{
	"id": "03ff717b-cf5a-4ad9-a1ff-74bc64ae7fc4",
	"created_at": "2026-04-06T02:12:41.767234Z",
	"updated_at": "2026-04-10T03:22:03.529707Z",
	"deleted_at": null,
	"sha1_hash": "0d6411adbd2739963fdf958da17fa377064ccbf4",
	"title": "JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4878321,
	"plain_text": "JasperLoader Emerges, Targets Italy with Gootkit Banking Trojan\r\nBy Edmund Brumaghin\r\nPublished: 2019-04-25 · Archived: 2026-04-06 01:36:13 UTC\r\nNick Biasini and Edmund Brumaghin authored this blog post with contributions from Andrew Williams.\r\nIntroduction to JasperLoader\r\nMalware loaders are playing an increasingly important role in malware\r\ndistribution. They give adversaries the ability to gain an initial foothold on a\r\nsystem and are typically used to deliver various malware payloads following\r\nsuccessful compromise. These attacks are popping up more frequently, as we\r\ncovered in July with Smoke Loader and Brushaloader earlier this year. Loaders\r\nallow attackers to decide which malware to drop based on how they feel they can\r\nbest monetize the access they gained. While malware loaders are commonly seen\r\nwith email-based threats, they have also been prevalent within the exploit kit\r\nlandscape for years. Recently, Cisco Talos observed an increase in loader activity\r\nbeing used to deliver various malware to systems located in various European\r\ncountries.\r\nSpecifically, we're tracking a loader known as \"JasperLoader,\" which has been increasingly active over the past\r\nfew months and is currently being distributed via malicious spam campaigns primarily targeting central European\r\ncountries with a particular focus on Germany and Italy. JasperLoader employs a multi-stage infection process that\r\nfeatures several obfuscation techniques that make analysis more difficult. It appears that this loader was designed\r\nwith resiliency and flexibility in mind, as evidenced in later stages of the infection process.\r\nOver the past several months, we've seen several spam campaigns with signed emails attempting to infect victims\r\nwith JasperLoader and ultimately the Gootkit banking trojan. 
Message signing makes use of certificates'\r\nverification to confirm the authenticity of the person sending the email, as only those with access to the private\r\nkeys should be able to sign the message. Message signing is not the same as message encryption and is used only\r\nto validate the identity of the message sender not to guarantee the confidentiality of the message itself. Talos has\r\nidentified several malicious campaigns making use of this type of message signing as a way to lend credibility to\r\ntheir messages and maximize the likelihood that potential victims will open the malicious attachments.\r\nMalicious spam campaigns\r\nAs with many email-based threats, Talos observed multiple distinct campaigns\r\nbeing leveraged to distribute JasperLoader. Each campaign featured various email\r\nhttps://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html\r\nPage 1 of 23\n\ntemplates and downloader configurations. Each campaign was also relatively\r\nlocalized and featured multiple languages specific to each of the countries that\r\nwere being targeted. Most of the campaign activity targeted European countries\r\nwith a specific focus on Italy. However, we have identified campaigns targeting\r\ncountries outside of Europe. Below is an example of an email associated with one\r\nof the campaigns targeting Germany.\r\nFigure 1: Example email (German)\r\nThe email is fairly basic and includes an attached ZIP archive. The subject line \"Zahlungserinnerung\" roughly\r\ntranslates to \"Payment Reminder,\" which is a theme consistent with many of the malspam campaigns commonly\r\nobserved in the wild. This particular campaign leveraged a Visual Basic for Applications (VBS) script that was\r\nresponsible for initiating the JasperLoader infection process. We'll dive into the obfuscated script later. The\r\ncampaigns targeting Germany were some of the only ones that were observed using VBS files to initiate the\r\nJasperLoader infection. 
