What’s Old Is New Again (Still)
I feel like I cover a lot of evolutions in malicious activity and cybercrime: AI prompt injection, novel configurations of known malware families, new vectors of compromise. But that doesn’t preclude the continued existence of the classics, like phishing emails. Cofense’s Phishing Defense Center has published a blog report on a campaign that spreads through scam emails impersonating well-known brands. The brands highlighted in their report? DocuSign and Adobe Acrobat. The culprit? An abused JWrapper package bundling the SimpleHelp Remote Monitoring and Management (RMM) tool.
JWrapper is a Java-based installer framework that bundles an application’s files, together with a Java runtime, into a single self-contained installer, so the same app can be shipped to Windows, macOS and Linux without separate packaging. SimpleHelp is a legitimate remote support and RMM product, the kind of thing a help desk uses to take control of an endpoint. JWrapper plays a minor role in this campaign, that of delivery: it is simply the wrapper the installer arrives in. It’s the SimpleHelp client itself that’s being abused for execution; no vulnerability is involved, but a remote support agent installed without the user’s knowledge is, functionally, a remote access Trojan.
Impersonation of genuine sites is a long-used form of social engineering: because the link looks like it comes from a trusted source, users click it. But Cofense points out, as I often do, that hovering over the link tells the real tale. The link embedded in the phishing email is a malicious redirect, disguised either as a request to view completed documents awaiting signature or as a popup stating that the user needs to download the newest version of Acrobat Viewer (the two samples in the blog report). The payload is visible in the properties of the download, under file description: a remote access executable.
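Hovering is the manual version of a check a mail filter can do automatically: compare the domain a link displays with the domain its href actually points at. The following is an added example, not code from Cofense’s report or from this post. It parses a constructed HTML body and flags anchors whose visible text names one domain while the href goes to another, plus links straight to an executable. The sample body and its hostnames are made up for illustration, and the registrable-domain helper is a last-two-labels approximation rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing body (not a sample from the Cofense report). The first
# anchor shows a DocuSign URL as its text but points somewhere else; the last
# links straight to an executable "update".
SAMPLE_HTML = """
<p>You have a completed document waiting for your review.</p>
<a href="https://cdn-docs-review.example.net/view?id=123">https://app.docusign.com/documents/completed</a>
<br>
<a href="https://www.adobe.com/acrobat">Adobe Acrobat</a>
<a href="http://update-acrobat.example.org/AcrobatViewer.exe?u=1">Download the latest Acrobat Viewer</a>
"""


class LinkExtractor(HTMLParser):
    """Collect (visible_text, href) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


# Assumption: no public-suffix list, so the "registrable domain" is approximated
# by the last two labels (wrong for suffixes like co.uk, fine for the demo).
def registrable_domain(host):
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


# A hostname (optionally with scheme) appearing in the anchor's visible text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
EXECUTABLE_EXT = (".exe", ".msi", ".scr", ".js", ".jar", ".zip")


def find_suspicious_links(html):
    """Return one finding per anchor whose shown domain and real domain differ,
    or whose href is a direct download of an executable."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for text, href in parser.links:
        actual = registrable_domain(host_of(href))
        shown = DOMAIN_IN_TEXT.search(text)
        path = urlparse(href).path.lower()
        if shown and registrable_domain(shown.group(1)) != actual:
            findings.append({"reason": "display/href mismatch",
                             "shown": registrable_domain(shown.group(1)),
                             "actual": actual, "href": href})
        elif path.endswith(EXECUTABLE_EXT):
            findings.append({"reason": "direct executable download",
                             "shown": text, "actual": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_links(SAMPLE_HTML):
        print(f"{f['reason']}: shown={f['shown']!r} actual={f['actual']!r} href={f['href']}")
```

The second rule is the one that catches the Acrobat lure: the visible text is plain English, so there is no domain to compare, but a link that lands directly on an .exe from a mail message is worth flagging on its own.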
RATs are the most common payload of this type of phishing. Once command-and-control access is established, threat actors use it to steal credentials, deliver further malware, or lift authentication tokens that let them bypass the login step and take over accounts. Phishing emails used to be less carefully crafted, with flaws that were sometimes pretty obvious: typos, slightly altered names that look right at first glance, or vague, impersonal details in a message allegedly coming from inside the organization. The samples shown in Cofense’s report had none of those; the only suspicious sign was the redirect visible while hovering over the embedded link. But that’s how these campaigns work: the operators rely on users trusting the impersonation and not looking any deeper.
Once downloaded, this RAT blends in with other legitimate processes, such as winpty agents, the helper executables that programs like SimpleHelp use for terminal interfacing. Cofense also found several command-line actions, including one where the payload created a new inbound firewall rule so its own traffic would not be blocked, and another that granted full access permissions on every folder in the victim’s file system. These tactics are what make RATs so hard to expunge from a device: they hide inside legitimate software, so one cannot just delete them. Each of those steps is also a strong signal on its own: a remote support agent the help desk never deployed, a firewall rule it added for itself, and a recursive permission change are all worth alerting on.
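The two command lines described above, an inbound firewall allow rule and a recursive grant of full control, are easy to hunt for in process-creation logs (Sysmon event ID 1 or Windows Security event 4688). Below is an added example, not code from the Cofense report or from this post, that runs a few pattern rules over constructed command lines. The sample command lines, paths and rule names are made up for illustration; the MITRE ATT&CK technique IDs are the standard ones for firewall modification (T1562.004) and Windows file-permission changes (T1222.001).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str  # MITRE ATT&CK technique ID
    pattern: re.Pattern


# Constructed process command lines (not from the Cofense report). The first two
# mimic the behaviours described in the post; the rest are benign noise.
SAMPLE_CMDLINES = [
    r'netsh advfirewall firewall add rule name="Remote Access Service" dir=in action=allow program="C:\ProgramData\RemoteAccess\Remote Access.exe" enable=yes',
    r'icacls "C:\Users\victim" /grant Everyone:(OI)(CI)F /T /C /Q',
    r'netsh advfirewall show allprofiles',
    r'icacls "C:\Users\victim\Documents" /grant victim:(OI)(CI)M',
    r'winpty-agent.exe --help',
]

RULES = [
    Rule("inbound firewall allow rule added", "T1562.004",
         re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b.*\baction=allow\b", re.I)),
    Rule("inbound firewall allow rule added (PowerShell)", "T1562.004",
         re.compile(r"\bNew-NetFirewallRule\b.*-Direction\s+Inbound\b.*-Action\s+Allow\b", re.I)),
]

# icacls is matched with three independent checks because argument order varies:
# the tool name, a /grant of Full control (F) to a broad principal, and /T (recurse).
ICACLS_RE = re.compile(r"\bicacls\b", re.I)
GRANT_FULL_RE = re.compile(
    r'/grant(?::r)?\s+"?(?:Everyone|\*S-1-1-0|Users|Authenticated Users|BUILTIN\\Users)"?'
    r":(?:\((?:OI|CI|IO|NP)\))*\(?F\)?", re.I)
RECURSE_RE = re.compile(r"\s/T\b", re.I)


def classify(cmdline):
    """Return a list of (rule name, technique) hits for one command line."""
    hits = [(r.name, r.technique) for r in RULES if r.pattern.search(cmdline)]
    if ICACLS_RE.search(cmdline) and GRANT_FULL_RE.search(cmdline) and RECURSE_RE.search(cmdline):
        hits.append(("full control granted recursively to a broad principal", "T1222.001"))
    return hits


def scan(cmdlines):
    """Return (index, cmdline, hits) for every command line that triggers a rule."""
    return [(i, c, h) for i, c in enumerate(cmdlines) if (h := classify(c))]


if __name__ == "__main__":
    for i, cmd, hits in scan(SAMPLE_CMDLINES):
        print(f"[{i}] {hits}\n     {cmd}")
```

The benign icacls line (a user granting Modify on their own Documents folder, without /T) is deliberately included: a rule that fires on every icacls invocation would drown the real signal, so the check insists on Full control, a broad principal, and recursion together.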
It goes without saying at this point, but prevention is still key, and therefore so is education. This campaign exemplifies why I always say: never click an untrusted link. Don’t download from a prompt; visit the product’s own site for updates. And come see your friendly neighborhood WISP if you need help.