Hackers targeting Arabic-speaking countries with malicious Microsoft Office documents
Security researchers with Cisco's Talos Security Intelligence and Research Group discovered a new type of malware that attacks victims' devices through malicious Microsoft Office documents.
The malware is a Remote Access Trojan, also known as a RAT, that Talos analysts Warren Mercer, Paul Rascagneres, Vitor Ventura, and Eric Kuhla named "JhoneRAT" because it checks for new commands in the tweets from the handle @jhone87438316. The handle was suspended by Twitter, but JhoneRAT looks for new commands every 10 seconds, using an HTML parser to identify new tweets.
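The fixed 10-second polling of a single profile page is a signal defenders can hunt for in web proxy logs. The Python below is an added example, not code from Talos or from the original article: it flags clients that request the handle's page at that cadence. The log format (full URLs visible, as on a TLS-inspecting proxy), the jitter tolerance and the minimum request count are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlsplit

HANDLE = "jhone87438316"    # handle named in the article
EXPECTED_INTERVAL = 10.0    # seconds between checks, per the article
TOLERANCE = 2.0             # assumed allowance for jitter and proxy delay
MIN_REQUESTS = 6            # assumed minimum run before alerting

# Constructed proxy log (assumed format: ISO time, client IP, method, URL).
SAMPLE_LOG = """\
2020-01-01T09:00:00 10.0.0.5 GET https://twitter.com/jhone87438316
2020-01-01T09:00:10 10.0.0.5 GET https://twitter.com/jhone87438316
2020-01-01T09:00:20 10.0.0.5 GET https://twitter.com/jhone87438316
2020-01-01T09:00:31 10.0.0.5 GET https://twitter.com/jhone87438316
2020-01-01T09:00:40 10.0.0.5 GET https://twitter.com/jhone87438316
2020-01-01T09:00:50 10.0.0.5 GET https://twitter.com/jhone87438316
2020-01-01T09:00:00 10.0.0.9 GET https://twitter.com/jhone87438316
2020-01-01T09:05:00 10.0.0.9 GET https://twitter.com/jhone87438316
2020-01-01T09:00:00 10.0.0.7 GET https://twitter.com/home
2020-01-01T09:00:10 10.0.0.7 GET https://twitter.com/home
"""

def find_pollers(log_text):
    """Return {client_ip: stats} for clients polling the handle at ~10 s."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url = line.split()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        on_twitter = host == "twitter.com" or host.endswith(".twitter.com")
        if on_twitter and parts.path.strip("/").lower() == HANDLE:
            seen[client].append(datetime.fromisoformat(ts))
    hits = {}
    for client, stamps in seen.items():
        if len(stamps) < MIN_REQUESTS:
            continue  # a couple of visits looks like a person, not a poller
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps)
        if abs(mid - EXPECTED_INTERVAL) <= TOLERANCE:
            hits[client] = {"requests": len(stamps), "median_gap": mid}
    return hits

if __name__ == "__main__":
    for ip, stats in find_pollers(SAMPLE_LOG).items():
        print(ip, stats)
```

Using the median gap rather than the mean keeps one delayed request from hiding an otherwise regular poller.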
In a blog post and an email interview, Rascagneres and the Talos team explained that this malware has been used specifically to target people and systems in Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain, and Lebanon. "We don't know why specifically these countries, the attackers simply hardcoded these countries in the malware. The attackers had complete control of the compromised systems. The purpose of the campaigns was cyber espionage," Rascagneres said.