JSSLoader Description

JSSLoader is an initial-stage malware threat tasked with profiling the breached systems and deploying additional malicious payloads in the attack chain. The threat was first discovered by infosec researchers back in 2019 and since then it has undergone rapid development. In fact, the latest versions of JSSLoader show that the threat has been rewritten from its original .NET to the C++ programming language completely. While this is not unheard of, recreating an entire malware threat into a new language is still extremely uncommon. It is more than likely that the cybercriminals did so to improve the chances of evading current detections. 

Evidence suggests that JSSLoader is being deployed by a small number of threat actors. More specifically, researchers state that they have detected two hacker groups using the threat, one of which is the TA543 APT (Advanced Persistent Threat) group. The new C++ versions of JSSLoader were found as part of a new threatening campaign carried out by the group. The series of attacks target a wide range of organizations operating in a diverse set of industry sectors - healthcare, retails, manufacturing, finance, education, transportation and technology.

The attacks carry the same characteristics as the threatening operations involving JSSLoader from back in 2019. Thousands of bait emails carrying corrupted links are distributed to potential victims. The emails typically spoof invoices and delivery information from popular companies. The lure messages from the latest operations are designed to mimic the ones sent by UPS. The link inside the email leads to a page hosting Keitaro TDS. It then proceeds to download a Windows Scripting File (WSF) that is hosted on SharePoint. Upon its execution, the WSF fetches a middle-stage script that finally downloads and loads the C++ version of JSSLoader onto the compromised system.