A malicious loader named Jennlog has recently been used by an Iranian threat actor called Agrius in a ransomware attack against a university in Israel.
The malware is a .NET assembly, built to run on Windows® machines.
The loader hides its payload as a resource that initially appears to be a log file.
Instead, the resource contains both the malicious payload (in this case, Orcus RAT) and the malware’s execution configuration. As an anti-analysis method, this loader checks for the presence of virtual machines (VMs) and sandboxes before unpacking its malicious payload, as this might indicate that it is being run on a researcher’s machine.
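The disguise described above, a payload stored as a resource that opens like a log file, is something an analyst can check for mechanically: a genuine log is text from start to finish, whereas a resource that carries an executable will contain a DOS header ("MZ") whose `e_lfanew` field points at a valid "PE\0\0" signature. The following script is an added example, not code from the original page or from BlackBerry, and it does not model Jennlog's actual resource format; the sample resource it scans is constructed inline purely to exercise the check.

```python
import struct
from typing import List

# Bytes we treat as "text": tab, CR, LF and printable ASCII.
TEXT_BYTES = set(b"\t\r\n") | set(range(0x20, 0x7F))


def text_prefix_len(data: bytes) -> int:
    """Length of the leading run of text-like bytes (the part that 'looks like a log')."""
    n = 0
    for b in data:
        if b not in TEXT_BYTES:
            break
        n += 1
    return n


def find_embedded_pe(data: bytes) -> List[int]:
    """Return offsets of DOS headers whose e_lfanew points at a real PE signature.

    A bare 'MZ' in text is not enough: we require a full 64-byte DOS header and a
    plausible e_lfanew (at least 0x40, since the DOS header occupies the first 64
    bytes; the 0x1000 upper bound is a heuristic to skip garbage values).
    """
    hits = []
    start = 0
    while True:
        i = data.find(b"MZ", start)
        if i < 0:
            break
        start = i + 1
        if i + 0x40 > len(data):
            continue
        e_lfanew = struct.unpack_from("<I", data, i + 0x3C)[0]
        pe_off = i + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and pe_off + 4 <= len(data) \
                and data[pe_off:pe_off + 4] == b"PE\x00\x00":
            hits.append(i)
    return hits


def classify_resource(data: bytes) -> str:
    """Classify a resource blob: 'text', 'pe', 'binary', or 'suspicious'.

    'suspicious' means the blob starts as readable text but an executable header
    follows it, i.e. the pattern of a payload hidden behind a log-like prefix.
    """
    pes = find_embedded_pe(data)
    prefix = text_prefix_len(data)
    if pes and pes[0] > 0 and prefix >= pes[0]:
        return "suspicious"
    if pes and pes[0] == 0:
        return "pe"
    if prefix == len(data):
        return "text"
    return "binary"


def build_sample_resource() -> bytes:
    """Constructed sample (hypothetical, not Jennlog's layout): two log lines followed
    by a minimal fake DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    log_text = (b"2021-09-01 12:00:00 INFO service started\n"
                b"2021-09-01 12:00:05 INFO heartbeat ok\n")
    dos = bytearray(b"MZ" + b"\x00" * 62)          # 64-byte DOS header
    e_lfanew = 0x80
    struct.pack_into("<I", dos, 0x3C, e_lfanew)     # e_lfanew lives at offset 0x3C
    pe_stub = b"\x00" * (e_lfanew - len(dos)) + b"PE\x00\x00"
    return log_text + bytes(dos) + pe_stub


if __name__ == "__main__":
    sample = build_sample_resource()
    print("PE headers at:", find_embedded_pe(sample))
    print("verdict:", classify_resource(sample))
```

Run against a real extracted resource, the same two calls would flag a blob that a quick look in a text viewer would pass as a log. The check is deliberately conservative: it validates the `e_lfanew` chain rather than matching on "MZ" alone, so ordinary log text that happens to contain those two letters is not reported.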