Jssloader

Malware updated 5 months ago (2024-05-04T18:19:49.127Z)
JssLoader is malware frequently used by the ransomware group FIN7, also tracked as Sangria Tempest, Elbrus, and Carbon Spider, among other names. It is typically delivered through social-engineering lures, including invoice- and payment-themed decoy emails that trick users into downloading SharePoint-hosted ZIP archives. Once downloaded and executed, JssLoader gives the threat group backdoor access to the victim's computer and the organization's network. It can also profile infected machines and load additional payloads, including downloaders, banking trojans, ransomware, and modular toolkits. Since 2019 the malware has been distributed primarily by a group tracked as Storm-0324, which is known for gaining unauthorized access to corporate networks, deploying JssLoader, and then handing that access over to FIN7. In July 2023, Microsoft observed Storm-0324 distributing payloads by using an open-source tool to send phishing lures through Microsoft Teams chats. The group's activity has provided significant ransomware access. Specific incidents involving JssLoader include an employee at a law firm downloading and executing a variant of the malware in June 2021 after receiving a legal-complaint lure. Later that month, a Proofpoint researcher documented a Windows 11-themed lure used to deliver JssLoader. Both the weaponized Excel document and the subsequent JssLoader payload contacted domains registered on May 27th, a week before their in-the-wild use, indicating a careful and calculated deployment strategy.
Description last updated: 2024-05-04T18:08:00.021Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Malware, Ransomware, Microsoft
Associated Threat Actors
Alias: Sangria Tempest
Description: The Sangria Tempest Threat Actor is associated with Jssloader. Sangria Tempest, also known as Carbon Spider, Elbrus, and FIN7, is a threat actor that has been active since 2013. In mid-November 2023, Microsoft observed Sangria Tempest using Storm-1113's EugenLoader delivered through malicious MSIX package installations. The group frequently targets the restaura
Association Type: Unspecified
Votes: 2