Most of the attacks generally used DOCM files to download JasperLoader, and ultimately\r\nGootkit.\r\nAs previously mentioned, most of the JasperLoader campaign activity that has been observed over the past few\r\nmonths has been targeting Italy. As can be seen in the screenshot below, these emails are significantly different\r\nthan those seen in the other campaigns. Rather than containing a malicious file attachment, these emails purport\r\nthat they are notifications associated with the receipt of a \"certified email\" and contain an attached EML file.\r\nThe threat actors distributing JasperLoader are leveraging a legitimate certified email service called Posta\r\nElettronica Certificata (PEC) to distribute these emails. This is a certified email service related to legislation\r\nrecently passed in Italy involving new requirements associated with electronic invoicing that took effect at the\r\nbeginning of 2019. This new legislation requires Italian businesses to use electronic invoicing to deliver invoices\r\nfor both business-to-business (B2B) and business-to-consumer (B2C) transactions. 
Attackers have recognized that\r\nthis is an attractive way to leverage an already trusted email service to maximize the likelihood that they can\r\nconvince potential victims to open their malicious emails.\r\nFigure 2: Example \"Certified\" email\r\nOne of the requirements associated with this new legislation is that all electronic invoicing emails must be signed\r\nand sent using a new platform called \"Sistema di Interscambio (SDI).\" Additionally, invoices should be sent using\r\na specific XML-based format for consumption and that format should be verified and its validity confirmed before\r\nbeing transmitted to the recipient of the invoice.\r\nAs you can see, this particular campaign is leveraging this service, which allows them to transmit messages that\r\nmeet the requirements associated with this new legislation and abuse the trust between potential victims and the\r\ncertified email service.\r\nFigure 3: Certificate details\r\nThe certificate itself is valid and associated with the PEC certified email service that was described above. Using\r\nthe PEC certified email service, organizations are allowed to send attachments of up to 30MB to recipients. Posta\r\nElettronica Certificata (PEC) is currently being widely used in Italy, Switzerland and Hong Kong and allows\r\npeople to send registered email messages. The idea behind this project is to allow anyone — whether living in the\r\ncountry or not — to communicate through official channels, while allowing for the verification of the authenticity\r\nof the message sender. 
This service enables the communication of official business-related information without\r\nrelying on physical mail services, facilitating faster real-time communications.\r\nFigure 4: Certificate properties\r\nThe campaigns observed to be leveraging the PEC service contained emails that claim to be notifications of the\r\nreceipt of a \"certified email message\" and featured EML attachments. The screenshot below shows what one of\r\nthese EML attachments looks like when opened by potential victims.\r\nFigure 5: Attached email message\r\nAs can be seen above, the attached EML files contain attached ZIP archives that hold Microsoft Word DOCM files\r\nthat reference the same invoice as the emails to which they were attached. The DOCM files contain malicious\r\nembedded VBA macros that initiate the JasperLoader infection process. The metadata associated with the DOCM\r\nfiles used across many of the campaigns has been observed containing the string value \"VPS2day\" in several of\r\nthe metadata fields.\r\nFigure 6: ZIP attachment contents\r\nFigure 7: Document properties\r\nTalos identified multiple unique malicious DOCM files associated with JasperLoader campaigns taking place over\r\nthe course of several weeks. An example search for files with metadata containing the string \"VPS2day\" resulted\r\nin 167 unique files in VirusTotal.\r\nFigure 8: Metadata search results\r\nIn addition to the campaigns using malicious DOCM files to distribute JasperLoader, we also observed messages\r\ncontaining malicious JS downloaders. There were also some campaigns that featured legitimate and malicious file\r\nattachments. For example, some of the observed campaigns included ZIP files containing JS and XML files and\r\nbenign PDF invoices. 
