Fresh details about JSSLoader, a malware variant that the FIN7 hacking group keeps evolving
Although FIN7 is suspected of using JSSLoader during several campaigns, details about the malware have been elusive. During a failed attack in December, a version of this remote access Trojan, which is written in the .NET programming language, was recovered.
Though JSSLoader is well known as a minimized .NET RAT, not many details have been publicly available about its capabilities, such as exfiltration, persistence, auto-update and malware downloading.
FIN7 is a financially motivated hacking group that is believed to operate from Eastern Europe and is known to use spear-phishing attacks to target victims. The group also changes its techniques regularly to avoid detection.
The attack starts with a phishing email that downloads a VBScript, according to the report. A second VBScript is then downloaded into the infected device’s memory, and it attempts to download and install the main JSSLoader payload.
The in-memory script downloads and writes a .NET module on disk, then executes the module through a scheduled task with a newly introduced timeout delay to bypass attack chain monitoring.
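A defender can look for this chain by correlating file writes made by a script host with scheduled-task creation on the same machine. The Python below is an added example, not code from the report; the event schema, field names, correlation window and sample events are assumptions constructed for illustration, and the delay is modelled as the gap between task registration and task start.

```python
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows script hosts that run VBScript
WINDOW = timedelta(minutes=30)                  # assumed correlation window, tune locally

# Constructed telemetry in a hypothetical schema; hosts, paths and times are made up.
EVENTS = [
    {"ts": "2024-01-01T10:00:05", "host": "WS01", "type": "file_write",
     "process": "wscript.exe", "path": r"C:\Users\a\AppData\Local\Temp\mod.exe"},
    {"ts": "2024-01-01T10:00:09", "host": "WS01", "type": "task_create",
     "action": r'"c:\users\a\appdata\local\temp\MOD.EXE"',
     "start": "2024-01-01T10:03:09"},
    # Benign installer: file not written by a script host, task starts immediately.
    {"ts": "2024-01-01T11:00:00", "host": "WS02", "type": "file_write",
     "process": "setup.exe", "path": r"C:\Program Files\App\app.exe"},
    {"ts": "2024-01-01T11:00:02", "host": "WS02", "type": "task_create",
     "action": r"C:\Program Files\App\app.exe", "start": "2024-01-01T11:00:02"},
    # Script host writes a file, but no task ever launches it.
    {"ts": "2024-01-01T12:00:00", "host": "WS03", "type": "file_write",
     "process": "cscript.exe", "path": r"C:\Temp\report.exe"},
]

def find_chains(events):
    """Return findings where a task runs a file that a script host wrote shortly before."""
    dropped = {}   # (host, lowercased path) -> (write time, writing process)
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "file_write" and ev["process"].lower() in SCRIPT_HOSTS:
            dropped[(ev["host"], ev["path"].lower())] = (ts, ev["process"])
        elif ev["type"] == "task_create":
            action = ev["action"].lower()   # may be quoted or carry arguments
            for (host, path), (written, proc) in dropped.items():
                if host == ev["host"] and path in action and ts - written <= WINDOW:
                    delay = datetime.fromisoformat(ev["start"]) - ts
                    findings.append({"host": host, "path": path, "writer": proc,
                                     "delay_seconds": int(delay.total_seconds())})
    return findings

if __name__ == "__main__":
    for finding in find_chains(EVENTS):
        print(finding)
```

Reporting the delay alongside the match lets an analyst see how long the task was held back, which is the part of the chain that time-boxed monitoring can miss.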
JSSLoader functions as a RAT and seeks to collect information about the compromised device, including hostname, domain name, username, running processes, and system information such as patches, desktop files, Active Directory information, logical drives and network information. JSSLoader connects to a command-and-control server hosted by a company called “FranTech Solutions” that’s been used by the FIN7 group.
Data gathered by the JSSLoader RAT is encoded with Base64 before it’s sent to the hackers. The malware creates a unique identifier for each compromised device by combining the device’s serial number, name and domain name.
JSSLoader can also carry out a series of commands, including executing a PowerShell script in memory, writing a Dynamic Link Library file and executing a function that will uninstall the malware and terminate all other functions. The Trojan can also launch a Cobalt Strike beacon.