Malicious Campaign Analysis: JScript RAT and CobaltStrike

June 7, 2024, 9:37 a.m.

Tags
obfuscation
rat
encryption
cobaltstrike
2024-06-07
jscript
jscript rat
External References
Description

This report examines a recent malicious campaign involving a JScript-based Remote Access Trojan (RAT) and its connections to the CobaltStrike penetration testing tool. The attack commences with an obfuscated JScript loader distributed through suspected phishing campaigns. Upon execution, it contacts a command and control (C&C) server to retrieve a second-stage loader. This loader employs WinHttpRequest and RC4 encryption to obtain the main RAT component, a JScript-based malware that maintains persistent communication with the C&C for receiving additional instructions. The report provides technical analysis of the malware components and speculates on potential connections to simulated attacks or threat actor testing based on observed IP ranges.

Date

Published: June 7, 2024, 8:59 a.m.

Created: June 7, 2024, 8:59 a.m.

Modified: June 7, 2024, 9:37 a.m.

Indicators

c1f3e0ac0304f947fdd617c3972f4388c13cd23639f486d530ab1b3a5d5f971f

b3c38e68a626f8f1e5893cd157b697a4b871153230f6658f0d34a8eba929cdbf

87852d6fdfe29086212810bf0f8e769bac46ad462cab145bf5543eab988c7d3b

76aa4f684481d2072ce85d80b14a2660bc912dcc47c787faad44cc21f01d7b9a

Attack Patterns

JScript RAT

T1053.005

T1059.001

T1059.007

T1071.001

T1105

T1219

T1140

T1027

T1059