In several of the campaigns, some of the files were improperly named. For example, the\r\nXML files were .XM instead of .XML and the PDF invoices were .PF instead of .PDF.\r\nSubtle changes like this can be surprisingly effective when attempting to convince potential victims to open file\r\nattachments. Talos also observed campaigns that leveraged PDF attachments that contained no file extension\r\nwhatsoever. Investigating the PEC certified email service, we identified that this service is being widely abused by\r\nthreat actors for a variety of malicious purposes dating back to the beginning of 2019 when the legislative\r\nrequirements took effect.\r\nOne other interesting aspect of this campaign was its utilization of Domain Shadowing, a technique Cisco Talos\r\ndiscovered, which was pioneered by exploit kit users back in 2015. This technique allows the adversary to host\r\nmalicious content on subdomains associated with legitimate domains. This is typically achieved through abuse of\r\nthe registrant account, allowing for the creation of subdomains pointing to adversary-owned infrastructure.\r\nJasperLoader details\r\nMicrosoft Word documents were attached to several of these malicious emails.\r\nWhen opened, these documents displayed this decoy image:\r\nFigure 9: Example of a malicious Word document\r\nThe message displayed in the image is in Italian, and translates to:\r\nThis file was created with a prior Microsoft Office 365 version. To view the contents you need to click on the\r\n\"Enable modifications\" button, located on the yellow bar at the top, and then click on \"Enable content.\"\r\nJasperLoader Stage 1\r\nThe Microsoft Word documents contain malicious macros that execute JasperLoader and start\r\nthe infection process. 
Using the Python oletools package, we can further analyze the macro\r\nexecution and determine how the infection process takes place.\r\nFigure 10: Analysis results using oletools\r\nAs displayed in the screenshot above, oletools detects the presence of the VBA macros embedded within the Word\r\ndocument. The macro is configured to execute when the Word document is opened and is responsible for\r\nexecuting the commands to initiate the infection. The presence of \"Chr\" within the VBA macros may indicate that\r\nthe macros have been obfuscated, which we will walk through to provide an example of the process analysts can\r\ntake to analyze these types of malware loaders.\r\nIn addition to the use of Microsoft Word documents, Talos also observed the use of ZIP archives that directly\r\ncontain VBS downloaders. The infection process is the same in both cases. While the obfuscation differs slightly\r\nbetween the two types of campaigns, the approach is very similar. We will walk through the infection process\r\nusing the VBS with the following hash (SHA256):\r\ndc78dbd42216fdb64c1e40c6f7a2fad92921f70c40446d62eb1873d6b77ee04c.\r\nAs previously reported by oletools, the macros have been obfuscated to make static analysis more difficult. The\r\nmacros define a variable and then an array containing a large number of elements.\r\nFigure 11: Obfuscated VBScript array\r\nAt the end of the script, the following code is responsible for performing a mathematical operation on all of the\r\nnumbers in the array, reconstructing it into code that can be executed, and then executing it to continue the\r\ninfection process:\r\nFigure 12: VBScript array reconstruction\r\nThe value assigned to the variable d1 is 267. 
To identify what is actually going to be executed, we can subtract\r\n267 from each of the numbers present in the array and convert the resulting value into the corresponding VBScript\r\ncharacter using a conversion table similar to the one available here.\r\nOnce we have replaced the array values with the correct VBScript character value, we can see that the VBScript is\r\nresponsible for executing PowerShell commands. However, there are still a lot of artifacts from the VBScript\r\nobfuscation present, which makes additional analysis difficult. Talos has observed that the value used for the\r\nsubtraction changes frequently across samples, but that the logic remains the same.\r\nFigure 13: Converted VBScript character values\r\nThe next step is to remove all of the unnecessary characters that were part of the VBScript obfuscation to recreate\r\nthe VBScript, as well as the PowerShell associated with this stage of the infection. Once we have removed these\r\nextra characters, we are left with the following partially obfuscated code:\r\nFigure 14: Partially obfuscated script\r\nSeveral string values have been inserted into the PowerShell that the VBScript will execute in order to avoid\r\nstring-based detection and make much of the PowerShell unreadable. A closer look at the portion of the\r\nPowerShell instructions that haven't been obfuscated shows that during the execution process, -replace will be used\r\nto remove these extra string values to allow for the reconstruction of the obfuscated PowerShell. Examples of this\r\noperation can be seen in the below syntax:\r\n-replace '6ayBRVW',\"\";\r\n-replace 'uVRWRut',\"\";\r\n-replace '6xzQCRv',\"\";\r\nThis code instructs the system to replace these three string values throughout the script with nothing, effectively\r\nremoving them and allowing the PowerShell code to properly execute. 
