JasperLoader is a modular downloader trojan primarily targeting financial and government organisations throughout Western Europe.
Older JasperLoader campaigns used ZIP file attachments containing malicious DOCM or VBS files as a delivery vector. However, newer variants use hyperlinks embedded into EML files distributed in spam campaigns. These links direct to a file server, where a ZIP file similar to earlier campaigns is downloaded and automatically extracted. Extensive geofencing is used to ensure only target country IP addresses reach the file server, displaying a HTTP 302 temporary site relocation message if this is not the case. The extracted DOCM or VBS files are then executed to download and install JasperLoader, whilst displaying a PDF file to the user.
Once installed, JasperLoader will check the system language and uninstall itself if the following languages are detected; Belarusian, Mandarin, Romanian, Russian or Ukrainian.
It will also verify it is not running in a virtual environment before connecting to a command and control (C2) server. Persistence is maintained through the use of scheduled tasks and Windows shortcuts (LNK files) within the Startup folder. JasperLoader will then install any secondary payloads, primarily GootKit, sent from the C2 server.
Indicators of Compromise
A list of domains observed to be associated with JasperLoader are below.
A list of IP addresses observed to be associated with JasperLoader are below.
A list of file hashes (SHA256) observed to be associated with JasperLoader are below.