JhoneRAT exploits cloud services to attack Middle Eastern countries

Google Drive, Twitter, ImgBB and Google Forms are being abused in the name of data theft.
Written by Charlie Osborne, Contributing Writer

A new Trojan on the scene selectively attacks targets in the Middle East by checking keyboard layouts, and attempts to avoid blacklisting by abusing cloud services.

On Thursday, cybersecurity researchers from Cisco Talos said that the Remote Access Trojan (RAT), dubbed JhoneRAT, is actively spreading through Microsoft Office documents containing malicious macros. 

The first of the documents identified through phishing campaigns, named "Urgent.docx," asks the recipient to enable editing in English and Arabic. The second, "fb.docx," claims to contain data on a Facebook information leak, and the third pretends to be from a legitimate United Arab Emirates organization.

In each case, if editing is enabled, an additional Office document containing a malicious macro is loaded and executed.

These documents are hosted through Google Drive "to avoid URL blacklisting," the team says. 

JhoneRAT is written in Python and is dropped through Google Drive, which hosts images with a base64-encoded binary appended at the end. Once loaded onto a susceptible machine, these images deploy the Trojan, which immediately begins harvesting information from the victim's machine, including machine type, disk serial numbers, the operating system in use, and more.
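Defenders can check for this delivery trick directly: an image file that carries a base64 blob after its end-of-image marker. The following is an added example, not code from the Talos report or from the malware; it walks a PNG's chunk list to IEND (or finds a JPEG's EOI marker), flags any trailing base64 and reports whether it decodes to something with a Windows executable (MZ) header. The sample images are constructed inline.

```python
import base64
import re
import struct

JPEG_SIG = b"\xff\xd8"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")

def trailing_data(image: bytes) -> bytes:
    """Return whatever follows the format's end-of-image marker (b'' if nothing)."""
    if image.startswith(PNG_SIG):
        pos = len(PNG_SIG)
        while pos + 8 <= len(image):                  # walk the chunk list to IEND
            length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
            pos += 8 + length + 4                     # header + data + CRC
            if ctype == b"IEND":
                return image[pos:]
        return b""                                    # truncated or malformed PNG
    if image.startswith(JPEG_SIG):
        eoi = image.rfind(b"\xff\xd9")                # base64 text never contains 0xFF,
        return image[eoi + 2:] if eoi != -1 else b""  # so the last EOI is the real one
    return b""

def decode_if_base64(blob: bytes, min_len: int = 64):
    """Decode blob if it is a plausible base64 payload, otherwise return None."""
    text = b"".join(blob.split())                     # tolerate line breaks
    if len(text) < min_len or len(text) % 4 or not B64_RE.match(text):
        return None
    try:
        return base64.b64decode(text, validate=True)
    except ValueError:
        return None

def inspect_image(image: bytes) -> dict:
    """Summarise trailing data; 'decoded_is_pe' flags an MZ (Windows executable) header."""
    tail = trailing_data(image)
    payload = decode_if_base64(tail)
    return {"trailing_bytes": len(tail), "base64_payload": payload is not None,
            "decoded_size": len(payload) if payload else 0,
            "decoded_is_pe": bool(payload) and payload[:2] == b"MZ"}

# Constructed samples, not real artefacts: a minimal JPEG and PNG, plus a poisoned JPEG.
CLEAN_JPEG = JPEG_SIG + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"
CLEAN_PNG = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17 + b"\x00\x00\x00\x00IEND\xaeB`\x82"
FAKE_BINARY = b"MZ" + b"\x90" * 120                   # stand-in for the dropped binary
POISONED_JPEG = CLEAN_JPEG + base64.b64encode(FAKE_BINARY)

if __name__ == "__main__":
    print(inspect_image(CLEAN_JPEG), inspect_image(POISONED_JPEG))
```

Trailing data alone is not proof of malice (some cameras and editors append metadata), so treat a hit as a triage signal and inspect the decoded bytes.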

For command-and-control (C2), the Trojan checks a public Twitter feed for new commands every 10 seconds. The handle @jhone87438316 was used originally, but this account has since been suspended.

"These commands can be issued to a specific victim based on the UID generated on each target (by using the disk serial and contextual information such as the hostname, the antivirus and the OS) or to all of them," the researchers say. 

The actual theft of data, however, is carried out through the cloud services ImgBB, Google Drive and Google Forms: screenshots are uploaded to ImgBB, binaries are downloaded from Drive, and commands are executed with their output sent to Forms.

An interesting facet of the malware is how targets are selected. Filtering has been implemented based on a victim's keyboard layout, and the malware will only execute against those in Arabic-speaking countries. 

Cisco Talos says that JhoneRAT targets Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon. 

"This campaign started in November 2019 and it is still ongoing," the researchers say. "At this time, the API key is revoked and the Twitter account is suspended. However, the attacker can easily create new accounts and update the malicious files in order to still work."

Another unusual Trojan currently under review by threat researchers is Faketoken. Faketoken began as bolt-on malware used by traditional desktop Trojans to intercept verification codes sent to mobile devices when victims attempted to log in to online accounts, and has since evolved into a standalone financial threat.

Recently, a Faketoken campaign demonstrated odd behavior: the hijacking of a mobile device's messaging functions to send offensive text messages.

Cybersecurity researchers are at a loss to explain why; the only lead is that many recipients are abroad, so the SMS messages could be generating revenue through expensive messages being sent to these numbers.