JasperLoader Trojan

JasperLoader is a modular downloader trojan primarily targeting financial and government organisations throughout Western Europe.

Older JasperLoader campaigns used ZIP attachments containing malicious DOCM or VBS files as the delivery vector. Newer variants instead rely on hyperlinks embedded in EML files distributed through spam campaigns. The links point to a file server from which a ZIP file similar to those of earlier campaigns is downloaded and automatically extracted. The file server is extensively geofenced so that only IP addresses in the targeted countries are served the payload; any other visitor receives an HTTP 302 redirect instead. The extracted DOCM or VBS file, once executed, downloads and installs JasperLoader while displaying a decoy PDF to the user.

Once installed, JasperLoader checks the system language and uninstalls itself if one of the following is detected: Belarusian, Mandarin, Romanian, Russian or Ukrainian. This is a common way for a loader to avoid infecting hosts in the operators' own region, and it is also why an analysis sandbox configured with one of these locales will never observe the later stages.

It also verifies that it is not running in a virtual environment before connecting to its command and control (C2) server. Persistence is maintained through scheduled tasks and Windows shortcuts (LNK files) placed in the Startup folder. JasperLoader then installs any secondary payloads sent from the C2 server, primarily GootKit.
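The two persistence mechanisms named above (scheduled tasks and LNK shortcuts in the Startup folder) are simple to sweep for. The following triage helper is an added example written for this post, not JasperLoader's own code and not taken from any vendor report: it parses Task Scheduler XML and flags Exec actions that launch a script host or anything from a user-writable path, and applies the same test to Startup folder entries. The task XML, the Startup entries and the list of script hosts are constructed assumptions for illustration.

```python
"""Triage helper for the persistence techniques described above.

Added example (not JasperLoader's code): flags scheduled-task actions and
Startup-folder shortcuts that launch a script host or run from a
user-writable location.  All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (real files are UTF-16; pass them in as bytes).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Heuristic list of script hosts a downloader typically uses (assumption).
SCRIPT_HOSTS = re.compile(
    r"(?:^|[\\/])(powershell|pwsh|wscript|cscript|mshta|rundll32)(?:\.exe)?$", re.I)
# Locations an unprivileged user can write to (assumption).
USER_WRITABLE = re.compile(
    r"%(?:appdata|localappdata|temp|tmp)%|\\AppData\\|\\Temp\\|\\Users\\Public\\", re.I)


def task_actions(task_xml):
    """Return (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS).strip()
        actions.append((cmd, args))
    return actions


def is_suspicious_launch(command, arguments=""):
    """True if the launch uses a script host or touches a user-writable path."""
    cmd = command.strip().strip('"')
    if SCRIPT_HOSTS.search(cmd):
        return True
    if USER_WRITABLE.search(cmd) or USER_WRITABLE.search(arguments):
        return True
    return False


def triage_task(task_xml):
    """Suspicious (command, arguments) pairs from one task XML document."""
    return [(c, a) for c, a in task_actions(task_xml) if is_suspicious_launch(c, a)]


def triage_startup(entries):
    """entries: (filename, resolved LNK target, arguments); keeps suspicious .lnk files."""
    return [e for e in entries
            if e[0].lower().endswith(".lnk") and is_suspicious_launch(e[1], e[2])]


# Constructed sample: a benign task and one in the style of a script-based loader.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>%ProgramFiles%\Windows Defender\MpCmdRun.exe</Command>
      <Arguments>-SignatureUpdate</Arguments>
    </Exec>
  </Actions>
</Task>"""

SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//B "%APPDATA%\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed Startup folder listing: (filename, resolved target, arguments).
STARTUP_ENTRIES = [
    ("Send to OneNote.lnk", r"C:\Program Files\Microsoft Office\root\Office16\ONENOTEM.EXE", "/tsr"),
    ("desktop.ini", "", ""),
    ("WindowsUpdate.lnk", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"-w hidden -ep bypass -f %APPDATA%\update.ps1"),
]

if __name__ == "__main__":
    print("benign task:", triage_task(BENIGN_TASK))
    print("suspicious task:", triage_task(SUSPICIOUS_TASK))
    print("startup:", triage_startup(STARTUP_ENTRIES))
```

On a live host the task definitions are the XML files under C:\Windows\System32\Tasks, and the per-user Startup folder is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup; resolving a .lnk to its target needs a LNK parser or the WScript.Shell COM object, which is why the helper takes pre-resolved targets. The user-writable-path test will also flag legitimate per-user installs (OneDrive, Teams and the like), so treat its output as a triage list rather than a verdict.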

Indicators of Compromise

Domains

Domains observed to be associated with JasperLoader are listed below.

  • breed.wanttobea.com
  • zzi.aircargox.com
  • nono.littlebodiesbigsouls.com
  • tribunaledinapoli.recsinc.com
  • tribunaledinapoli.prepperpillbox.com
  • tribunaledinapoli.lowellunderwood.com
  • tribunaledinapoli.rntman.com

IP addresses

IP addresses observed to be associated with JasperLoader are listed below.

  • 185.158.251.171
  • 185.158.249.116

Hashes

File hashes (SHA256) observed to be associated with JasperLoader are listed below.

  • 052c9895383eb10e4ad5bec37822f624e443bbe01700b1fe5abeeea757456aed
  • 54666103a3c8221cf3d7d39035b638f3c3bcc233e1916b015aeee2539f38f719
  • ee3601c6e111c42d02c83b58b4fc70265b937e9d4d153203a4111f51a8a08aab
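The indicators above are only useful once they are checked against your own telemetry. The script below is an added example for this post, not code from the original article or from any vendor, showing how to do that correctly: domain matching is exact-or-subdomain rather than substring (so a host that merely ends in the same registrable domain is not a hit), IP addresses are normalised before comparison, and hashes are compared case-insensitively. The proxy log format, the log lines and the file hash inventory are constructed sample data; the IOC sets are copied verbatim from the lists above.

```python
"""Match the JasperLoader IOCs listed above against local telemetry.

Added example, not from the original article: the proxy log format, the
log lines and the file hash inventory below are constructed sample data.
"""
import hashlib
import ipaddress
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "breed.wanttobea.com",
    "zzi.aircargox.com",
    "nono.littlebodiesbigsouls.com",
    "tribunaledinapoli.recsinc.com",
    "tribunaledinapoli.prepperpillbox.com",
    "tribunaledinapoli.lowellunderwood.com",
    "tribunaledinapoli.rntman.com",
}
IOC_IPS = {"185.158.251.171", "185.158.249.116"}
IOC_SHA256 = {
    "052c9895383eb10e4ad5bec37822f624e443bbe01700b1fe5abeeea757456aed",
    "54666103a3c8221cf3d7d39035b638f3c3bcc233e1916b015aeee2539f38f719",
    "ee3601c6e111c42d02c83b58b4fc70265b937e9d4d153203a4111f51a8a08aab",
}


def domain_matches(host):
    """Exact match or a subdomain of an IOC domain; never a bare substring match."""
    h = host.strip().lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(addr):
    """Normalise through ipaddress so odd spellings still compare correctly."""
    try:
        return str(ipaddress.ip_address(addr.strip())) in IOC_IPS
    except ValueError:
        return False


# Constructed log format (assumption): "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")


def scan_proxy_log(lines):
    """Return (client, host, status) for each line whose destination is an IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""   # strips scheme, port and path
        if domain_matches(host) or ip_matches(host):
            hits.append((m["client"], host, int(m["status"])))
    return hits


def sha256_of_file(path, chunk=1 << 20):
    """Stream a file through SHA256 so large downloads do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_hash_inventory(inventory):
    """inventory: {path: sha256 hex}; returns the paths whose hash is an IOC."""
    return sorted(p for p, digest in inventory.items()
                  if digest.strip().lower() in IOC_SHA256)


# Constructed proxy log lines; the 302 on the first line mirrors the
# geofenced file server behaviour described above.
SAMPLE_LOG = [
    "2019-05-02T09:14:01Z 10.0.0.21 GET http://breed.wanttobea.com/doc.zip 302",
    "2019-05-02T09:14:07Z 10.0.0.21 GET http://185.158.251.171:8080/index.php 200",
    "2019-05-02T09:15:30Z 10.0.0.44 GET https://www.example.com/ 200",
    "2019-05-02T09:16:12Z 10.0.0.44 GET http://notbreed.wanttobea.com/ 200",  # not a subdomain of an IOC
    "2019-05-02T09:17:45Z 10.0.0.58 POST http://cdn.tribunaledinapoli.rntman.com/up 200",
]

# Constructed file inventory; the first hash is an IOC written in upper case on purpose.
SAMPLE_INVENTORY = {
    r"C:\Users\alice\Downloads\documento.docm":
        "052c9895383eb10e4ad5bec37822f624e443bbe01700b1fe5abeeea757456aed".upper(),
    r"C:\Users\alice\Downloads\report.pdf":
        hashlib.sha256(b"constructed benign content").hexdigest(),
}

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print("network hit:", hit)
    for path in scan_hash_inventory(SAMPLE_INVENTORY):
        print("file hit:", path)
```

Note that the hash indicators only identify the specific samples observed; a rebuilt DOCM or re-obfuscated VBS will have a different SHA256, so the domain and IP checks, and the persistence sweep described earlier, are the more durable part of the hunt.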

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
