Cyble Research and Intelligence Labs (CRIL) has recently unearthed a sophisticated shellcode loader named Jellyfish Loader, marking a new development in cyber threat detection. This new. NET-based malware exhibits advanced capabilities, including the collection of system information and establishment of secure Command and Control (C&C) communications. Here’s a detailed exploration of what CRIL has uncovered about this emerging threat.
The Jellyfish Loader utilizes intricate methodologies to execute its malicious agenda. CRIL researchers first encountered this threat within a ZIP file originating from Poland. Inside this archive, disguised as a harmless Windows shortcut (.lnk) file, lay a clean PDF document. Upon execution, however, the .lnk file initiates the download and execution of the Jellyfish Loader, a 64-bit .NET executable identified as “BinSvc.exe” (SHA-256: e654e97efb6214bea46874a49e173a3f8b40ef30fd0179b1797d14bcc2c2aa6c).
Overview of the Jellyfish Loader Campaign
The Jellyfish Loader, a newly identified threat analyzed by Cyble Research and Intelligence Labs (CRIL), employs advanced techniques to execute its malicious operations. It utilizes AsyncTaskMethodBuilder for asynchronous operations, ensuring efficient SSL certificate validation for secure communication with its Command and Control (C&C) server. This approach enhances its ability to manage interactions discreetly and securely.
Embedded within the Jellyfish Loader are dependencies integrated using Fody and Costura, enhancing its stealth during deployment. These embedded resources facilitate its operation while evading detection.
Upon infection, the loader extracts critical system information in JSON format, encoded with Base64 for obfuscation. This encoded data is then sent to its designated C&C server, facilitating further instructions and actions.
For communication, the Jellyfish Loader utilizes HTTP POST requests to connect with its C&C server hosted at “hxxps://ping.connectivity-check[.]com”. Despite encountering challenges in delivering shellcode payloads during testing, the loader demonstrates capabilities for downloading and executing additional malicious payloads.
Interestingly, similarities between the Jellyfish Loader and the infamous Olympic Destroyer highlight shared coding styles and infrastructure, reminiscent of techniques attributed to the Hades threat actor group. This includes the use of PowerShell scripts for downloading encrypted payloads, as observed in previous cyber attacks documented by Kaspersky in 2018.
The domain “connectivity-check[.]com”, integral to Jellyfish Loader’s operations, has been monitored since 2016 across various Autonomous System Numbers (ASNs), primarily ASN 16509 (AMAZON-02) since 2019. This domain hosts multiple subdomains crucial for potential C&C communications, underscoring its significance in malicious activities orchestrated by threat actors.
Recommendations and Mitigations for Jellyfish Loader
CRIL’s investigation has revealed compelling evidence suggesting that the Jellyfish Loader is involved in sophisticated cyber operations reminiscent of Olympic Destroyer, although direct attribution to the Hades group remains uncertain. Despite this ambiguity, organizations are advised to fortify their defenses against such online threats.
Implementing robust security measures is crucial, including deploying advanced antivirus and anti-malware solutions capable of detecting and thwarting shellcode-based attacks. Network segmentation helps mitigate the spread of malware within organizational networks, minimizing potential damage in case of a security breach.
Application whitelisting enhances security by restricting execution privileges to authorized applications, thereby preventing unauthorized execution of malicious shellcodes. Continuous monitoring of network activities using robust tools is essential to detect unusual patterns indicative of shellcode execution or Command and Control (C&C) communications.
SSL/TLS inspection plays a critical role in scrutinizing encrypted traffic to uncover hidden malicious activities. As cyber threats evolve, ongoing vigilance and collaboration across security communities are essential in combating sophisticated malware variants like the Jellyfish Loader.
CRIL remains dedicated to advancing research and collaboration efforts to heighten awareness and bolster defenses against emerging cyber threats. By staying proactive and informed, organizations can effectively safeguard their digital assets against the evolving landscape of cyber threats posed by entities such as the Jellyfish Loader and similar adversaries in the cyber realm.