Researchers Unveil Technical Details About FIN7’s JSSLoader

  • Researchers dive deeper into how FIN7’s JSSLoader actually works as the RAT continually evolves.
  • While malware toolsets are a moving target, methods, tactics, and oftentimes infrastructure remain unchanged.
  • Closely monitoring the activities of hacking groups is still crucially important for security.

Actual details about the JSSLoader component used by the “FIN7” threat group, also referred to as “Carbanak,” have remained elusive even though the white-hat research community knows about its existence for a while now. Morphisec has finally analyzed the minimized .NET RAT (remote access tool), leveraging an opportunity that arose from a failed attack last month, and they are now in a position to share more about how it exfiltrates data, how it establishes persistence, what commands it supports, how it does auto-updating, and more.

The compromise begins with a phishing message leading to the downloading of a VBScript. This is what fetches the JSSLoader and executes it through a scheduled task to add the element of the time delay. The Morphisec researchers report that this VBScript is very similar to what is used by ongoing QBOT campaigns.

According to the analysis of the latest JSSLoader samples, the tool is tracking the target by first generating a unique ID of the victim, which is a combination of the computer’s serial number, computer name, and domain name. The anti-debugging is pretty minimalistic, using TickCount timing checks.

Source: Morphisec

Passing to the exfiltration of information, the RAT collects the following data and encodes them with base64 before they are sent to a preconfigured URL:

  • Host name
  • Domain name
  • User name
  • Running processes
  • System information (patches)
  • Desktop files
  • AD information
  • Logical drives
  • Network information
Source: Morphisec

Being a RAT, it supports remote command execution too, which can be delivered to it via a ‘Get’ command right from the C2 domain. There are multiple execution options, like commands to execute a file, pop a form, execute PowerShell in memory, write a DLL, exfiltrate data, activate the auto-update functionality, or even uninstall the JSSLoader, delete its persistence mechanisms, and terminate all processes.

Source: Morphisec

FIN7 is making a real effort to keep the JSSLoader component up to date and ever-evolving, and what is described above is the result of a long-term endeavor to develop the tool.

That said, while malware is indeed a moving target, adversaries like FIN7 are still following a set of tactics that don’t change much. So threats that derive from that group - and any group, for that matter - can always be fingerprinted and closely tracked.

Latest
How to Watch Grammys 2023 Online: Live Stream the Awards from Anywhere
The 2023 Grammys are around the corner, and you will find the date, time, performers, presenters, host, nominees, and everything else you...
Italy vs. France Live Stream: How to Watch Six Nations 2023 Online from Anywhere
Excitement among spectators has reached new heights as the Six Nations Rugby Championship 2023 draws near. France, the reigning champs, will get...
How to Watch ‘Murf the Surf: Jewels, Jesus, and Mayhem in the USA’ Online from Anywhere
Murf the Surf is a 2023 true-crime docuseries that pulls back the curtain on America's most infamous jewel thief, Jack Roland Murphy....
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari