A new Trojan named JhoneRAT appeared in the threat landscape, it is selectively attacking targets in the Middle East by checking keyboard layouts.
The malware targets a very specific set of Arabic-speaking countries, including Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon.
“Today, Cisco Talos is unveiling the details of a new RAT we have
The experts discovered that the RAT is distributed via weaponized Office documents, it leverages multiple cloud services (i.e. Google Drive, Twitter, ImgBB and Google Forms) to avoid detection.
The JhoneRAT is written in Python, it attempts to download additional payloads and upload the information gathered during the reconnaissance phase.
The second document named “fb.docx” is dated January and claims to contain data on a Facebook information leak. The third document found in the mid-January pretends to be from a legitimate United Arab Emirate organization.
The additional Office documents loaded and executed by the JhoneRAT are hosted through Google Drive in the attempt to avoid URL blacklisting.
The malware used Twitter as C2 while
When communicating with its command-and-control server (C2) in order to
“This RAT uses three different cloud services to perform all its command and control (C2) activities. It checks for new commands in the tweets from the handle @jhone87438316 (suspended by Twitter) every 10 seconds using the BeautifulSoup HTML parser to identify new tweets.” continues the analysis. “These commands can be issued to a specific victim based on the UID generated on each target (by using the disk serial and contextual information such as the hostname, the antivirus and the OS) or to all of them.”
Experts pointed out that stolen data are
“The attacker put a couple of tricks in place to avoid execution on virtual machines (sandbox). The first trick is the check of the serial number of the disk. The actor used the same technique in the macro and in the JhoneRAT. By default, most of the virtual machines do not have a serial number on the disk.” continues the analysis.
“The attacker used a second trick to avoid analysis of the Python code. The actor used the same trick that FireEye in the Flare-On 6: Challenge 7: They removed the header of the Python bytecode.”
According to the experts, the campaign is still ongoing, even if the Twitter account is suspended, attackers can easily create new accounts and use them in the same way.
“This campaign shows a threat actor interested in specific Middle Eastern and Arabic-speaking countries. It also shows us an actor that puts effort in
The analysis published by Talos contains additional technical details, including Indicators of Compromise.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.