JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan (Apr 25, 2019)
Cisco Talos researchers observed several phishing campaigns targeting specific European countries in order to install the banking trojan "Gootkit" through a new loader called "JasperLoader." Each campaign was written in the language of the targeted country, specifically German and Italian, and used lures such as payment invoices signed by a legitimate certified email service provider, "Posta Elettronica Certificata (PEC)." The attachment is either a ZIP file or a Word document that asks the recipient to enable macros. If the archive is unzipped and its contents executed, or if macros are enabled, JasperLoader is dropped onto the device and executed. JasperLoader checks the geolocation of the infected computer to ensure it is not in Belarus, China, Russia, or Ukraine, and then achieves persistence via the Startup folder. Once it establishes a connection to its Command and Control (C2) server, it installs the Gootkit banking trojan.
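As an added example (not from the Talos report or this briefing), the following detection pass runs over constructed Sysmon-style FileCreate records and flags the two observable stages described above: an Office process dropping a script or executable after macros are enabled, and a payload written to the per-user Startup folder. Field names follow Sysmon Event ID 11; the file paths, user name and process images are constructed sample data.

```python
import ntpath
import re

# Constructed Sysmon-style FileCreate (Event ID 11) records; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\fattura_2019.vbs"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
    {"Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\~WRD0001.tmp"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\report.docx"},
]

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Extensions that Windows will execute or resolve when they land in Startup.
PAYLOAD_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".ps1",
                ".bat", ".cmd", ".exe", ".dll", ".scr", ".lnk"}
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)


def classify(event):
    """Return the detection names one FileCreate event triggers (empty if benign)."""
    image = ntpath.basename(event["Image"]).lower()
    target = event["TargetFilename"]
    ext = ntpath.splitext(target)[1].lower()
    hits = []
    # Stage 1: an Office process writing a script or executable is the
    # macro-to-loader hand-off; documents normally write only documents and temp files.
    if image in OFFICE_IMAGES and ext in PAYLOAD_EXTS:
        hits.append("office_dropped_payload")
    # Stage 2: anything executable placed in a per-user Startup folder runs at
    # the next logon, which is the persistence step the loader relies on.
    if STARTUP_RE.search(target) and ext in PAYLOAD_EXTS:
        hits.append("startup_folder_persistence")
    return hits


def scan(events):
    """Map each suspicious TargetFilename to the detection names it triggered."""
    return {ev["TargetFilename"]: h for ev in events if (h := classify(ev))}


if __name__ == "__main__":
    for path, names in scan(SAMPLE_EVENTS).items():
        print(f"{', '.join(names):28s} {path}")
```

The two benign records (an Office temp file and a document saved by Explorer) produce no hits, so the check can run over bulk telemetry without flagging ordinary Word activity.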
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Additionally, maintain policies regarding what kind of requests and information your employees can expect to receive from colleagues and management, to assist in identifying possible impersonation. Anti-spam and antivirus applications provided by trusted vendors should also be employed.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.