DeathStalker targets legal entities with new Janicab variant

Just to clarify: the subheading isn't a normal quote, but a message that the Janicab malware attempted to decode in its newest use of YouTube dead-drop resolvers (DDRs).


While hunting for less common DeathStalker intrusions that use the Janicab malware family, we identified a new Janicab variant used against legal entities in the Middle East throughout 2020, and possibly still active during 2021. This appears to extend an extensive campaign that has been traced back to early 2015 and that targeted legal, financial and travel agencies in the Middle East and Europe.


Janicab was first introduced in 2013 as malware able to run on both macOS and Windows. The Windows version uses a VBScript-based implant as the final stage, instead of the C#/PowerShell combination observed previously in Powersing samples. The VBS-based implant samples we have identified to date carry a range of version numbers, suggesting the implant is still under active development. Overall, Janicab offers the same functionality as its counterpart malware families, but instead of downloading additional tools later in the intrusion lifecycle, as was the case in EVILNUM and Powersing intrusions, the analyzed samples ship most of their tooling embedded and obfuscated inside the dropper.


Interestingly, the threat actor continues to use YouTube, Google+ and WordPress web services as DDRs: the implant fetches a benign-looking public page and decodes the real C2 address from content planted there, so the C2 endpoint never has to appear in the binary itself. Some of the YouTube links observed are unlisted videos dating back to 2015, which points to possible infrastructure reuse.
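To make the dead-drop resolver mechanism concrete, here is a generic reconstruction of the pattern, added for this page: it is not Janicab's, Powersing's or Kaspersky's code, and the markers (`ref:` / `:fer`), the XOR-then-base64 encoding, the key and the sample page are all constructed assumptions rather than the actual Janicab format. It shows the two halves of the scheme, the operator encoding a C2 endpoint into an innocuous-looking comment and the implant extracting, decoding and validating it, plus the failure paths (no marker, undecodable blob) that a real resolver must handle without crashing.

```python
"""Generic dead-drop resolver (DDR) illustration for the Janicab/Powersing
write-up above. Assumed, not the real malware format: marker strings, the
XOR key, the encoding and the sample page are constructed for this example."""
import base64
import ipaddress
import re
from typing import Optional, Tuple

# Assumed illustrative key and delimiters (not Janicab's real scheme).
XOR_KEY = b"janicab-demo-key"
START_MARK, END_MARK = "ref:", ":fer"
PAYLOAD_RE = re.compile(
    re.escape(START_MARK) + r"([A-Za-z0-9_\-=]+)" + re.escape(END_MARK)
)


def _xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the kind of light obfuscation DDR blobs typically use."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2(endpoint: str, key: bytes = XOR_KEY) -> str:
    """Operator side: turn 'host:port' into the blob planted in a public post."""
    return base64.urlsafe_b64encode(_xor(endpoint.encode("ascii"), key)).decode("ascii")


def extract_payload(page: str) -> Optional[str]:
    """Implant side, step 1: locate the blob inside an otherwise benign page."""
    match = PAYLOAD_RE.search(page)
    return match.group(1) if match else None


def decode_c2(payload: str, key: bytes = XOR_KEY) -> Optional[Tuple[str, int]]:
    """Implant side, step 2: decode and validate. Anything that is not a
    plausible host:port is rejected, so a wrong key, a truncated post or an
    unrelated match falls through to None instead of a crash."""
    try:
        raw = _xor(base64.urlsafe_b64decode(payload), key).decode("ascii")
        host, port_text = raw.rsplit(":", 1)
        port = int(port_text)
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not 0 < port < 65536:
        return None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: accept only something that looks like a hostname.
        if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", host):
            return None
    return host, port


def resolve(page: str, key: bytes = XOR_KEY) -> Optional[Tuple[str, int]]:
    """Full resolver: fetch already done, page text in, C2 endpoint out."""
    payload = extract_payload(page)
    return decode_c2(payload, key) if payload else None


# Constructed sample: what an unlisted video page with a planted comment might
# look like. The C2 endpoint uses the TEST-NET-3 documentation range.
SAMPLE_PAGE = (
    '<html><body><div class="description">Holiday footage, uploaded 2015.</div>\n'
    '<div class="comment">thanks for watching! '
    + START_MARK + encode_c2("203.0.113.45:443") + END_MARK
    + "</div></body></html>"
)

if __name__ == "__main__":
    print(resolve(SAMPLE_PAGE))
```

From the defender's side, the point of the example is what is absent: the C2 address never appears in the implant, only a URL to a reputable service does, so static IOC extraction from the binary yields nothing. Detection has to come from the resolver behaviour instead, for example a script host such as `wscript.exe` or `cscript.exe` fetching video or blog pages, or repeated requests to the same unlisted page from hosts that have no business watching it.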


Law firms and financial institutions continue to be the entities most affected by DeathStalker. However, in the intrusions analyzed recently, we suspect that travel agencies are a new ve ..