Manually removing all references to these\r\nthree strings results in the following:\r\nFigure 15: Deobfuscated Stage 1 Powershell\r\nThis script performs the following operations:\r\nCalls WScript and uses it to execute PowerShell.\r\nPowerShell is used to invoke the Get-UICulture cmdlet to identify the language set used on the system.\r\nIf the language set is associated with one of the following countries, the infection process terminates:\r\nRussia\r\nUkraine\r\nBelarus\r\nThe People's Republic of China\r\nDownloads additional data from the following URLs:\r\nhxxp://cdn[.]zaczvk[.]pl/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php?vid=\r\nhxxps://www[.]telekom[.]de/resources/images/130468/eSS-illustrations-V006-MeineErsteRechnung-FN-SG.png\r\nhxxp://cloud[.]diminishedvaluecalifornia[.]com/501?dwgvhgc\r\nThe data downloaded from the aforementioned URLs is saved to the following file location, respectively:\r\n%TEMP%\\SearchIE32.js\r\n%TEMP%\\illustrations5543.png\r\n%TEMP%\\AdobeAR.exe\r\nExecutes the downloaded files, continuing the infection process.\r\nThe infection process then continues with the execution of the contents that were retrieved from the\r\nattacker's distribution servers.\r\nJasperLoader Stage 2\r\nAs previously mentioned, the PowerShell executed in Stage 1 is responsible for reaching out to\r\nthree distinct URLs used to retrieve and execute content on infected systems. The first URL that is\r\ndefined is: hxxp://cloud[.]diminishedvaluecalifornia[.]com/501?dwgvhgc.\r\nThe malware loader initiates an HTTP GET request for contents hosted at the aforementioned URL and returns a\r\nnumerical value from the attacker-controlled server. 
Note that the code is present within the Content Body of the\r\nHTTP Server Response:\r\nFigure 16: Example HTTP GET request\r\nAs defined by the Powershell instructions in Stage 1, the returned content is then saved to\r\n%TEMP%\\AdobeAR.exe.\r\nIn addition to the value \"500\" that is returned to the client, Talos has also observed additional codes being returned\r\nsuch as \"404,\" \"408,\" etc. In all of the cases Talos observed, the HTTP Response Code remains 200 OK, but the\r\ncode present in the Content Body varies.\r\nThe malware loader also reaches out to the attacker's server at\r\nhxxp://cdn[.]zaczvk[.]pl/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php?vid=.\r\nFollowing an HTTP GET request by the malware loader, the malicious server responds by sending back an HTTP\r\nresponse that contains obfuscated JavaScript:\r\nFigure 17: Stage 2 obfuscated JavaScript\r\nAs defined in Stage 1, the contents of the returned JavaScript are saved to the %TEMP%\\SearchIE32.js and\r\nexecuted. The contents have been obfuscated to make analysis more difficult. Similar to what was seen with the\r\nVBScript obfuscation in the previous stage of the infection, the code defines an array, and then uses push() to\r\ncreate the string of obfuscated data. JavaScript code at the end of the returned content is responsible for\r\nreassembling, deobfuscating, and then using eval() to execute the JavaScript.\r\nFigure 18: JavaScript execution functionality\r\nThe good news with JavaScript obfuscation is that, typically, the code deobfuscates itself prior to execution.\r\nRather than attempt to manually deobfuscate the JavaScript, we can rely on this behavior to have the code\r\ndeobfuscate itself automatically. 
