Mallory threat profile
Tags: Malware, Ransomware-related. Used by 5 actors. Exploits 2 CVEs.

JSSLoader

JSSLoader is a malware loader and remote access trojan associated with FIN7/ELBRUS (also tracked as Sangria Tempest, Carbon Spider) and distributed in many campaigns by Storm-0324/TA543. It has been used since at least 2019 as an initial-access and staging payload that profiles infected systems, communicates with command-and-control infrastructure, establishes persistence, and executes or loads additional payloads. Reported follow-on payloads include Griffon, Cobalt Strike, and ransomware-related tooling. Microsoft states JSSLoader has facilitated access for Sangria Tempest, and Microsoft also describes ELBRUS/FIN7 as responsible for developing and distributing JSSLoader and Griffon.

The malware was originally observed as a .NET family and reappeared in June 2021 rewritten in C++, most likely to evade existing detections and complicate analysis. The name derives from its "JSS" namespace and the "jssAdmin" login page of its command-and-control panel. Historical reporting states JSSLoader used HTTPS with base64-encoded data for C2, sent detailed host information in its initial beacon, and later shifted beacon formatting to JSON. The June 2021 C++ variant retained similar functionality and protocol behavior, and one observed sample established persistence through a registry Run key value named "AppJSSLoader."

Observed delivery vectors include large-scale phishing and other social-engineering chains. Campaigns used invoice, payment, package-delivery, UPS, Intuit, DocuSign, and QuickBooks themes; traffic distribution systems such as BlackTDS and Keitaro; SharePoint-hosted scripts or archives; Windows Script File, VBScript, JavaScript, and Office-document-based launchers; and, in some FIN7 activity, malicious Microsoft Excel add-in files (.xll). In the XLL infection chain, opening the unsigned Excel add-in causes EXCEL.EXE to download and execute JSSLoader from the user TEMP directory as a DNA-prefixed .tmp file. Domains explicitly identified in delivery activity include physiciansofficenews.com, thechinastyle.com, and divorceradio.com; one example DNS resolution for physiciansofficenews.com was 209.99.64.51.

Reported targeting spans broad opportunistic campaigns against hundreds of organizations across finance, manufacturing, technology, retail, healthcare, education, and transportation. Separate FIN7-focused reporting notes longstanding targeting of U.S. retail, restaurant, and hospitality organizations. Detection telemetry and attack-simulation content for this family also record access to browser SQL databases, consistent with collection and possible exfiltration of browser-stored data.

Indicators named in the cited reporting include the registry Run key value "AppJSSLoader"; Excel-launched DNA-prefixed temporary payloads such as C:\Users\chris\AppData\Local\Temp\DNAxxx.tmp (the user name and the suffix vary per victim); the delivery domains physiciansofficenews.com, thechinastyle.com, and divorceradio.com; the XLL sample SHA256 8783EB00ACB3196A270C9BE1E06D4841BF1686C7F7FC6E009D6172DAF0172FC6; and an example JSSLoader payload SHA256 45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41. The domains and hashes come from activity several years old (the IOC table below records their last sightings about five years ago), so treat them as historical and rely on the behavioural indicators, the Run key value and EXCEL.EXE writing and then launching a DNA*.tmp file from %TEMP%, for current hunting.
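A hunt over endpoint telemetry for the indicators named above, as an added example (not Mallory's or any vendor's code): it matches the AppJSSLoader Run key value, EXCEL.EXE writing and then launching a DNA*.tmp file under %TEMP%, the delivery domains (including their subdomains) and the two SHA-256 hashes. The event records, their field names and the host names are constructed for the example; real EDR schemas differ and should be mapped onto match_event.

```python
"""Hunt for JSSLoader indicators in endpoint telemetry.

Added example, not Mallory's or any vendor's code. The indicators are the
ones named in the profile above (AppJSSLoader Run key value, EXCEL.EXE
writing and launching DNA*.tmp under %TEMP%, the three delivery domains,
the two SHA-256 hashes). The event records and their field names are
constructed for the example and are not any EDR's real schema.
"""
import re

DELIVERY_DOMAINS = {"physiciansofficenews.com", "thechinastyle.com", "divorceradio.com"}
KNOWN_SHA256 = {
    "8783eb00acb3196a270c9be1e06d4841bf1686c7f7fc6e009d6172daf0172fc6",  # XLL sample
    "45fa7a26a0dba954080147caab78453e7935dc4916418150a37f09b2ba263b41",  # JSSLoader payload
}
# Value name under any user's Run key (Sysmon/EDR style "key\value" paths).
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\AppJSSLoader$", re.IGNORECASE)
# DNA-prefixed .tmp in the user's %TEMP%, the XLL chain's drop location.
TEMP_DNA_RE = re.compile(r"\\AppData\\Local\\Temp\\DNA[^\\]*\.tmp$", re.IGNORECASE)


def domain_matches(query: str) -> bool:
    """Exact or subdomain match against the delivery domains."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in DELIVERY_DOMAINS)


def match_event(ev: dict) -> list:
    """Return the indicator names an event matches; [] means clean."""
    hits = []
    kind = ev.get("type")
    if kind == "registry_set" and RUN_KEY_RE.search(ev.get("key", "")):
        hits.append("run_key_AppJSSLoader")
    if kind == "file_create":
        # Excel itself writing DNA*.tmp is the XLL-chain signal; other
        # writers of DNA*.tmp are left alone to keep noise down.
        if TEMP_DNA_RE.search(ev.get("path", "")) and ev.get("image", "").lower().endswith("excel.exe"):
            hits.append("excel_writes_dna_tmp")
    if kind == "process_create":
        if TEMP_DNA_RE.search(ev.get("image", "")) and ev.get("parent_image", "").lower().endswith("excel.exe"):
            hits.append("excel_launches_dna_tmp")
    if ev.get("sha256", "").lower() in KNOWN_SHA256:
        hits.append("known_sha256")
    if kind == "dns_query" and domain_matches(ev.get("query", "")):
        hits.append("delivery_domain")
    return hits


def hunt(events) -> dict:
    """Group matched indicator names by host, in event order."""
    findings = {}
    for ev in events:
        for hit in match_event(ev):
            findings.setdefault(ev["host"], []).append(hit)
    return findings


# Constructed sample telemetry (not real logs). ws01 reproduces the XLL
# chain end to end; ws02 is noise that should not fire.
EXCEL = r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
SAMPLE_EVENTS = [
    {"type": "dns_query", "host": "ws01", "query": "physiciansofficenews.com", "answer": "209.99.64.51"},
    {"type": "file_create", "host": "ws01", "image": EXCEL,
     "path": r"C:\Users\chris\AppData\Local\Temp\DNA1F2.tmp",
     "sha256": "45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41"},
    {"type": "process_create", "host": "ws01", "parent_image": EXCEL,
     "image": r"C:\Users\chris\AppData\Local\Temp\DNA1F2.tmp"},
    {"type": "registry_set", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AppJSSLoader",
     "data": r"C:\Users\chris\AppData\Local\Temp\DNA1F2.tmp"},
    {"type": "file_create", "host": "ws02", "image": r"C:\Windows\System32\svchost.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\DNA77.tmp", "sha256": "00" * 32},
    {"type": "dns_query", "host": "ws02", "query": "www.example.com", "answer": "93.184.216.34"},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, ", ".join(hits))
```

The file-create and process-create checks deliberately require EXCEL.EXE as the writer or parent: a DNA*.tmp written by some other process is common enough in normal Windows activity that matching on the name alone would bury the real signal.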


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability. Weigh the two differently: the CVE-2023-21715 excerpt ties the exploit directly to the Storm-0324 delivery chain, whereas the CVE-2021-31207 excerpt only describes ELBRUS's malware development and does not itself mention Exchange or ProxyShell, so that correlation rests on the wider source report rather than on the evidence quoted here.

CVE-2023-21715: Microsoft Publisher Security Feature Bypass Vulnerability (exploited in the wild)

"Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability."

"The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest."

Source: Microsoft (microsoft.com)

CVE-2021-31207: Post-auth Arbitrary File Write in Microsoft Exchange Server (ProxyShell)

"ELBRUS is responsible for developing and distributing multiple custom malware families used for persistence, including JSSLoader and Griffon."

Source: Microsoft (microsoft.com)
THREAT ACTORS

Groups observed using it

5 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

FIN7, Carbanak, TA543, TA3546

The same Proofpoint passage is cited for each of these four names:

"After a months-long absence, the malware loader JSSLoader returned in June 2021 campaigns rewritten from the .NET programming language to C++. JSSLoader is often dropped in the first or second stage of a campaign and has the functionality to profile infected machines and load additional payloads."

Source: Proofpoint (proofpoint.com)

Storm-0324

"The actor is known to distribute the JSSLoader malware, which facilitates access for the ransomware-as-a-service (RaaS) actor Sangria Tempest."

Source: Microsoft (microsoft.com)
MITRE ATT&CK

Techniques & procedures

22 distinct techniques documented for this family, organized by ATT&CK tactic. The evidence count is the number of source excerpts Mallory ties to the technique; one excerpt is shown per technique. T1547.001 appears under both Persistence and Privilege Escalation, as it does in ATT&CK.

Initial Access (4 techniques)

T1189 Drive-by Compromise (evidence: 1)

"Storm-0324 manages a malware distribution chain and has used exploit kit and email-based vectors to deliver malware payloads."

T1566 Phishing (evidence: 4)

"ELBRUS is very active in compromising organizations via phishing campaigns that lead to their JSSLoader and Griffon malware."

T1566.002 Spearphishing Link (evidence: 2)

"The email contained URLs linking to a Keitaro TDS landing. In turn, the landing linked to the download of a Windows Scripting File (WSF) hosted on SharePoint."

T1566.003 Spearphishing via Service (evidence: 1)

"In July 2023, Storm-0324 began using phishing lures sent over Teams with malicious links leading to a malicious SharePoint-hosted file. For this activity, Storm-0324 most likely relies on a publicly available tool called TeamsPhisher."

Execution (5 techniques)

T1059 Command and Scripting Interpreter (evidence: 1)

"If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader."

T1059.005 Visual Basic (evidence: 3)

"The TDS would direct the user to download another file, a VBS downloader, hosted on SharePoint. The VBS downloader would then download JSSLoader."

T1059.007 JavaScript (evidence: 3)

"Its commands and functionality focused on executing a next-stage executable or JavaScript."

T1204 User Execution (evidence: 2)

"If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader."

T1204.002 Malicious File (evidence: 2)

"Once the file is downloaded and opened, the malicious code in the file is loaded and executed by Excel."

Persistence (2 techniques)

T1137.006 Office Application Startup: Add-ins (evidence: 1)

"These infections have been utilizing Microsoft Excel add-in files (XLL files) to drop the JSSLoader trojan to victim machines."

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

"It sets up "registry run" persistence using a value name of "AppJSSLoader""

Privilege Escalation (1 technique)

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

"It sets up "registry run" persistence using a value name of "AppJSSLoader""

Defense Evasion (3 techniques)

T1027 Obfuscated Files or Information (evidence: 1)

"In some cases, Storm-0324 uses protected documents for additional social engineering... The password also serves as an effective anti-analysis measure because it requires user interaction after launch."

T1036 Masquerading (evidence: 1)

"The XLL file downloads a .tmp file with the DNA prefix in the %TEMP% directory of the user, then executes this temporary file... The use of the .tmp extension is to bypass malware scanners and monitoring tools... The temporary file created can still be executed and is just a way of masquerading."

T1211 Exploitation for Defense Evasion (evidence: 1)

"Storm-0324 has used a variety of files to host the JavaScript code, including WSF and Ekipa publisher files exploiting the CVE-2023-21715 local security feature bypass vulnerability."

Discovery (2 techniques)

T1033 System Owner/User Discovery (evidence: 1)

"Windows System Discovery Using ldap Nslookup" (detection-rule title)

T1082 System Information Discovery (evidence: 1)

"The initial C&C beacon contained verbose system information... It has the functionality to profile infected machines"

Collection (3 techniques)

T1005 Data from Local System (evidence: 1)

"... including looking for image loading of ldap and wmi modules, associated with its payload, data collection and script execution."

T1213 Data from Information Repositories (evidence: 1)

"FIN7 JSSLoader SACL event accessing browser SQL DB for collection of data to exfiltrate" (detection-rule description)

T1560 Archive Collected Data (evidence: 1)

"Users are ultimately redirected to a SharePoint-hosted compressed file containing JavaScript that downloads the malicious DLL payload."

The excerpt describes a compressed delivery archive rather than archiving of collected data, so treat this mapping as weakly supported.

Command and Control (3 techniques)

T1071.001 Web Protocols (evidence: 1)

"Its C&C used HTTPS requests with base64-encoded data"

T1105 Ingress Tool Transfer (evidence: 3)

"The VBS downloader would then download JSSLoader... If executed, it downloaded an intermediate script, which then downloaded and executed the C++ version of JSSLoader."

T1132 Data Encoding (evidence: 1)

"Its C&C used HTTPS requests with base64-encoded data"
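A triage heuristic for the C2 pattern described under Web Protocols and Data Encoding (HTTPS requests with base64-encoded bodies, a verbose host profile in the initial beacon, JSON in later variants), added here as an example and not Mallory's or any vendor's code. It assumes request bodies are available in clear (TLS inspection or endpoint capture); PROFILE_KEYS is an assumed list of host-profile field names, since JSSLoader's real field names are not on this page, and the sample requests are constructed. It flags POST bodies that are strictly valid base64 and decode to either a JSON object or key=value text carrying several host-profile fields, which covers both the legacy and the JSON beacon styles while ignoring base64 that decodes to binary and JSON sent in clear.

```python
"""Triage heuristic for base64-encoded host-profile beacons over HTTP(S).

Added example for the C2 behaviour described above (HTTPS + base64 bodies,
verbose host info in the first beacon, later JSON). It is not Mallory's code
and does not reproduce JSSLoader's real protocol, whose field names are not
on this page. It assumes decrypted request bodies (TLS inspection or
endpoint capture). PROFILE_KEYS and the sample requests are constructed.
"""
import base64
import binascii
import json
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
# Assumed host-profile field names; tune to what sandbox detonations show.
PROFILE_KEYS = {"hostname", "username", "domain", "os", "ip", "mac", "av", "pid"}
MIN_PROFILE_KEYS = 3


def decode_b64(body: str):
    """Strict base64 decode; None if the body is not base64 at all."""
    body = body.strip()
    if len(body) < 16 or len(body) % 4 or not B64_RE.fullmatch(body):
        return None
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error:
        return None


def classify_profile(payload: bytes):
    """'json_profile', 'kv_profile' or None for a decoded beacon body."""
    text = payload.decode("utf-8", errors="replace")
    try:
        obj = json.loads(text)
    except json.JSONDecodeError:
        obj = None
    if isinstance(obj, dict):
        # JSON-style beacon: enough known host-profile keys in one object.
        if len({k.lower() for k in obj} & PROFILE_KEYS) >= MIN_PROFILE_KEYS:
            return "json_profile"
        return None
    # Legacy style: key=value pairs separated by ';', '&' or newlines.
    keys = {k.lower() for k in re.findall(r"([A-Za-z_]+)=[^;&\n]*", text)}
    if len(keys & PROFILE_KEYS) >= MIN_PROFILE_KEYS:
        return "kv_profile"
    return None


def triage(requests) -> list:
    """Return (url, verdict) for POSTs whose base64 body decodes to a host profile."""
    flagged = []
    for req in requests:
        if req["method"] != "POST":
            continue
        raw = decode_b64(req["body"])
        if raw is None:
            continue
        verdict = classify_profile(raw)
        if verdict:
            flagged.append((req["url"], verdict))
    return flagged


# Constructed sample requests (not captured traffic). Two beacon styles,
# a benign base64 binary upload, clear-text JSON and a GET that is skipped.
_json_profile = json.dumps({"hostname": "WS01", "username": "chris", "domain": "CORP",
                            "os": "Windows 10", "av": "Defender"}).encode()
_kv_profile = b"hostname=WS02;username=bob;domain=CORP;os=Windows 11;pid=4412"
SAMPLE_REQUESTS = [
    {"method": "POST", "url": "https://203.0.113.10/gate", "body": base64.b64encode(_json_profile).decode()},
    {"method": "POST", "url": "https://203.0.113.10/old", "body": base64.b64encode(_kv_profile).decode()},
    {"method": "POST", "url": "https://cdn.example.net/upload",
     "body": base64.b64encode(b"\x89PNG\r\n\x1a\n" + b"\x00" * 40).decode()},
    {"method": "POST", "url": "https://api.example.net/v1",
     "body": json.dumps({"hostname": "WS01", "username": "chris", "os": "x"})},
    {"method": "GET", "url": "https://203.0.113.10/", "body": ""},
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLE_REQUESTS):
        print(f"{verdict:13s} {url}")
```

This is a triage filter, not a signature: base64-wrapped JSON is common in legitimate APIs, so pair a hit with destination reputation (newly seen host, bare IP, no referrer) and with the endpoint indicators above before escalating, and derive PROFILE_KEYS and MIN_PROFILE_KEYS from your own sandbox runs of the current variant.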

INDICATORS OF COMPROMISE

IOCs tracked for this family

8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups: 3 network indicators (domains), 3 file hashes (SHA-256), and 2 other indicator types (likely the Run key value and the %TEMP% DNA*.tmp path named above). The values below are the ones that appear in this profile; the third hash is not shown on this page.

Type | Value | Latest sighting
domain | physiciansofficenews.com | 5 years ago
domain | thechinastyle.com | 5 years ago
domain | divorceradio.com | 5 years ago
hash.sha256 | 8783EB00ACB3196A270C9BE1E06D4841BF1686C7F7FC6E009D6172DAF0172FC6 (XLL sample) | 5 years ago
hash.sha256 | 45FA7A26A0DBA954080147CAAB78453E7935DC4916418150A37F09B2BA263B41 (JSSLoader payload) | 5 years ago
hash.sha256 | (not shown on this page) | 5 years ago