fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Malicious Microsoft Excel A dd-ins used to deliver RAT malware

Malicious Microsoft Excel A dd-ins used to deliver RAT malware

Researchers report a new version of the JSSLoader remote access trojan being distributed malicious Microsoft Excel addins.

The particular RAT (remote access trojan) has been circulated in the wild since December 2020, linked to the financially-motivated Russian hacking group FIN7, also known as “Carbanak.”

JSSLoader is a small, lightweight RAT that can perform data exfiltration, establish persistence, fetch and load additional payloads, auto-update itself, and more.

Excel add-ins

The latest campaign involving a stealthier new version of JSSLoader was observed by threat analysts at Morphisec Labs, who say the delivery mechanism is currently phishing emails with XLL or XLM attachments.

Abuse of Excel XLL add-ins isn’t new, as they are commonly used for legitimate purposes, such as importing data into a worksheet or extending the functionality of Excel.

In the ongoing campaign, however, the threat actors use an unsigned file, so Excel will show the victim a clear warning about the risks of executing it.

Also Read: How Does Ransomware Work? Examples and Defense Tips

Warning about unsigned XLL file
Security warning about unsigned XLL file
​​​​​​​(Morphisec)

When enabled, the XLL files use malicious code inside an xlAutoOpen function to load itself into memory and then download the payload from a remote server and execute it as a new process via an API call.

Malware loading and execution flow
Malware loading and execution flow (Morphisec)

More sophisticated obfuscation

The threat actor regularly refreshes the User-Agent on the XLL files to evade EDRs that consolidate detection information from the entire network.

Also Read: How to Choose the Best Penetration Testing Vendor

Changing the User-Agent on each XLL sample
Changing the User-Agent on each XLL sample (Morphisec)

Compared to older versions, the new JSSLoader has the same execution flow, but it now comes with a new layer of string obfuscation that includes renaming all functions and variables.

String obfuscation added on the new version
String obfuscation added on the new JSSLoader (Morphisec)

To evade detection from string-based YARA rules used by defenders, the new RAT has split the strings into sub-strings and concatenates them at runtime.

Strings comparison between new and old versions
Strings comparison between new and old versions (Morphisec)

Finally, the string decoding mechanism is simple so as to leave a minimal footprint and reduce the chances of being detected by static threat scanners.

Morphisec reports that these new additions combined with the XLL file delivery are enough to prevent detection from next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions challenging or even implausible.

This enables FIN7 to move in the compromised network undeterred for several days or weeks before the defenders load matching signatures on tools that complement AI-based detection solutions.

FIN7 is a resourceful threat group that has previously delivered malware-laced USBs alongside teddy bear gifts, attempted to hire network penetration experts by posing as a legitimate security firm, and sent ransomware-carrying USBs via post mail.

The new and stealthier version of JSSLoader is only one part of their arsenal, helping them hide in networks for longer without being detected and stopped.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us