Cybercrime , Cybercrime as-a-service , Fraud Management & Cybercrime

Researchers Identify New Malware Loader Variant

Proofpoint: Cybercrime Group Spreading JSSLoader
Researchers Identify New Malware Loader Variant

The security firm Proofpoint says a cybercrime group that it calls "TA543" is deploying a new variant of a malware loader to target victims as part of a phishing campaign.

See Also: Check Kiting In The Digital Age

JSSLoader was first identified by Proofpoint researchers in 2019 as it was being spread by attackers as part of an email campaign. The malware was often dropped as a first- or second-stage malware to target victims. The strain had been inactive since May, Proofpoint says in a new report.

The malware apparently has make a comeback with some changes, which include being compiled in C++ programming language rather than .NET, researchers say.

"The campaigns are ongoing and use similar lures to those initially observed by Proofpoint researchers in 2019," typically focusing on invoices and package delivery information, the report notes.

The campaigns have attempted to target hundreds of organizations across a wide range of industries, including finance, manufacturing, technology, retail, healthcare, education and transportation, Proofpoint says.

Latest Campaign

The TA543 group's campaign using the new loader began on June 8 with the attackers sending malicious phishing emails that appear to come from United Parcel Service. The emails notified the victims that they have an undelivered parcel due to a wrong address. The links within these emails directed the victims to a landing page that contains a Windows Scripting File hosted on SharePoint.

"If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader," the report says.

Similar Campaigns

Proofpoint says attackers generally deploy new malware loader variants or tweak existing ones as a means to avoid detection.

For instance, a May report by Proofpoint uncovered a campaign that deployed a version of the Buer first-stage malware loader that was rewritten in the Rust programming language and was capable of exfiltrating sensitive information (see: Buer Dropper Malware Updated Using Rust).

A report by security firm Cisco Talos in March described how ransomware groups are deploying Trojan loaders as part of phishing campaigns (see: Ransomware-Wielding Gangs Love to Phish With Trojan Loaders).

Prior to this, Russian hacking group Turla deployed an IronPython-based malware loader called "IronNetInjector" as part of a new campaign, Palo Alto's Unit 42 reported (see: Russian Hacking Group Deploys IronPython Malware Loader).

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.