Security researchers from Cisco Talos recently discovered a new version of remote access trojan (RAT), which attacks a victim’s device via malicious Microsoft Office documents. The RAT malware, tracked as “JhoneRAT”, was developed using Python and targeted a set of Middle East countries by checking keyboard layouts of the infected devices.
The researchers identified three malicious MS Office documents that were used to infect the device. The first document “Urgent.docx”, discovered in November 2019, asks the victim to enable English and Arabic-language editing. The second document named “fb.docx”, discovered in January 2020, claims to contain data on leaked Facebook accounts from 2019. The third document, found at the end of January 2020, contains blurred content and is alleged to be from a legitimate United Arab Emirates organization.
How JhoneRAT Works
Attackers trick the victims to click and download a malicious document from the internet. The malware then gets divided into multiple layers and each layer downloads a new malware payload. Once JhoneRAT is deployed, it gathers information from the victim’s cloud services like Google Drive, Twitter, ImgBB, and Google Forms.
Countries Attacked
According to the researchers, JhoneRAT targeted UAE, Saudi Arabia, Iraq, Libya, Algeria, Egypt, Morocco, Tunisia, Oman, Yemen, Syria, Kuwait, Bahrain, and Lebanon.
How to Prevent JhoneRAT
Hackers try to lure their victims into opening malicious documents by labeling it as “Urgent.docx” or “fb.docx” or other strange image files. It’s advised to avoid clicking such file extensions from unknown sources.
“The fact that this attacker decided to leverage cloud services and four different services—and not their own infrastructure—is smart from an opsec point of view. It is hard for the targets to identify legitimate and malicious traffic to cloud provider infrastructure. Moreover, this kind of infrastructure uses HTTPS and the flow is encrypted that makes man-in-the-middle interception more complicated for the defender. It is not the first time an attacker used only cloud providers,” the researchers said.