In order to more efficiently deobfuscate and analyze the malicious JavaScript, we\r\ncan use an analysis tool like Malzilla.\r\nFigure 19: Malzilla decoder tab\r\nMalzilla will deobfuscate the JavaScript and display it in the lower pane. In the case of JasperLoader, this results\r\nin another script containing a partially obfuscated set of PowerShell instructions that defines how the malware will\r\ncontinue the infection process.\r\nFigure 20: Malzilla output\r\nThe returned script is partially obfuscated using the same method we encountered previously. As we saw before,\r\nwe simply need to remove the junk strings included throughout the script to fully deobfuscate it. Once those\r\nstrings are removed, we are left with a script that looks similar to what we saw earlier, with a few changes\r\nincluded:\r\nFigure 21: Stage 2 PowerShell deobfuscated\r\nThis script is responsible for performing the retrieval of the commands associated with the next stage of the\r\ninfection process. It performs the following actions:\r\nCalls WScript and uses it to execute PowerShell.\r\nPowerShell is used to invoke the Get-UICulture cmdlet to identify the language set used on the system.\r\nIf the language set is associated with one of the following countries, the infection process terminates:\r\nRussia\r\nUkraine\r\nBelarus\r\nThe People's Republic of China\r\nDownloads additional data from:\r\nhxxp://cdn[.]zaczvk[.]pl/crypt0DD1D2637FDB71097213D70B94E86930.php\r\nSaves the downloaded contents to %TEMP%\\SearchIE32.txt\r\nReads the contents of the downloaded file and performs a Regex based replacement to deobfuscate it.\r\nExecutes the deobfuscated code to continue the infection process. 
In addition to retrieving the data required\r\nto continue the infection process, the script also implements a Sleep cmdlet for 180 seconds then attempts\r\nto retrieve the latest obfuscated JavaScript that is hosted at the same URL that was referenced in Stage 1.\r\nFigure 22: Stage 2 — JavaScript retrieval\r\nThis JavaScript is then executed again. This mechanism ensures that as the attackers modify\r\nthe infection process, any previously infected systems automatically retrieve the\r\nmodifications and are updated accordingly. This demonstrates an approach that ensures that this loader can be\r\nused repeatedly, potentially to deliver different malware payloads over time.\r\nAs previously mentioned, the malware makes an HTTP GET request to the following URL to obtain additional\r\ninstructions from the attacker-controlled server:\r\nhxxp://cdn[.]zaczvk[.]pl/loadercrypt_823EF8A810513A4071485C36DDAD4CC3.php.\r\nFigure 23: Stage 3 retrieval\r\nThe obfuscated data that is returned by the server is then saved to %TEMP%\\SearchIE32.txt. The script then reads\r\nback the contents of this file and performs a regex replacement operation to deobfuscate it so that it can be\r\nexecuted:\r\nFigure 24: Stage 3 deobfuscation instructions\r\nIn order to further analyze the infection process, we need to deobfuscate the contents that were retrieved by the\r\nPowerShell. 
One way is to manually perform the same operation as the PowerShell.\r\nIn the previous screenshot, the following line of PowerShell is responsible for deobfuscating the code that was\r\npreviously retrieved and adding it to the end of a variable assignment, which is later executed:\r\nFigure 25: Stage 3 deobfuscation regex\r\nAs the SearchIE32.txt file is read back in, the -replace statement is responsible for removing two of every three\r\ncharacters from the file to deobfuscate and reconstruct the PowerShell commands to be executed. The operation\r\nlooks like this:\r\nThe obfuscated code contains a lot of junk code:\r\n0zig7fs9(y4 7b(i6G7aet5tvf-giUdtIacC4zuxelactd7u6wr53ehy)26.izNejahgm71ewf ga-99mefau6twyctvhu6 6w'cxRf7Ua5|5aU\r\nFor every three characters present in the obfuscated code, the first two characters are removed and the remaining\r\ncharacter is added to the end of the variable $jwihbyjzvhwwziwzadiuxat\r\nFor example, the string:\r\n0zig7fs9(y4 7b(i6G7aet5tvf-giUdtIacC4zuxelactd7u6wr53ehy)26.izNejahgm71ewf ga-99mefau6twyctvhu6 6w'cxRf7Ua5|5aU\r\nBecomes the PowerShell command:\r\nif( (Get-UICulture).Name -match 'RU|UA|BY|CN'){ exit; }\r\nIn order to more efficiently deobfuscate the next stage of instructions, we will leverage the PowerShell ISE\r\nconsole to unpack the code for us. We can do this by copying the data retrieved from the server to our system and\r\nmodifying the same PowerShell commands specified in the aforementioned script:\r\nFigure 26: PowerShell ISE Input\r\nNow that the variable $jwihbyjzvhwwziwzadiuxat contains the deobfuscated code, we can simply retrieve the\r\ncurrent value stored in this variable:\r\nFigure 27: Using PowerShell ISE to retrieve code\r\nThis causes the PowerShell ISE console to provide the deobfuscated commands that will be used for the next\r\nseries of operations. 
