Researchers Disclose Details of FIN7 Hacking Group's MalwareReport Dissects JSSLoader Remote Access Trojan
Researchers at Morphisec Labs have published fresh details about a malware variant called JSSLoader that the FIN7 hacking group has used for several years.
Although FIN7 is suspected of using JSSLoader during several campaigns, details about the malware have been elusive. During a failed attack in December, however, the Morphisec researchers recovered a version of this remote access Trojan, which is written in the .NET programming language.
"Though JSSLoader is well known as a minimized .NET RAT, not many details have been publicly available with respect to various capabilities such as exfiltration, persistence, auto-update, malware downloading and more," the researchers note in their analysis. "Furthermore, in the many occasions where JSSLoader is mentioned, there are few details on the complete attack chain."
FIN7 is a financially motivated hacking group that is believed to operate from Eastern Europe and is known to use spear-phishing attacks to target victims. The group also changes its techniques regularly to avoid detection, according to security researchers who have studied the group (see: The Art of the Steal: FIN7's Highly Effective Phishing).
In the U.S., the hacking group allegedly stole more than 15 million customer payment card records from more than 6,500 point-of-sale terminals at about 3,600 business locations, according to the U.S. Department of Justice, which charged three of the group's members with federal crimes in 2018.
After the unsuccessful attack in December, the Morphisec researchers examined how FIN7 uses JSSLoader as part of its campaigns. The attack starts with a phishing email that downloads a VBScript, according to the report.
A second VBScript is then downloaded into the infected device's memory, which then attempts to download and install the main JSSLoader payload, the report notes.
"The in-memory script downloads and writes a .NET module (JSSLoader) on disk, then executes the module through a scheduled task with a newly introduced timeout delay to bypass attack chain monitoring," according to the Morphisec researchers.
The report also notes that the use of VBScript to launch the attack is similar to how the Qbot banking Trojan has been spreading over the last several months, including being used as a dropper for secondary malware such as ransomware (see: Qbot Banking Trojan Now Deploying Egregor Ransomware).
JSSLoader functions as a RAT and seeks to collect information about the compromised device, including hostname, domain name, username, running processes, and system information such as patches, desktop files, Active Directory information, logical drives and network information, according to the report.
The researchers also note that JSSLoader connects to a command-and-control server hosted by a company called "FranTech Solutions" that's been used by the FIN7 group.
Any data collected by the JSSLoader RAT is then collected and encrypted with a base64 algorithm before it's sent to the hackers. The report also notes that the malware creates a unique identification for each compromised device that is a combination of the device's serial number, name and domain name.
JSSLoader can also carry out a series of commands, including executing a PowerShell script in memory, writing a Dynamic Link Library file and executing a function that will uninstall the malware and terminate all other functions, according to the report. The Trojan also can launch a Cobalt Strike beacon.
While the Morphisec report does not name the victim of the FIN7 attack that led to uncovering the JSSLoader RAT, the hacking group has targeted the hospitality industry to steal payment card data (see: Accused Ringleader of FIN7 Hacking Group Pleads Guilty ).