A cybercrime group tracked as TA543 is deploying a new variant of a malware loader dubbed JSSLOADER to target victims as part of a phishing campaign. The malware is often dropped as a first or second stage malware to target victims this include the malware being complied in C++ programming language earlier was in .Net

The TA543’s campaign using the new loader began on June 8 with the attackers sending malicious phishing emails that appear to come from the United Parcel Service. The emails notified the victims that they have an undelivered parcel due to a wrong address. The links within these emails then directed the victims to a landing page that contains a Windows Scripting File hosted on SharePoint. If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader

Similar Campaign

Proofpoint says attackers generally deploy new malware loader variants or tweak the existing ones as means to avoid detection.

Proofpoint uncovered a campaign that deployed a version of the Buer first-stage malware loader that was rewritten in the Rust programming language which was capable of exfiltrating sensitive information.

A report by security firm Cisco Talos in March described how ransomware groups are deploying Trojan loaders to as part of phishing campaigns

Russian hacking group Turla deployed an IronPython-based malware loader called “IronNetInjector” as part of a new campaign, Palo Alto’s Unit42 reported