JssLoader is a malware family associated with FIN7, a financially motivated cybercrime group with ties to several ransomware operations, also tracked as Sangria Tempest, ELBRUS and Carbon Spider, among other names. It is typically delivered through email lures, including invoice- and payment-themed decoy messages that lead the recipient to download a SharePoint-hosted ZIP archive. Once the archive's contents are executed, JssLoader gives the operators backdoor access to the victim's machine and, from there, a foothold in the organization's network. It also profiles the infected host and retrieves additional payloads, which have included downloaders, banking trojans, ransomware and modular toolkits.
Since 2019 the malware has been distributed primarily by a group tracked as Storm-0324, which operates as an initial access broker: it gains unauthorized access to corporate networks, deploys JssLoader, and then hands the resulting access to FIN7. In July 2023, Microsoft observed Storm-0324 using an open-source tool to send phishing lures through Microsoft Teams chats. Access brokered by the group has repeatedly led to ransomware deployment in the affected networks.
Specific incidents involving JssLoader include an employee at a law firm who downloaded and executed a variant of the malware in June 2021 after receiving a legal-complaint lure. Later that month, a Proofpoint researcher documented a Windows 11-themed lure used to deliver JssLoader. Both the weaponized Excel document and the JssLoader payload it fetched contacted domains registered on May 27, a week before they were used in the wild, indicating that the infrastructure was staged in advance of the campaign. For defenders, this makes the registration age of contacted domains a useful triage signal for this activity.
Description last updated: 2024-05-04T18:08:00.021Z