We can now retrieve this information and continue our analysis.\r\nFigure 28: PowerShell ISE Stage 3 output\r\nJasperLoader Stage 3\r\nNow that we have obtained the PowerShell responsible for the next stage of the infection process,\r\nwe can begin to observe the main characteristics of the malware loader itself. Below is the\r\nPowerShell code associated with this stage of operations.\r\nFigure 29: Stage 3 deobfuscated PowerShell\r\nAs can be seen in the screenshot above, this is where the majority of the activity associated with JasperLoader\r\ntakes place. The PowerShell present in this stage is responsible for the operations described in the following\r\nsections.\r\nGeolocation checks\r\nThe PowerShell associated with Stage 3 of the JasperLoader infection process performs exactly the same\r\ngeolocational verification that we have observed in all previous stages of the infection. It checks the\r\nUICulture of the system and terminates execution if the UICulture matches Russia, Ukraine, Belarus, or\r\nPeople's Republic of China.\r\nFigure 30: Stage 3 geolocation check\r\nAchieving persistence\r\nThe next series of actions are associated with maintaining access to the system. A function called\r\nCreateShortcut() is defined that is responsible for achieving persistence by creating a LNK shortcut in the\r\nStartup folder of the infected system to ensure that the malware will execute when the system reboots.\r\nFigure 31: Stage 3 persistence mechanism\r\nBot ID generation\r\nThe malware also queries the system using WMI and retrieves various pieces of information that are used\r\nto generate a unique identifier for the infected system. This information is later transmitted to the C2 server\r\nto register the newly infected system and allow for it to be uniquely identified. 
These activities are\r\nperformed by the CreateID() function that is defined, as shown below:\r\nFigure 32: Stage 3 BotID generation\r\nBot registration and command retrieval\r\nThe infected system then uses an HTTP GET request to beacon out to the command and control (C2) server\r\nand transmits the unique bot identifier to register the new bot. It also waits for a response from the C2\r\nserver to determine how to proceed:\r\nFigure 33: Stage 3 C2 registration\r\nAs can be seen in the observed screenshot, the C2 server issues HTTP responses that include pipe-delimited\r\nparameters that provide additional commands to JasperLoader and direct it how to proceed.\r\nSupported commands:\r\nJasperLoader currently has support for three distinct commands that may be received from the\r\nC2 server during this operation. They are denoted by the first character that is present in the\r\nresponse received from the C2 server. (Such as the letter \"d\" in the previous screenshot.)\r\nUpdate mechanism (\"u\")\r\nThe \"u\" command may be received from the C2 server and directs JasperLoader to attempt to\r\nupdate itself using the parameters received from the C2 which are handled as values in an array assigned to\r\nthe variable $action.\r\nFigure 34: Stage 3 update mechanism\r\nBot management mechanism (\"m\")\r\nThe \"m\" command provides a mechanism with which the attacker can execute arbitrary system commands\r\nusing PowerShell on infected systems. The loader waits for a response from the C2 server that contains\r\npipe-delimited information. 
