Researchers Identify New Malware Loader Variant
Proofpoint: Cybercrime Group Spreading JSSLoader
The security firm Proofpoint says a cybercrime group that it calls "TA543" is deploying a new variant of a malware loader to target victims as part of a phishing campaign.
JSSLoader was first identified by Proofpoint researchers in 2019, when attackers were spreading it as part of an email campaign. The malware was often dropped as a first- or second-stage payload against targeted victims. The strain had been inactive since May, Proofpoint says in a new report.
The malware has apparently made a comeback with some changes, including being compiled in the C++ programming language rather than .NET, the researchers say.
"The campaigns are ongoing and use similar lures to those initially observed by Proofpoint researchers in 2019," typically focusing on invoices and package delivery information, the report notes.
The campaigns have attempted to target hundreds of organizations across a wide range of industries, including finance, manufacturing, technology, retail, healthcare, education and transportation, Proofpoint says.
The TA543 group's campaign using the new loader began on June 8, with the attackers sending malicious phishing emails that appeared to come from United Parcel Service. The emails told the victims that a parcel could not be delivered because of a wrong address. The links within these emails directed the victims to a landing page containing a Windows Script File hosted on SharePoint.
"If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader," the report says.
Proofpoint says attackers generally deploy new malware loader variants, or tweak existing ones, to evade detection.
For instance, a May report by Proofpoint uncovered a campaign that deployed a version of the Buer first-stage malware loader that was rewritten in the Rust programming language and was capable of exfiltrating sensitive information (see: Buer Dropper Malware Updated Using Rust).
A report by security firm Cisco Talos in March described how ransomware groups are deploying Trojan loaders as part of phishing campaigns (see: Ransomware-Wielding Gangs Love to Phish With Trojan Loaders).
Prior to this, Russian hacking group Turla deployed an IronPython-based malware loader called "IronNetInjector" as part of a new campaign, Palo Alto's Unit 42 reported (see: Russian Hacking Group Deploys IronPython Malware Loader).