Hackers targeting Arabic-speaking countries with malicious Microsoft Office documents

Security researchers with Cisco's Talos Security Intelligence and Research Group discovered a new type of malware, which is able to attack a victim's devices through malicious Microsoft Office documents.

The malware is a Remote Access Trojan, also known as a RAT, that Talos analysts Warren Mercer, Paul Rascagneres, Vitor Ventura, and Eric Kuhla named "JhoneRAT" because it checks for new commands in the tweets from the handle @jhone87438316. The handle was suspended by Twitter, but JhoneRAT looks for new commands every 10 seconds using and HTML parser to identify new tweets.

In a blog post and an email interview, Rascagneres and the Talos team explained that this malware has been used specifically to target people and systems in Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon.

"We don't know why specifically these countries, the attackers simply hardcoded these countries in the malware. The attackers had complete control of the compromised systems. The purpose of the campaigns were cyber espionage," Rascagneres said.

SEE: Internet and email usage policy (TechRepublic Premium)

Cyberattackers have used JhoneRAT since November and little has changed in their tactics since then, according to Rascagneres.

How JhoneRAT works

When JhoneRAT is deployed, it tries to gather information on the victim's machine and then uses multiple cloud services like Google Drive, Twitter, ImgBB, and Google Forms before attempting to download more payloads and upload any information gathered during the reconnaissance phase.

Talos researchers could tell from the code that JhoneRAT was developed using Python and that the people behind it specifically targeted each country "based on the victim's keyboard layout."

"Everything starts with a malicious document using a well-known vulnerability to download a malicious document hosted on the internet. For this campaign, the attacker chose to use a cloud provider (Google) with a good reputation to avoid URL blacklisting. The malware is divided into a couple of layers - each layer downloads a new payload on a cloud provider to get the final RAT developed in Python and that uses additional providers such as Twitter and ImgBB," Talos researchers wrote in their blog post.

"This RAT is a good example of how a highly focused attack that tries to blend its network traffic into the crowd can be highly effective. In this campaign, focusing detection of the network is not the best approach. Instead, the detection must be based on the behaviour on the operating system. Attackers can abuse well-known cloud providers and abuse their reputations in order to avoid detection," the blog continued.

SEE: 10 ways to minimize fileless malware infections (free PDF) (TechRepublic)

How to protect yourself from a RAT

Attackers are able to lure their victims into opening the documents by labelling it "Urgent.docx" or "fb.docx" as well as other strange image files. Despite the API key being revoked, and the Twitter account being suspended, the attacker can still deploy the RAT with new accounts.

In their blog post, the Talos researchers noted that the people behind the attack used anti-VM and anti-analysis tricks to hide their actions, which reinforces the need for security systems that could do more than just network-based detection

"Concerning the campaign, everything starts with a malicious Office document. We recommend not opening documents from unknown senders. Additionally, the users should be careful when Office asks to enable Macro ("Enable Content" button). We recommend to not enable them, and we recommend the companies to enforce this policy. Endpoint protection is also important for detection for these campaigns," Rascagneres added.

"In these campaigns, the attackers used cloud providers, that's why network protection and detection is not efficient. It demonstrates that endpoint protection is mandatory in addition to the other detection mechanisms that the companies are already put in place."

Also see