It retrieves PowerShell commands from C2 and passes them to the Invoke-Expression (IEX) PowerShell cmdlet so that they can be executed.\r\nFigure 35: Stage 3 bot management\r\nDownload mechanism (\"d\")\r\nThe \"d\" command directs the infected system to retrieve the final malware payload and provides the\r\nparameters with which this operation should take place. It informs JasperLoader where to go to retrieve\r\nthe final malware payload, where to save it, and where to send status updates following successful\r\ndeployment of the final payload.\r\nFigure 36: Stage 3 download Function I\r\nFigure 37: Stage 3 download Function II\r\nIt also creates a Windows Defender AV exclusion for the directory in which the PE32 will be stored if the system\r\nis running PowerShell version 4 or higher.\r\nFigure 38: Stage 3 Windows defender exclusion\r\nThe system then attempts to retrieve the PE32 file that is the malicious payload in this particular infection. The\r\nscreenshot below shows the C2 server delivering the malicious PE32 file to the infected system.\r\nFigure 39: Stage 3 payload delivery\r\nThe status of the successful deployment of the malware payload is then further communicated to the attacker's\r\nserver.\r\nFigure 40: Post-infection status update\r\nIn this particular case, the malicious payload being delivered by JasperLoader is a widely distributed banking\r\ntrojan called \"Gootkit.\" This malware mainly looks to steal users' information and can act as a backdoor to the\r\ncompromised machine.\r\nConclusion\r\nJasperLoader is a malware loader that features a multi-stage infection process.\r\nThis process has been constructed in a way that makes the loader resilient and\r\nprovides flexibility to adversaries that are attempting to leverage it to spread\r\nmalware. 
While it is currently being used to spread the Gootkit banking trojan, it\r\nwill likely be used to distribute additional malware payloads in the future, as it has\r\nbeen designed in a way that allows the operators of the loader's infrastructure to\r\nuse it for new payloads in the future as they choose to monetize their operation in\r\ndifferent ways. The choice to abuse certified email services such as PEC\r\ndemonstrates that attackers are always looking for new ways to lend credibility\r\nto their social engineering attacks. In this case, abusing a legitimate email service\r\nallowed them to deliver their malicious emails in a way that would maximize the\r\nlikelihood that a potential victim would open the attachments and infect\r\nthemselves with JasperLoader. In addition to the various threats that we have\r\nalready observed abusing these services, we expect additional threats to begin\r\nleveraging them as well.\r\nCoverage\r\nAdditional ways our customers can detect and block this threat are listed below.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nCisco Cloud Web Security (CWS) or Web Security Appliance (WSA) web scanning prevents access to malicious\r\nwebsites and detects malware used in these attacks.\r\nEmail Security can block malicious emails sent by threat actors as part of their campaign.\r\nNetwork Security appliances such as Next-Generation Firewall (NGFW), Next-Generation Intrusion Prevention\r\nSystem (NGIPS), and Meraki MX can detect malicious activity associated with this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nUmbrella, our secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs, and URLs,\r\nwhether users are on or off the corporate 
network.\r\nAdditional protections with context to your specific environment and threat data are available from the Firepower\r\nManagement Center.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nIndicators of compromise\r\nThe following IOCs are associated with various malware distribution campaigns\r\nthat were observed during the analysis of JasperLoader activity.\r\nAttachment hashes (SHA256)\r\nA list of hashes observed to be associated with malicious email attachments can be found here.\r\nDomains\r\nA list of domains observed to be associated with JasperLoader can be found here.\r\nIP addresses\r\nA list of IP addresses observed to be associated with JasperLoader can be found here.\r\nSource: https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html"
	],
	"report_names": [
		"jasperloader-targets-italy.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775441561,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0d6411adbd2739963fdf958da17fa377064ccbf4.pdf",
		"text": "https://archive.orkl.eu/0d6411adbd2739963fdf958da17fa377064ccbf4.txt",
		"img": "https://archive.orkl.eu/0d6411adbd2739963fdf958da17fa377064ccbf4.jpg"
	}
}