Researchers at Cisco Talos have revealed a new remote access Trojan that is targeting specific nations in the Middle East and North Africa (MENA) region. Dubbed “JhoneRAT,” the malicious software is coded in Python and has been found in the following countries: Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon. As stated in Talos’ blog post, JhoneRAT seeks to gather sensitive data and then upload it to multiple cloud services, including Google Drive, Twitter, ImgBB and Google Forms. Remote access Trojans typically target Windows users, which is the case here, but Mac users are not immune.
JhoneRAT is transmitted via a malicious document and its goal, according to Cisco Talos, is to “gather information on the victim’s machine.” Cisco Talos describes how it functions in more detail:
Everything starts with a malicious document using a well-known vulnerability to download a malicious document hosted on the internet. For this campaign, the attacker chose to use a cloud provider (Google) with a good reputation to avoid URL blacklisting. The malware is divided into a couple of layers — each layer downloads a new payload on a cloud provider to get the final RAT developed in Python and that uses additional providers such as Twitter and ImgBB.
Multiple documents have been found in the campaign so far. The first is a docx file that releases its payload once the victim enables editing, believing that doing so will let them see the document contents. The second docx document used in the JhoneRAT campaign supposedly gives users the names and passwords of leaked Facebook accounts. The final and most recent document blurs its contents and, like the first document, asks the user to enable editing to see the contents.
While it seems like common sense to avoid getting infected by the JhoneRAT remote access Trojan, it is proving to be a threat in the MENA region. As of this article’s writing, the unidentified threat actor is still assumed to be active. The Twitter account they used has been suspended and the API key for Google Drive has been revoked. This particular RAT shows just how effective a single person can be with malicious software deployed en masse.