Researchers Unveil Technical Details About FIN7’s JSSLoader

  • Researchers dive deeper into how FIN7’s JSSLoader actually works as the RAT continually evolves.
  • While malware toolsets are a moving target, methods, tactics, and oftentimes infrastructure remain unchanged.
  • Closely monitoring the activities of hacking groups is still crucially important for security.

Actual details about the JSSLoader component used by the “FIN7” threat group, also referred to as “Carbanak,” have remained elusive even though the white-hat research community knows about its existence for a while now. Morphisec has finally analyzed the minimized .NET RAT (remote access tool), leveraging an opportunity that arose from a failed attack last month, and they are now in a position to share more about how it exfiltrates data, how it establishes persistence, what commands it supports, how it does auto-updating, and more.

The compromise begins with a phishing message leading to the downloading of a VBScript. This is what fetches the JSSLoader and executes it through a scheduled task to add the element of the time delay. The Morphisec researchers report that this VBScript is very similar to what is used by ongoing QBOT campaigns.

According to the analysis of the latest JSSLoader samples, the tool is tracking the target by first generating a unique ID of the victim, which is a combination of the computer’s serial number, computer name, and domain name. The anti-debugging is pretty minimalistic, using TickCount timing checks.

Source: Morphisec

Passing to the exfiltration of information, the RAT collects the following data and encodes them with base64 before they are sent to a preconfigured URL:

  • Host name
  • Domain name
  • User name
  • Running processes
  • System information (patches)
  • Desktop files
  • AD information
  • Logical drives
  • Network information
Source: Morphisec

Being a RAT, it supports remote command execution too, which can be delivered to it via a ‘Get’ command right from the C2 domain. There are multiple execution options, like commands to execute a file, pop a form, execute PowerShell in memory, write a DLL, exfiltrate data, activate the auto-update functionality, or even uninstall the JSSLoader, delete its persistence mechanisms, and terminate all processes.

Source: Morphisec

FIN7 is making a real effort to keep the JSSLoader component up to date and ever-evolving, and what is described above is the result of a long-term endeavor to develop the tool.

That said, while malware is indeed a moving target, adversaries like FIN7 are still following a set of tactics that don’t change much. So threats that derive from that group - and any group, for that matter - can always be fingerprinted and closely tracked.

Latest
How to Watch Shooting Stars Online from Anywhere
The Basketball legend and his old team used to be young men with big dreams entering the basketball world. But they endured...
How to Watch With Love Season 2 Online from Anywhere
It looks like With Love Season 2 is promising fans romance, drama, and loads of surprises for the Diaz family, starting with...
How to Watch Britain’s Got Talent 2023 Online Free: Live Stream BGT Season 16 From Anywhere
Britain's Got Talent returns in 2023 with a brand new awesome season, and you’ll be able to stream the show online from...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari