Threat actors leverage a multi-stage malware loader tracked as JasperLoader in the
The JasperLoader was observed while distributing malware to targets from Central Europe, most of them in Italy and Germany.
“Specifically, we’re tracking a loader known as “JasperLoader,” which has been increasingly active over the past few months and is currently being distributed via malicious spam campaigns primarily targeting central European countries with a particular focus on Germany and Italy.” reads the analysis published by Cisco Talos. “
The JasperLoader loader uses a multi-stage infection process that implements several obfuscation techniques to avoid detection. According to Cisco Talos experts, the JasperLoader loader was designed with resiliency and flexibility in mind.
The malspam campaigns detected by Cisco Talos that hit European countries use weaponized attachments containing either a Visual Basic for Applications (VBS) script or a DOCM documents with VBA macros.
Talos experts also noticed spam messages containing malicious JS downloaders.
The campaigns that targeted Italian users leverage legitimate certified email services such as Posta Elettronica Certificata (PEC).
“The choice to abuse certified email services such as PEC demonstrates that as attackers are always looking for new ways to lend credibility to their social engineering attacks.” continues Cisco Talos.
“In this case, abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader. “
The JasperLoader malware loader is used by threat actors to check targets geolocation and determine if a machine is in one of the countries targeted in the malspam campaign (i.e. Russia, Ukraine, Belarus, or People’s Republic of China).
Experts observed that the malware gains persistence by adding an LNK shortcut to itself to the Startup folder, in this way every time the system is rebooted the malware will be launched.
The JasperLoader is used by threat actors to update the loader, to run Powershell scripts, and, of course, to deliver the final Gootkit malware payload.
Further technical details, such as Indicators of compromise (IOCs), are included in the analysis published by Talos.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.