CISO2CISO.COM & CYBER SECURITY GROUP

JSSLoader – the shellcode edition

This white paper was authored by Hasherezade and the Malwarebytes Threat Intelligence team
The Malwarebytes Threat Intelligence team observed a malspam campaign in late June that we attribute to the FIN7 APT group. One of the samples was also reported on Twitter by Josh Trombley; during execution, it was observed to drop a secondary payload, written in .NET.
Details about FIN7 campaigns have been described, for example, by Mandiant in the article “FIN7 Power Hour: Adversary Archeology and the Evolution of FIN7”. Earlier this year, Morphisec and Secureworks described a new component used by this group, delivered in XLL format. That element was the first step in an attack chain leading to another malware, dubbed JSSLoader.
During our analysis, we found that the current malware used by FIN7 is yet another rewrite of JSSLoader, with expanded capabilities and new functions that include data exfiltration. In this white paper, we focus on the implementation details of the newly observed sample, provide a deep dive into its code, and compare it with earlier samples analyzed by other vendors.