New JSSLoader Variant is Being Spread by TA543 Group
A cybercrime group tracked as TA543 by security firm Proofpoint is deploying a new variant of a malware loader to target victims as part of a phishing campaign, the company reports.
JSSLoader was first identified by Proofpoint researchers in 2019 after it was being spread by attackers as part of an email campaign. The malware is often dropped as a first- or second-stage malware to target victims; however, this strain had remained inactive since May this year, the report says.
With the identification of the new JSSLoader, the researchers note the strain appears to have made a comeback with some changes, including the malware being compiled in the C++ programming language.
“This version of the malware loader was rewritten from .NET to the C++ programming language,” the report says. “The campaigns are ongoing and use similar lures to those initially observed by Proofpoint researchers in 2019,” typically focusing on invoices and package delivery information.
The report further notes the campaigns have attempted to target hundreds of organizations across a wide range of industries, including finance, manufacturing, technology, retail, healthcare, education and transportation.
TA543’s campaign using the new loader began on June 8 with the attackers sending malicious phishing emails that appear to come from the United Parcel Service. The emails notified the victims that they had an undelivered parcel due to a wrong address. The links within these emails then directed the victims to a landing page that contains a Windows Scripting File (.wsf) hosted on SharePoint.
“If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader,” the report says.
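The delivery chain described above (a delivery-themed email linking to a .wsf file on SharePoint, which, once opened, runs an intermediate script that fetches the loader) lends itself to two simple defensive checks. The following is an added example, not Proofpoint's code or its detection rules: it runs two heuristics over constructed log records, one for emailed links to SharePoint-hosted .wsf files with lure-style subjects, and one for Windows script hosts launched by a browser or by another script host. The log formats, field names, domains and sample values are all assumptions made for illustration.

```python
"""Heuristic detection for the JSSLoader delivery chain described in the article.

Added example (not Proofpoint's code or detection rules). Log layouts, field
names and every sample value below are constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed sample email-link records: (recipient, subject, clicked URL)
EMAIL_LINKS = [
    ("a.user@example.test", "UPS: Undelivered parcel - wrong address",
     "https://contoso-my.sharepoint.com/personal/x_example/Documents/Download.wsf"),
    ("b.user@example.test", "Quarterly report",
     "https://contoso-my.sharepoint.com/personal/y_example/Documents/report.xlsx"),
    ("c.user@example.test", "Your invoice",
     "https://files.example.test/invoice_2021.wsf"),
]

# Constructed process-creation events (Sysmon-style subset of fields)
PROCESS_EVENTS = [
    {"host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\Downloads\Download.wsf"',
     "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
    {"host": "ws01", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\a\AppData\Local\Temp\stage2.js"',
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"host": "ws02", "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r'cscript.exe "C:\Scripts\inventory.vbs"',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
BROWSERS = ("firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe")
# Lure themes named in the article: package delivery and invoices
LURE_WORDS = re.compile(r"parcel|deliver|invoice|package", re.I)


def suspicious_wsf_link(url):
    """True for a link to a .wsf file hosted on a sharepoint.com subdomain."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    return host.endswith(".sharepoint.com") and parsed.path.lower().endswith(".wsf")


def find_wsf_lures(links):
    """Return (recipient, url) for emails whose link and subject fit the lure pattern."""
    hits = []
    for recipient, subject, url in links:
        if suspicious_wsf_link(url) and LURE_WORDS.search(subject):
            hits.append((recipient, url))
    return hits


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_script_chains(events):
    """Flag a script host launched from a browser (the user opened the .wsf)
    or from another script host (the intermediate script running stage two)."""
    hits = []
    for ev in events:
        image = basename(ev["image"])
        parent = basename(ev["parent"])
        if image not in SCRIPT_HOSTS:
            continue
        if parent in BROWSERS:
            hits.append((ev["host"], "script host spawned by browser", ev["cmdline"]))
        elif parent in SCRIPT_HOSTS:
            hits.append((ev["host"], "script host spawned by script host", ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for hit in find_wsf_lures(EMAIL_LINKS):
        print("email lure:", hit)
    for hit in find_script_chains(PROCESS_EVENTS):
        print("process chain:", hit)
```

Both heuristics are deliberately narrow: the link check keys on the specific combination the article reports (SharePoint hosting plus a .wsf extension plus a delivery or invoice theme), and the process check looks only at who launched wscript.exe or cscript.exe, which is where a downloaded .wsf and its intermediate script would show up in endpoint telemetry regardless of the final payload's language.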