Malicious Campaign Analysis: JScript RAT and CobaltStrike
June 7, 2024, 9:37 a.m.
Description
This report examines a recent malicious campaign involving a JScript-based Remote Access Trojan (RAT) and its connections to the CobaltStrike penetration testing tool. The attack commences with an obfuscated JScript loader distributed through suspected phishing campaigns. Upon execution, it contacts a command and control (C&C) server to retrieve a second-stage loader. This loader employs WinHttpRequest and RC4 encryption to obtain the main RAT component, a JScript-based malware that maintains persistent communication with the C&C for receiving additional instructions. The report provides technical analysis of the malware components and speculates on potential connections to simulated attacks or threat actor testing based on observed IP ranges.
Date
Published: June 7, 2024, 8:59 a.m.
Created: June 7, 2024, 8:59 a.m.
Modified: June 7, 2024, 9:37 a.m.
Indicators
c1f3e0ac0304f947fdd617c3972f4388c13cd23639f486d530ab1b3a5d5f971f
b3c38e68a626f8f1e5893cd157b697a4b871153230f6658f0d34a8eba929cdbf
87852d6fdfe29086212810bf0f8e769bac46ad462cab145bf5543eab988c7d3b
76aa4f684481d2072ce85d80b14a2660bc912dcc47c787faad44cc21f01d7b9a
Attack Patterns
JScript RAT
T1053.005
T1059.001
T1059.007
T1071.001
T1105
T1219
T1140
T1027
T1059