A new Trojan selectively targets the Middle East by checking the victim's keyboard layout, and it evades URL blacklisting by abusing legitimate cloud services.
Security researchers at Cisco Talos said that the Remote Access Trojan (RAT), dubbed JhoneRAT, is actively spreading through Microsoft Office documents containing malicious macros.
The first document identified in the phishing campaign was named “Urgent.docx”; it asks the recipient, in English and Arabic, to enable editing. The second, “fb.docx,” claims to contain data on a Facebook information leak, and the third purports to come from a legitimate United Arab Emirates organization.
Once editing is enabled, the document downloads and executes an additional Office document that contains the malicious macro.
These documents are hosted on Google Drive “to avoid URL blacklisting.”
JhoneRAT itself is written in Python and is also delivered via Google Drive, which hosts image files with a base64-encoded binary appended after the end of the image data. Once such an image is fetched on a target machine, the appended payload is decoded and the Trojan deployed; it immediately begins collecting information about the victim's machine, including the machine type, disk serial number and operating system.
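The "image with a base64 binary appended" trick described above is easy to carve for analysis: the image format tells you where the picture legitimately ends, and everything after that is the payload. The following is an added example written for this page, not JhoneRAT's own code or anything from Talos; it walks PNG chunks to the IEND chunk (or finds the last JPEG end-of-image marker), then base64-decodes the trailer. The sample PNG and the payload bytes are constructed inline so the block runs offline.

```python
import base64
import binascii
import re
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_sample_png() -> bytes:
    """Constructed 1x1 8-bit grayscale PNG (signature + IHDR + IEND), no pixel data."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IEND", b"")


# Constructed stand-in for the appended binary; not a real executable.
SAMPLE_PAYLOAD = b"MZ\x90\x00 stand-in for an appended binary"


def build_sample(payload: bytes = SAMPLE_PAYLOAD) -> bytes:
    """Constructed lure: a valid PNG followed by base64 text, as the page describes."""
    return make_sample_png() + base64.b64encode(payload)


def image_end_offset(data: bytes) -> int:
    """Offset just past the image proper, or -1 if the format is not recognised."""
    if data.startswith(PNG_SIG):
        # Walk the chunk list rather than searching for b"IEND": compressed
        # IDAT data (or the base64 trailer itself) could contain those bytes.
        pos = len(PNG_SIG)
        while pos + 8 <= len(data):
            length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
            pos += 8 + length + 4          # header + data + CRC
            if ctype == b"IEND":
                return pos
        return -1
    if data.startswith(b"\xff\xd8"):
        # JPEG: last EOI marker. A base64 trailer is pure ASCII and can never
        # contain 0xFF, so rfind cannot land inside the appended payload.
        i = data.rfind(b"\xff\xd9")
        return -1 if i == -1 else i + 2
    return -1


def carve_appended_base64(data: bytes) -> Optional[bytes]:
    """Return the decoded payload appended after the image, or None if there is none."""
    end = image_end_offset(data)
    if end == -1 or end >= len(data):
        return None
    trailer = re.sub(rb"\s+", b"", data[end:])   # tolerate line-wrapped base64
    try:
        return base64.b64decode(trailer, validate=True)
    except (binascii.Error, ValueError):
        return None


if __name__ == "__main__":
    blob = build_sample()
    print("image ends at", image_end_offset(blob), "of", len(blob), "bytes")
    print("carved:", carve_appended_base64(blob))
```

On a real sample, run `carve_appended_base64` over the downloaded file and hand the result to your usual PE/ELF triage; a `None` result with a trailer present usually means the appended data is not plain base64 and deserves a closer look.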
For command and control (C2), the malware polls a public Twitter feed every 10 seconds for new commands. The handle @jhone87438316 was used originally, but that account has since been suspended.
Data exfiltration and tasking also run through cloud providers: ImgBB, Google Drive and Google Forms. Screenshots are uploaded to ImgBB, additional binaries are downloaded from Drive, and commands are executed with their output sent to Forms.
Targets are selected by filtering on the victim's keyboard layout: the malware only runs if it finds a layout associated with an Arabic-speaking country.
Cisco Talos says the campaign started in November 2019 and is still ongoing; it targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon.
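The keyboard-layout filter above is worth understanding precisely, both to reproduce the trigger in a sandbox and to see what a victim has to look like. On Windows a keyboard layout handle (HKL) carries a 16-bit language identifier in its low word, and the low 10 bits of that are the primary language (Arabic is 0x01); the upper bits distinguish the country-specific Arabic locales. The following is an added example, not JhoneRAT's code or Talos's analysis; the LANGID-to-country table is an assumption built from the standard Windows locale IDs for the countries the page lists (Jordan and Qatar are deliberately absent, since the page does not list them), and the page does not say exactly which identifiers the malware compares against.

```python
import ctypes
import sys
from typing import Iterable, List, Optional, Union

LANG_ARABIC = 0x01  # Windows primary language ID for Arabic

# Assumed mapping: standard Windows LANGIDs for the Arabic locales of the
# countries named in the article. Hypothetical as the malware's own list.
TARGET_LANGIDS = {
    0x0401: "Saudi Arabia", 0x0801: "Iraq",    0x0C01: "Egypt",   0x1001: "Libya",
    0x1401: "Algeria",      0x1801: "Morocco", 0x1C01: "Tunisia", 0x2001: "Oman",
    0x2401: "Yemen",        0x2801: "Syria",   0x3001: "Lebanon", 0x3401: "Kuwait",
    0x3801: "UAE",          0x3C01: "Bahrain",
}

Hkl = Union[int, str]


def langid_from_hkl(hkl: Hkl) -> int:
    """Low 16 bits of an HKL; accepts the hex string GetKeyboardLayoutName returns."""
    value = int(hkl, 16) if isinstance(hkl, str) else int(hkl)
    return value & 0xFFFF


def primary_language(langid: int) -> int:
    """PRIMARYLANGID(): the low 10 bits of a LANGID."""
    return langid & 0x3FF


def is_arabic_layout(hkl: Hkl) -> bool:
    """Broad check: any Arabic layout, regardless of country sublanguage."""
    return primary_language(langid_from_hkl(hkl)) == LANG_ARABIC


def targeted_country(hkl: Hkl) -> Optional[str]:
    """Narrow check: the country this layout maps to in TARGET_LANGIDS, if any."""
    return TARGET_LANGIDS.get(langid_from_hkl(hkl))


def filter_matches(hkls: Iterable[Hkl]) -> List[str]:
    """Countries matched by an installed-layout list; empty means 'would not run'."""
    hits = []
    for hkl in hkls:
        country = targeted_country(hkl)
        if country and country not in hits:
            hits.append(country)
    return hits


def installed_layouts() -> List[int]:
    """Installed HKLs via user32!GetKeyboardLayoutList; empty on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    count = user32.GetKeyboardLayoutList(0, None)
    buf = (ctypes.c_void_p * count)()
    user32.GetKeyboardLayoutList(count, buf)
    return [h or 0 for h in buf]


if __name__ == "__main__":
    # Constructed layout list: US English plus an IME-flagged Saudi Arabic layout.
    sample = installed_layouts() or [0x04090409, 0xF0010401]
    print("layouts:", [hex(h) for h in sample])
    print("filter would fire for:", filter_matches(sample) or "nobody")
```

The practical point is the gap between the two checks: an Arabic layout from a country outside the list (Jordan, 0x2C01, for instance) passes `is_arabic_layout` but not `targeted_country`, so a sandbox that merely adds "an Arabic keyboard" may still not detonate the sample. Add a layout from one of the listed countries instead, and note that the high bits of the HKL (IME and substitute flags) are ignored by the low-word extraction, exactly as `langid_from_hkl` does.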
The API key has now been revoked and the Twitter account suspended, but the attacker could easily create new accounts and update the hosted files to get the malware working again.