Reworked JSSLoader Delivers the Carbanak Trojan
Refactoring is a common software-engineering technique: in layman's terms, it modifies the internal structure of a program without changing its behavior at all. Malware developers employ the same technique to improve their projects in various ways. One project that recently underwent such a change is the JSSLoader Trojan. However, instead of merely optimizing the existing code, the criminals behind JSSLoader opted to rewrite it in a different programming language. While the original JSSLoader Trojan was written in .NET, the variant released in June 2021 is based on C++.
Why Was the JSSLoader Rewritten?
One advantage of porting malware to an entirely different programming language is that it can render existing security signatures and detections ineffective. This was likely the primary goal of JSSLoader's developers: to evade firewall and antivirus software with the launch of the new variant. Of course, you can rest assured that reputable antivirus tools have received the necessary updates to ensure that the new JSSLoader does not get a chance to cause damage.
Cybersecurity experts state that JSSLoader's new variant offers no functional improvements over the original. The malware is, however, being distributed through new email spam campaigns and additional tricks. The group behind this operation is tracked under the alias TA543, and its current campaign targets hundreds of organizations across various sectors, including healthcare, retail, technology, and finance.
The Purpose of the 2021 JSSLoader
Like other Trojan loaders, this one does not do much on its own. It needs to be paired with an additional malware family: the goal of JSSLoader is to ensure that extra payloads are loaded seamlessly without raising any red flags. The malware families that the C++ variant of JSSLoader delivers may vary, but they appear very similar to the arsenal of the FIN7 hacking group. For example, some active JSSLoader samples were observed delivering a variant of the Carbanak banking Trojan.
Malware developers constantly try to stay one step ahead of antivirus vendors, and JSSLoader's complete structural change is one such attempt. Following safe Web browsing practices and applying regular updates to your antivirus software should be enough to mitigate attacks like the one described above.