will not give the attacker information that a virtual machine is present, so the malware can continue the infection chain (or not, depending on the attacker). Furthermore, the malware uses other methods to detect a virtual machine.
 

Sampei Nihira

Level 6
Verified
There is a typing error in the article. The malware uses a macro to access WMI (via the GetObject method), but not WMIC (the command-line interface to WMI). So, you cannot block it without blocking WMI.
This can be done for example by applying Windows Defender ASR rule "Block process creations originating from PSExec and WMI commands".
Anyway, it is not clear if blocking WMI commands could stop this malware, because it uses WMI only to detect a virtual machine. Blocking WMI will not give the attacker information that a virtual machine is present, so the malware can continue the infection chain (or not, depending on the attacker). Furthermore, the malware uses other methods to detect a virtual machine.


Blocking is also possible with OSA.
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
I wanted to show that there is this possibility.
Yes, that is one of the several methods of interacting with WMI. OSA can prevent some of these methods by blocking scripts, blocking/restricting script engines, blocking macros in popular document viewers/editors, applying the user's custom rules for executables, etc.
This can be very efficient prevention.

The malware from the article can be neutralized by the OSA anti-exploit prevention (for MS Office Word) that can block macros. The initial weaponized document triggers downloading/opening the second document with a macro. The macro downloads a JPG picture with an embedded binary payload, etc.
Of course, the malware can also be neutralized if the user sets Word to block macros without notifications (or does not allow macros).
 
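An added audit script (not from this thread or from OSA/Malwarebytes) that checks the two Word-side mitigations discussed in the posts above on a Windows host: the Word macro setting and the Defender ASR rule "Block process creations originating from PSExec and WMI commands". It assumes Office 16.0 registry paths and Microsoft Defender being present; the ASR rule GUID is Microsoft's documented one.

```powershell
# Added example, not the thread's own code. Assumes Office 16.0 (2016/2019/365);
# change $officeVersion for other releases. Run as an administrator for the ASR part.
$officeVersion = '16.0'

# 1. Word macro setting. VBAWarnings: 1 = enable all, 2 = disable with notification
#    (Word default; the user can still click "Enable Content"), 3 = disable except
#    digitally signed, 4 = disable all without notification (the setting the post recommends).
$paths = @(
    "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\Word\Security",  # GPO-managed, takes precedence
    "HKCU:\Software\Microsoft\Office\$officeVersion\Word\Security"            # per-user Trust Center setting
)
$vba = $null
foreach ($p in $paths) {
    $v = Get-ItemProperty -Path $p -Name VBAWarnings -ErrorAction SilentlyContinue
    if ($v) { $vba = $v.VBAWarnings; break }
}
$macroState = switch ($vba) {
    1       { 'Enable all macros (unsafe)' }
    2       { 'Disable with notification (user can still enable content)' }
    3       { 'Disable except digitally signed macros' }
    4       { 'Disable all macros without notification' }
    default { 'Not set (Word default: disable with notification)' }
}
"Word macros: $macroState"
# To enforce the recommended setting for the current user:
#   Set-ItemProperty -Path $paths[1] -Name VBAWarnings -Value 4 -Type DWord

# 2. ASR rule "Block process creations originating from PSExec and WMI commands".
#    Actions: 0 = off, 1 = block, 2 = audit, 6 = warn. Note Andy Ful's caveat: this rule
#    blocks child processes started through WMI; it does not stop an in-process
#    GetObject("winmgmts:") query made by a macro.
$asrId = 'd1e49aac-8f56-4280-b9ba-993a6d77406c'
$pref  = Get-MpPreference
$ids   = @($pref.AttackSurfaceReductionRules_Ids)
$asrState = 'not configured'
for ($i = 0; $i -lt $ids.Count; $i++) {
    if ($ids[$i] -ieq $asrId) { $asrState = $pref.AttackSurfaceReductionRules_Actions[$i]; break }
}
"ASR PSExec/WMI rule action: $asrState"
# To enable it in block mode:
#   Add-MpPreference -AttackSurfaceReductionRules_Ids $asrId -AttackSurfaceReductionRules_Actions Enabled
```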

Sampei Nihira

Level 6
Verified
Yes, that is one of the several methods of interacting with WMI. OSA can prevent some of these methods by blocking scripts, blocking/restricting script engines, blocking macros in popular document viewers/editors, applying the user's custom rules for executables, etc.
This can be very efficient prevention.

The malware from the article can be neutralized by the OSA anti-exploit prevention (for MS Office Word) that can block macros. The initial weaponized document triggers downloading/opening the second document with a macro. The macro downloads a JPG picture with an embedded binary payload, etc.
Of course, the malware can also be neutralized if the user sets Word to block macros without notifications (or does not allow macros).

Certainly OSA is protection software that guarantees a multilevel intervention.
The ability to write custom block rules, like the one I entered above, increases its value even more.
 

Sampei Nihira

Level 6
Verified
Does anyone know what this setting does in Malwarebytes for WMI?

Protection for Office WMI abuse: Protects against Microsoft Office macro exploits that use Windows Management Instrumentation (WMI).


P.S.
With these interventions of mine, I would not go too OT.
So sometimes I am rather reluctant to continue the discussion.

@Andy Ful

What do you say?
 

Andy Ful

Level 63
Verified
Trusted
Content Creator
Protection for Office WMI abuse: Protects against Microsoft Office macro exploits that use Windows Management Instrumentation (WMI).
...
@Andy Ful

What do you say?
Most probably it can block macros from interacting with WMI (including the GetObject method and blocking WMI tools via monitoring child processes). But I am not sure if all possible methods are covered. I never tested MBAE.

Home users should avoid MS Office, because it has many usable & convenient (but vulnerable) features. Sadly, many users have to use it because of the compatibility with documents in professional work.
 

Antus67

Level 9
Verified
Researchers say that JhoneRAT has various anti-detection techniques – including making use of Google Drive, Google Forms and Twitter.

Researchers are warning of a new remote access trojan (RAT), dubbed JhoneRAT, which is being distributed as part of an active campaign, ongoing since November 2019, that targets victims in the Middle East. Once downloaded, the RAT gathers information on the victims’ computers and is also able to download additional payloads.
Evidence shows that the attackers behind JhoneRAT have taken extra steps to ensure the RAT is being distributed to Arabic-speaking victims. Researchers note that the attackers have also made use of various cloud services, such as Google Drive and Google Forms, as part of the payload’s infection process.
“The campaign shows an actor that developed a homemade RAT that works in multiple layers hosted on cloud providers,” said researchers with Cisco Talos in a Thursday analysis. “JhoneRAT is developed in Python but not based on public source code, as is often the case for this type of malware. The attackers put great effort into carefully selecting the targets located in specific countries based on the victim’s keyboard layout.”
 