  • JasperLoader is back, improved, better hidden, and more persistent than it was a couple of weeks ago.
  • The malware excludes systems whose language is Chinese, Russian, Ukrainian, or Belarusian, and it also refuses to run inside virtual machines.
  • The decoy documents are in Italian, and several different themes are currently in use.

The JasperLoader malware loader is a problem that is here to stay, plaguing European countries with banking trojans and constituting a key link in the infection chains that malicious actors set up in their various campaigns. Researchers from Cisco Talos have discovered a new version of JasperLoader that appeared after a couple of weeks of inactivity, during which its developers were evidently busy working on it. The latest version features several improvements over the previous one, concerning the delivery mechanism, the functionality, the obfuscation, the geolocation filtering, the sandbox detection, and the persistence mechanisms.

[Image: JasperLoader email message. Image source: blog.talosintelligence.com]

Starting with delivery, it still happens via email sent through certified Italian email services. What has changed is that the message no longer carries an attachment but a hyperlink. The URL sends the visitor on a chain of redirections that ends either at the payload downloader or at the website of the “Chinese Internet Network Information Center”. The latter happens only when the geolocation filter intervenes, which is the case for systems whose language is set to Chinese, Russian, Ukrainian, or Belarusian. This says something about the origin of JasperLoader’s creators. When the researchers used an Italian IP address, the malware was fully activated.

[Image: JasperLoader decoy document. Image source: blog.talosintelligence.com]

The additional layers of obfuscation hide the infection better and are now achieved through character replacement and runtime calculations that reconstruct the PowerShell instructions on the fly. As for checking the environment, JasperLoader now tests whether it is running inside KVM, VirtualBox, or VMware, and stops the infection process if it finds that it is. Finally, as far as persistence is concerned, JasperLoader not only creates a shortcut in the Windows Startup folder as before, but also creates a scheduled task, ensuring that it is relaunched periodically no matter what.
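The two persistence locations named above (a Startup-folder shortcut and a scheduled task) and the obfuscation style described (character replacement and runtime reconstruction of PowerShell) give a defender something concrete to hunt for. The following script is an added example written for this article, not code from Cisco Talos or from the malware: it takes an inventory of persistence entries (the sample entries are constructed for illustration, as is the hypothetical `SQBF…` encoded payload) and flags the ones that launch PowerShell with several of the obfuscation indicators the article mentions. The indicator patterns and the threshold are assumptions of this example, not a published detection signature.

```python
"""Hunt persistence entries for obfuscated PowerShell launchers.

Added example for this article (not Talos or malware code).  The entries
below are constructed samples in the shape an inventory tool might export
from the Windows Startup folder and the Task Scheduler: (source, command line).
"""
import base64
import binascii
import re

# Constructed sample inventory.  The first two entries imitate the persistence
# style described in the article; the last two are benign Windows entries.
SAMPLE_ENTRIES = [
    ("startup:updater.lnk",
     "powershell.exe -w hidden -ep bypass -c \"$s='p0wershell'.Replace('0','o');"
     "iex ([char]105+[char]101+[char]120)\""),
    ("task:\\WindowsUpdateCheck",
     # Hypothetical payload: UTF-16LE base64 of "IEX (New-Object"
     "powershell.exe -NoP -NonI -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ("startup:OneNote.lnk",
     "C:\\Program Files\\Microsoft Office\\root\\Office16\\ONENOTE.EXE"),
    ("task:\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "%windir%\\system32\\defrag.exe -c -h -o -$"),
]

POWERSHELL = re.compile(r"powershell(\.exe)?", re.I)
# -e / -enc / -EncodedCommand followed by a base64 blob (capture group 1).
ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)

# Heuristic indicators (assumptions of this example), chosen to match the
# obfuscation the article describes: character replacement and runtime
# reconstruction of PowerShell instructions, plus common launcher flags.
INDICATORS = {
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-e(xecutionpolicy|p)\s+bypass", re.I),
    "encoded_command": ENCODED,
    "char_replace": re.compile(r"\.Replace\(", re.I),
    "char_arith": re.compile(r"\[char\]\s*\d+", re.I),
    "invoke_expression": re.compile(r"\biex\b|Invoke-Expression", re.I),
}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE base64), or ''."""
    m = ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except (binascii.Error, ValueError):
        return ""


def score_entry(source, cmdline):
    """Return (launches_powershell, sorted indicator names) for one entry.

    The decoded -EncodedCommand payload is scanned too, so an encoded
    'IEX ...' still counts as an Invoke-Expression indicator.
    """
    if not POWERSHELL.search(cmdline):
        return False, []
    text = cmdline + "\n" + decode_encoded_command(cmdline)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return True, hits


def hunt(entries, threshold=2):
    """Flag PowerShell-launching entries with at least `threshold` indicators."""
    findings = []
    for source, cmdline in entries:
        launches_ps, hits = score_entry(source, cmdline)
        if launches_ps and len(hits) >= threshold:
            findings.append((source, hits))
    return findings


if __name__ == "__main__":
    for source, hits in hunt(SAMPLE_ENTRIES):
        print(f"{source}: {', '.join(hits)}")
```

Feeding the script a real export (for example the target of every `.lnk` in the Startup folders and the action of every scheduled task) rather than the constructed sample turns it into a quick triage pass; the threshold keeps a lone `-WindowStyle hidden` in a legitimate admin task from being reported on its own.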

So, JasperLoader has become smarter, more capable, better hidden, and more persistent. All this means is that people should be even more careful with unsolicited email messages. Don’t click on hyperlinks just to see what’s there, and don’t open documents with macros enabled. Finally, keep your system and all of your applications (especially your AV solution) up to date.

Have you received any unsolicited messages in Italian during the past week? Can you share the document with us? Comment in the section down below, and help us spread the word of warning by sharing this post through our socials, on Facebook and Twitter.