Cybersecurity researchers have disclosed that malicious Microsoft Excel add-ins are being used to deploy a new variant of the JSSLoader remote access trojan (RAT). The trojan has been associated with the financially motivated Russian hacker gang FIN7, also known as ‘Carbanak.’ JSSLoader is a compact, lightweight RAT that can exfiltrate data, establish persistence, retrieve and load new payloads, and auto-update itself, among other things. Threat experts at Morphisec Labs discovered the newest campaign employing a stealthier new version of JSSLoader and report that the distribution mechanism is presently phishing emails with XLL or XLM attachments. Misuse of Excel XLL add-ins is not new; the add-ins themselves are often used for legitimate purposes, such as importing data into a spreadsheet or extending Excel’s capabilities.
However, because the threat actors are using an unsigned file in the current campaign, Excel displays a clear warning to the victim about the dangers of running it. When activated, the XLL files load malicious code into memory through the xlAutoOpen entry point, then download the payload from a remote server and run it as a new process via an API call.
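Since an XLL is a PE DLL whose xlAutoOpen export Excel calls on load, an attachment can be triaged for that entry point without Excel ever running it. The following is an added example, not code from the article or from Morphisec: the offsets follow the PE/COFF format, the extra entry-point names beyond xlAutoOpen are standard XLL exports, and `build_sample_dll` constructs a synthetic fixture so the check can be exercised offline.

```python
import struct

# Entry points Excel looks for in an XLL; xlAutoOpen is the one named in the write-up,
# the others are the remaining standard XLL exports.
XLL_EXPORTS = {"xlAutoOpen", "xlAutoClose", "xlAddInManagerInfo", "xlAddInManagerInfo12"}
u16 = lambda d, o: struct.unpack_from("<H", d, o)[0]
u32 = lambda d, o: struct.unpack_from("<I", d, o)[0]

def pe_export_names(data: bytes) -> list:
    """Exported symbol names of a PE image; [] if not a PE or it has no export table."""
    pe = u32(data, 0x3C) if data[:2] == b"MZ" and len(data) >= 0x40 else 0  # e_lfanew
    if not pe or data[pe:pe + 4] != b"PE\0\0":
        return []
    opt = pe + 24                                   # optional header follows 20-byte COFF header
    exp_rva = u32(data, opt + (96 if u16(data, opt) == 0x10B else 112))  # PE32 vs PE32+ dirs
    if exp_rva == 0:
        return []
    secs = []                                       # (VirtualAddress, size, PointerToRawData)
    for i in range(u16(data, pe + 6)):              # NumberOfSections
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + u16(data, pe + 20) + i * 40 + 8)
        secs.append((va, max(vsize, rsize), raw))
    def rva2off(rva):                               # map RVA to file offset via the section table
        return next(rva - va + raw for va, size, raw in secs if va <= rva < va + size)
    exp = rva2off(exp_rva)                          # IMAGE_EXPORT_DIRECTORY
    n_names, names_off = u32(data, exp + 24), rva2off(u32(data, exp + 32))
    names = []
    for i in range(n_names):
        s = rva2off(u32(data, names_off + 4 * i))
        names.append(data[s:data.index(b"\0", s)].decode("ascii", "replace"))
    return names

def looks_like_xll(data: bytes) -> bool:
    return bool(XLL_EXPORTS & set(pe_export_names(data)))

def build_sample_dll(names):  # constructed fixture: minimal PE32 with one section holding an export table
    sec, ptrs, strs = bytearray(40), bytearray(), bytearray()
    str_base = 0x1000 + 40 + 4 * len(names)         # RVA of the first name string
    for n in names:
        ptrs += struct.pack("<I", str_base + len(strs))
        strs += n.encode() + b"\0"
    # NumberOfNames, AddressOfFunctions (unused here), AddressOfNames, AddressOfNameOrdinals
    struct.pack_into("<IIII", sec, 24, len(names), 0, 0x1000 + 40, 0)
    sec += ptrs + strs
    hdr = bytearray(0x200)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x2102)  # COFF header
    struct.pack_into("<H", hdr, 0x58, 0x10B)                                 # PE32 magic
    struct.pack_into("<II", hdr, 0x58 + 96, 0x1000, len(sec))                # export data directory
    struct.pack_into("<8sIIII", hdr, 0x58 + 224, b".edata", len(sec), 0x1000, len(sec), 0x200)
    return bytes(hdr + sec)
```

A positive result only says the file is an Excel add-in, not that it is malicious; the point is to catch add-ins arriving where none are expected, such as e-mail attachments.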
To evade EDRs that correlate detection information from across the network, the threat actor regularly changes the User-Agent used by the XLL files. The new JSSLoader has the same execution flow as previous versions, but it adds a layer of text obfuscation in which all functions and variables are renamed. The latest RAT also splits strings into sub-strings and concatenates them at runtime to avoid detection by defenders using string-based YARA rules. Finally, the string decoding routine is kept simple so that it leaves a small footprint and avoids detection by static threat scanners.
According to Morphisec, these additional features, together with XLL file delivery, make detection by next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions difficult, if not impossible. This allows FIN7 to roam undetected in the infiltrated network for days or weeks before defenders load matching signatures into the tools that supplement AI-based detection systems.
FIN7 is a sophisticated threat group that has previously sent malware-laced USB drives along with teddy bear gifts, posed as a reputable security company to recruit network penetration specialists, and distributed ransomware-carrying USB drives by postal mail. The new and stealthier version of JSSLoader is only one tool in its arsenal, allowing it to remain undetected in networks for extended periods.