JSS Loader Threat Report: What is JSS Loader Malware and How Does it Work?

The JSS Loader is a remote access Trojan that was first detected in 2020 by [FIN7]. It affects the Windows operating system and has the ability to download and execute malicious files. It is typically delivered through phishing emails containing malicious Microsoft Excel attachments.

JSS Loader Malware Capabilities:

The JSS Loader may use various tools and techniques to gain execution on a victim system, including the Windows Task Scheduler, transferring files from an external system, and sending spearphishing emails with a malicious attachment. Once execution is gained, the JSS Loader may abuse JavaScript, PowerShell, and Visual Basic for a variety of purposes.

• The JSS Loader may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. Additionally, the JSS Loader may transfer tools or other files from an external system into a compromised environment, and may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems.
• The JSS Loader may use various files that require execution by the user, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl. It may also abuse JavaScript and PowerShell commands and scripts for execution. This may lead to the disclosure of information or execution of code on the user's system.

Ways to Mitigate JSS Loader Malware Attacks Capabilities

• The JSS Loader malware attacks can be mitigated by monitoring process execution, file creation, and files transferred into the network. Network intrusion detection systems and email gateways can be used to detect spearphishing with malicious attachments in transit.
• The JSS Loader malware attack can be mitigated by monitoring the execution of and command-line arguments for applications that may be used by an adversary to gain initial access that require user interaction. This includes compression applications, such as those for zip files, that can be used to deobfuscate or decode files or information in payloads. Additionally, monitor for events associated with scripting execution, such as process activity, usage of the Windows Script Host, file activity involving scripts, or loading of modules associated with scripting languages.
• If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity.