Jssloader

Malware Profile Updated 3 months ago
JssLoader is a malware loader and backdoor used by the financially motivated cybercrime group FIN7, also tracked as Sangria Tempest, ELBRUS and Carbon Spider, which has been linked to several ransomware operations. It is typically delivered through social-engineering lures, including invoice- and payment-themed decoy emails that trick users into downloading ZIP archives hosted on SharePoint. Once the archive contents are executed, JssLoader gives the operators backdoor access to the victim's machine and, from there, to the organization's network. It also profiles the infected host and can fetch and run additional payloads, which have included downloaders, banking trojans (Dridex is listed among its associations below), ransomware and modular toolkits.

Since 2019, JssLoader has been distributed primarily by the access broker Microsoft tracks as Storm-0324. This group obtains unauthorized access to corporate networks, deploys JssLoader, and then hands that access over to FIN7. In July 2023, Microsoft observed Storm-0324 delivering its payloads by sending phishing lures through Microsoft Teams chats using an open-source tool (TeamsPhisher, per the source references below). Access gained this way has led to ransomware deployments.

Documented incidents involving JssLoader include a June 2021 case in which an employee at a law firm downloaded and executed a variant of the malware after receiving a legal-complaint-themed lure. Later the same month, a Proofpoint researcher documented a Windows 11-themed lure used to deliver JssLoader. Both the weaponized Excel document and the subsequent JssLoader payload contacted domains registered on May 27th, a week before their in-the-wild use, which points to pre-staged infrastructure and a planned deployment rather than opportunistic activity. For defenders, the recurring pattern is the delivery path (a themed lure leading to an archive or Office document, followed by a secondary download), not a fixed set of indicators.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Microsoft
Ransomware
Malware
Windows
Phishing
Decoy
PowerShell
Backdoor
Malware Loader
RaaS
Payload
Associated Malware
Dridex (type: Unspecified; votes: 1)
Dridex is a well-known malware, specifically a banking Trojan, that has been utilized by cybercriminals to exploit and damage computer systems. The malware infiltrates systems through dubious downloads, emails, or websites, often unbeknownst to the user, and can steal personal information, disrupt o
Associated Threat Actors
Sangria Tempest (type: Unspecified; votes: 2)
Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for its malicious activities, including spear-phishing campaigns, malware distribution, and theft of payment card data. In m

FIN7 (type: Unspecified; votes: 1)
FIN7, a notorious threat actor group known for its malicious activities, has recently been identified as targeting a large U.S. carmaker with phishing attacks. This group, which has previously operated behind fake cybersecurity companies such as Combi Security and Bastion Secure to recruit security

GandCrab (type: Unspecified; votes: 1)
GandCrab, a threat actor, is known for its malicious activities involving ransomware attacks. Originating from Russian origins and evolving from Team Truniger, a former GandCrab affiliate, the group has been linked to numerous ransomware variants including Bad Rabbit, LockBit 2.0, STOP/DJVU, and REv

Carbon Spider (type: Unspecified; votes: 1)
CARBON SPIDER, also known as FIN7 and Sangria Tempest, is a threat actor that has been active in the eCrime space since approximately 2013. This criminally motivated group primarily targets the hospitality and retail sectors with the aim of obtaining payment card data. The group has been linked to s

Cobalt Group (type: Unspecified; votes: 1)
The Cobalt Group is a significant threat actor known for its financially-motivated cybercrime activities. This group, along with the Russian state-sponsored hacking group APT28, was responsible for almost half of all cybersecurity incidents in 2023, according to TechRadar. The Cobalt Group's modus o
Associated Vulnerabilities
No associations to display.
Source Document References
Information about the JssLoader malware was read from the documents listed below (display limited to 20 results).

Source | Created | Title
MITRE | 7 months ago | FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
CERT-EU | 10 months ago | Microsoft promises to act as Teams continues to get pummeled by phishing attacks
CERT-EU | 10 months ago | Microsoft Teams Hacks Are Back, As Storm-0324 Embraces TeamsPhisher
CERT-EU | 10 months ago | Microsoft Warns of New Phishing Campaign Targeting Corporations via Teams Messages (National Cyber Security Consulting)
InfoSecurity-magazine | 10 months ago | New Microsoft Teams Phishing Campaign Targets Corporate Employees
CERT-EU | 10 months ago | Microsoft warns about a new malware threat that's being distributed via Teams chats
CERT-EU | 10 months ago | In Other News: China Blames NSA for Hack, AI Jailbreaks, Netography Spin-Off
MITRE | a year ago | Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm
CERT-EU | 10 months ago | Storm-0324 Exploits MS Teams Chats to Facilitate Ransomware Attacks