Pierluigi Paganini April 28, 2019

Experts observed several malspam campaigns using signed emails to deliver the GootKit banking Trojan (aka talalpek or Xswkit).

Threat actors leverage a multi-stage malware loader tracked as JasperLoader in the malspam campaigns over the past few months.

The JasperLoader was observed while distributing malware to targets from Central Europe, most of them in Italy and Germany.

The Gootkit banking Trojan was previously distributed by DanaBot, Neutrino exploit kit, and Emotet.

“Specifically, we’re tracking a loader known as “JasperLoader,” which has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries with a particular focus on Germany and Italy.” reads the analysis published by Cisco Talos. “JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult.”

The JasperLoader loader uses a multi-stage infection process that implements several obfuscation techniques to avoid detection. According to Cisco Talos experts, the JasperLoader loader was designed with resiliency and flexibility in mind.

The malspam campaigns detected by Cisco Talos that hit European countries use weaponized attachments containing either a Visual Basic for Applications (VBS) script or a DOCM documents with VBA macros.

Talos experts also noticed spam messages containing malicious JS downloaders.

The latest malspam campaigns observed by Talos use message signing to confirm the authenticity of the sender.

“Talos has identified several malicious campaigns making use of this type of message signing as a way to lend credibility to their messages and maximize the likelihood that potential victims will open the malicious attachments.” continues the analysis of the researchers.

The campaigns that targeted Italian users leverage legitimate certified email services such as Posta Elettronica Certificata (PEC).

“The choice to abuse certified email services such as PEC demonstrates that as attackers are always looking for new ways to lend credibility to their social engineering attacks.” continues Cisco Talos.

“In this case, abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader. “

The JasperLoader malware loader is used by threat actors to check targets geolocation and determine if a machine is in one of the countries targeted in the malspam campaign (i.e. Russia, Ukraine, Belarus, or People’s Republic of China).

Experts observed that the malware gains persistence by adding an LNK shortcut to itself to the Startup folder, in this way every time the system is rebooted the malware will be launched.

The JasperLoader is used by threat actors to update the loader, to run Powershell scripts, and, of course, to deliver the final Gootkit malware payload.

Further technical details, such as Indicators of compromise (IOCs), are included in the analysis published by Talos.

Pierluigi Paganini

(SecurityAffairs – malspam campaigns, JasperLoader)

[adrotate banner=”5″]

[adrotate banner=”13″]