Researchers Identify New Malware Loader Variant

A cybercrime group tracked as TA543 by security firm Proofpoint is deploying a new variant of a malware loader to target victims as part of a phishing campaign, the company reports.

See Also: Live Panel | Zero Trusts Given- Harnessing the Value of the Strategy

JSSLoader was first identified by Proofpoint researchers in 2019 after it was being spread by attackers as part of an email campaign. The malware is often dropped as a first or second stage malware to target victims, however, this strain had remained inactive since May this year, the report says.

With the identification of the new JSSLoader, the researchers note the strain has appeared to make a comeback with some changes, which include the malware being complied in C++ programming language.

“This version of the malware loader was rewritten from .NET to the C++ programming language,” the report says. “The campaigns are ongoing and use similar lures to those initially observed by Proofpoint researchers in 2019,” typically focusing on invoices and package delivery information.

The report further notes the campaigns have attempted to target hundreds of organizations across a wide range of industries, including finance, manufacturing, technology, retail, healthcare, education and transportation.

Latest Campaign

The TA543’s campaign using the new loader began on June 8 with the attackers sending malicious phishing emails that appear to come from the United Parcel Service. The emails notified the victims that they have an undelivered parcel due to a wrong address. The links within these emails then directed the victims to a landing page that contains a Windows Scripting File hosted on SharePoint.

“If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader,” the report says.

Similar Campaigns

Proofpoint says attackers generally deploy new malware loader variants or tweak the existing ones as means to avoid detection.

For instance, a May report by Proofpoint uncovered a campaign that deployed a version of the Buer first-stage malware loader that was rewritten in the Rust programming language which was capable of exfiltrating sensitive information (see: Buer Dropper Malware Updated Using Rust).

A report by security firm Cisco Talos in March described how ransomware groups are deploying Trojan loaders to as part of phishing campaigns (see: Ransomware-Wielding Gangs Love to Phish With Trojan Loaders).

Prior to this, Russian hacking group Turla deployed an IronPython-based malware loader called “IronNetInjector” as part of a new campaign, Palo Alto’s Unit42 reported (see: Russian Hacking Group Deploys IronPython Malware Loader).