A self-made RAT has been created by cybercriminals that use several cloud providers and are currently targeting nations like KSA (Kingdom Saudi Arabia), Iraq, Egypt, Libya, Morocco, and Algeria.

Security researchers with Cisco’s Talos Security Intelligence and Research Group discovered a new type of malware, which can attack a victim’s device through malicious Microsoft Office documents.

The malware in question is a remote access Trojan, also known as RAT, that is named JhoneRAT by Talos analysts, Warren Mercer, Paul Rascagneres, Vitor Ventura, and Eric Kuhla as it checks for new commands in the tweets from the handle @jhone87438316. The handle stands suspended by Twitter, but JhoneRAT looks for new commands every 10 seconds using HTML parser and identifies fresh tweets.

The Tahlos and Rascagneres team explained that this malware is being used to specifically target the people of Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, UAE, Syria, Kuwait, Bahrain, and Lebanon

Rascagneres commented that they are unsure as to why the hackers would circle down on the countries mentioned above, but it seems they hardcoded these specific countries in the malware. The attackers had complete control over the compromised systems, and the only purpose of these attacks appears to be cyber espionage.

Cyberattackers have been using JhoneRAT since November, and a little has changed ever since.

How JhoneRAT Works?

When the attacker deploys JhoneRAT, it tries to gather as much information about the victim from cloud services like Google Drive, Twitter, ImgBB, and Google Forms before attempting to download several payloads and upload any information gathered during this reconnaissance phase.

Talos researchers have been capable of deriving the code that JhoneRAT was developed utilizing Python and that the individuals behind it are mainly focused on every nation, ‘based mostly on the sufferer’s keyboard format.’

How can you protect yourself?

Attackers are successfully able to lure their victims into opening documents by labeling it as ‘Urgent.docx’ or ‘fb.docx’ as well as other strange image files. Despite the API key being revoked, and the twitter handle account suspended, yet they are deploying the RAT with new accounts.

In their blog post, Talos researchers noted that the minds behind these attacks used anti-VM and anti-analysis tricks to cover their actions, which reinforces the need for security systems that could do more than just network-based detection.

The Talos researchers are warning everyone against opening documents from unknown senders as everything starts with a malicious office document. Additionally, users should be careful if Microsoft Office asks them to enable the Macro button. It is recommended that the user does not enable it, and companies should also be sticking to this policy. Endpoint detection is also essential for the detection of such malicious attacks.