Jssloader

Malware profile, updated 13 days ago
JssLoader is a malware family frequently used by the ransomware gang FIN7, also tracked as Sangria Tempest, Elbrus, Carbon Spider, and other names. It is typically delivered through social engineering, including invoice- and payment-themed decoy emails that trick users into downloading SharePoint-hosted ZIP archives. Once downloaded and executed, JssLoader gives the threat group backdoor access to the victim's computer and, from there, the organization's network. It also profiles infected machines and loads additional payloads, which can include downloaders, banking trojans, ransomware, and modular toolkits.

Since 2019 the malware has been distributed primarily by a group tracked as Storm-0324. This group gains unauthorized access to corporate networks, deploys JssLoader, and then hands that access over to FIN7. In July 2023, Microsoft observed Storm-0324 distributing payloads by using an open-source tool to send phishing lures through Microsoft Teams chats. The group's activity has provided ransomware operators with significant initial access.

Specific incidents involving JssLoader include a June 2021 case in which an employee at a law firm downloaded and executed a variant of the malware after receiving a legal-complaint lure. Later in the same month, a Proofpoint researcher documented a Windows 11-themed lure used to deliver JssLoader. Both the weaponized Excel document and the subsequent JssLoader payload contacted domains registered on May 27th, a week before their in-the-wild use, indicating a careful and calculated deployment.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Malware, Ransomware, Microsoft
Associated Malware
No associations to display
Associated Threat Actors
Sangria Tempest (Unspecified): Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for its malicious activities, including spear-phishing campaigns, malware distribution, and theft of payment card data. In m
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Jssloader malware was read from the documents corpus below.

MITRE, a year ago: Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm
MITRE, 5 months ago: FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
CERT-EU, 8 months ago: Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages | National Cyber Security Consulting
CERT-EU, 8 months ago: Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks
CERT-EU, 8 months ago: Microsoft warns about a new malware threat that's being distributed via Teams chats
InfoSecurity-magazine, 8 months ago: New Microsoft Teams Phishing Campaign Targets Corporate Employees
CERT-EU, 8 months ago: Microsoft Teams Hacks Are Back, As Storm-0324 Embraces TeamsPhisher
CERT-EU, 8 months ago: In Other News: China Blames NSA for Hack, AI Jailbreaks, Netography Spin-Off
CERT-EU, 8 months ago: Microsoft promises to act as Teams continues to get pummeled by phishing attacks