Malspam campaign with signed emails distributes Gootkit trojan via JasperLoader

• This malspam campaign primary targets Central Europe with a focus on Italy and Germany.
• In these campaigns, attackers use legitimate certified email services such as Posta Elettronica Certificata (PEC) used in Italy, Switzerland and Hong Kong to send signed emails.

What is the issue - Researchers from Cisco Talos observed a new malspam campaign with signed emails that distribute the Gootkit banking trojan via the multi-stage malware downloader called JasperLoader.

Why it matters - This malspam campaign primary targets Central Europe with a focus on Italy and Germany.

The big picture

Cisco Talos researchers noted that these malicious campaigns included legitimate looking malicious file attachments or ZIP files that contain JS and XML files disguised as PDF invoices.

• These malicious files once downloaded, install and execute the JSLoader malware onto victims’ computer.
• The JasperLoader contain either a Visual Basic for Applications (VBS) script or DOCM documents with VBA macros to initiate the malicious payload download process.
• Additionally, JasperLoader checks its geolocation and if the compromised machine is from Russia, Ukraine, Belarus, or the People's Republic of China, then it terminates itself.
• The malware loader gains persistence by adding an LNK shortcut to itself to the infected system’s Startup folder in order to get launched each time the machine is rebooted.
• JaspeLoader then allows the attackers to update the loader in order to run Powershell-based arbitrary system commands and download the final Gootkit malware payload.

“JasperLoader employs a multi-stage infection process that features several obfuscation techniques that make analysis more difficult. It appears that this loader was designed with resiliency and flexibility in mind, as evidenced in later stages of the infection process,” researchers wrote in a blog.

Worth noting - In these campaigns, attackers use legitimate certified email services such as Posta Elettronica Certificata (PEC) used in Italy, Switzerland and Hong Kong to send signed emails.

Signing malspam emails will add legitimacy to the emails and convince targets to open malicious emails.

“In this case, abusing a legitimate email service allowed them to deliver their malicious emails in a way that would maximize the likelihood that a potential victim would open the attachments and infect themselves with JasperLoader,” researchers concluded.