Researchers Unveil Technical Details About FIN7’s JSSLoader

Written by Bill Toulas
Last updated June 23, 2021

Actual details about the JSSLoader component used by the “FIN7” threat group, also referred to as “Carbanak,” have remained elusive even though the white-hat research community knows about its existence for a while now. Morphisec has finally analyzed the minimized .NET RAT (remote access tool), leveraging an opportunity that arose from a failed attack last month, and they are now in a position to share more about how it exfiltrates data, how it establishes persistence, what commands it supports, how it does auto-updating, and more.

The compromise begins with a phishing message leading to the downloading of a VBScript. This is what fetches the JSSLoader and executes it through a scheduled task to add the element of the time delay. The Morphisec researchers report that this VBScript is very similar to what is used by ongoing QBOT campaigns.

According to the analysis of the latest JSSLoader samples, the tool is tracking the target by first generating a unique ID of the victim, which is a combination of the computer’s serial number, computer name, and domain name. The anti-debugging is pretty minimalistic, using TickCount timing checks.

Source: Morphisec

Passing to the exfiltration of information, the RAT collects the following data and encodes them with base64 before they are sent to a preconfigured URL:

Source: Morphisec

Being a RAT, it supports remote command execution too, which can be delivered to it via a ‘Get’ command right from the C2 domain. There are multiple execution options, like commands to execute a file, pop a form, execute PowerShell in memory, write a DLL, exfiltrate data, activate the auto-update functionality, or even uninstall the JSSLoader, delete its persistence mechanisms, and terminate all processes.

Source: Morphisec

FIN7 is making a real effort to keep the JSSLoader component up to date and ever-evolving, and what is described above is the result of a long-term endeavor to develop the tool.

That said, while malware is indeed a moving target, adversaries like FIN7 are still following a set of tactics that don’t change much. So threats that derive from that group - and any group, for that matter - can always be fingerprinted and closely tracked.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: