Jason and its probable links with Iranian APT34 state-sponsored hackers are the subject of an analysis by Marco Ramilli, cyber security expert and Yoroi's founder.
APT34 activities have recently been exposed on Telegram by an individual using the name "Lab Dookhtegan". Among the leaked material is the Jason project. The cyber security expert Marco Ramilli, founder of Yoroi, analyzed it to understand whether the tool is really linked to the Iranian state-sponsored APT. Jason is a graphical tool built to brute-force Microsoft Exchange accounts in order to "harvest" as many mailboxes and account details as possible. It is distributed in a ZIP container and the interface is quite intuitive: the Microsoft Exchange address and its version must be provided (even though the code also contains a DNS-domain discovery function). Three brute-force methods can be selected: EWS (Exchange Web Services), OAB (Offline Address Book) or both (All). A username list and a password list can be selected (both included in the distributed ZIP file), and a thread count must be provided to balance the speed of the attack against the noise it generates on the target.
How Jason works
Unpacking the ZIP container reveals three files and a folder. Jason.exe is the graphical user interface and the main visible tool. Microsoft.Exchange.WebService.dll, a Microsoft-developed library, provides the real functionality used by Jason.exe. PassSample contains some pattern-based password candidates, and a folder named PasswordPatters holds the building blocks for password guessing. Digging into the two Microsoft-related artifacts, the expert found that both Jason.exe and Microsoft.Exchange.WebService.dll were written with the .NET framework. The .dll provides a managed interface for developing .NET client applications that use EWS. Through the EWS Managed API a developer can access almost all of the information stored in an Office 365, Exchange Online or Exchange Server mailbox, which is what makes the library convenient for a credential-testing tool: each authenticated EWS request either succeeds or fails for a given username and password pair, and a successful pair immediately yields mailbox access. The attacker used an old version of Microsoft.Exchange.WebService.dll tagged as 126.96.36.199.
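As an added example (not Ramilli's code and not part of the leaked Jason tool), the following Python script shows what a tool like Jason leaves behind on the defender's side. Every failed EWS or OAB login attempt produces a 401 in the Exchange front-end IIS log, so a per-source-IP sliding window over 401s to /EWS/ and /OAB/ surfaces the spray regardless of which of the three modes (EWS, OAB, All) the operator picked, and a 200 from the same address right after the burst is the shape of a successful guess. The log lines, the six-field W3C layout, the 60-second window and the threshold of five failures are constructed assumptions; real Exchange IIS logs carry many more fields, and cs-username is normally "-" on a request that failed authentication.

```python
"""Detect Exchange EWS/OAB credential brute-forcing in IIS W3C log lines.

Added example, not code from the Jason tool or from Ramilli's analysis.
Field order, window size and threshold are assumptions for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed field order: date time cs-uri-stem cs-username c-ip sc-status).
# 203.0.113.7 sprays five credentials in three seconds, then gets a 200 (a hit).
# 198.51.100.9 fails twice, a minute apart, which stays under the threshold.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-uri-stem cs-username c-ip sc-status
2019-06-03 10:00:01 /EWS/Exchange.asmx CORP\\alice 10.0.0.5 200
2019-06-03 10:00:02 /EWS/Exchange.asmx - 203.0.113.7 401
2019-06-03 10:00:02 /EWS/Exchange.asmx - 203.0.113.7 401
2019-06-03 10:00:03 /OAB/ - 203.0.113.7 401
2019-06-03 10:00:03 /EWS/Exchange.asmx - 203.0.113.7 401
2019-06-03 10:00:04 /OAB/ - 203.0.113.7 401
2019-06-03 10:00:05 /EWS/Exchange.asmx CORP\\frank 203.0.113.7 200
2019-06-03 10:00:09 /owa/auth.owa - 198.51.100.9 401
2019-06-03 10:20:00 /EWS/Exchange.asmx - 198.51.100.9 401
2019-06-03 10:21:00 /EWS/Exchange.asmx - 198.51.100.9 401
"""

TARGET_PREFIXES = ("/ews/", "/oab/")   # the two endpoints Jason brute-forces
WINDOW = timedelta(seconds=60)         # assumed detection window
THRESHOLD = 5                          # assumed 401s per window per source IP


def parse_iis(text):
    """Yield (timestamp, uri, user, ip, status) tuples; '#' directive lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        date, time, uri, user, ip, status = line.split()
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        yield ts, uri, user, ip, int(status)


def detect_bruteforce(text, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: {"failures": n, "success_after": bool, "user": name}} for flagged IPs.

    A sliding window of 401s to EWS/OAB is kept per source IP. Once an IP crosses
    the threshold it is flagged; a later 200 from the same IP on the same endpoints
    marks the spray as having found a valid credential, and records which user.
    """
    recent = defaultdict(deque)   # ip -> timestamps of 401s inside the current window
    hits = {}
    for ts, uri, user, ip, status in parse_iis(text):
        if not uri.lower().startswith(TARGET_PREFIXES):
            continue              # OWA, ActiveSync etc. are out of scope for this rule
        if status == 401:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:   # q is never empty here: ts itself was just appended
                q.popleft()
            if len(q) >= threshold:
                entry = hits.setdefault(ip, {"failures": 0, "success_after": False, "user": None})
                entry["failures"] = max(entry["failures"], len(q))
        elif status == 200 and ip in hits:
            hits[ip]["success_after"] = True
            hits[ip]["user"] = user
    return hits


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        verdict = "SUCCESSFUL GUESS" if info["success_after"] else "spray, no hit seen"
        print(f"{ip}: {info['failures']} failures/window, {verdict}, user={info['user']}")
```

The rule deliberately keys on the source IP rather than on the username, because the failed requests carry no usable username; a tool that rotates source addresses, or spreads its thread count thin enough to stay under the per-IP threshold, would need a complementary rule on the total 401 rate across all sources.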
The similarities between the tool and APT34 TTPs according to the cyber security expert
According to Ramilli, a real eye-catcher in the reversed byte-code is the set of "exception securities" placed throughout it. The developer used many checks, such as variable checks, null-byte avoidance, and object index and object key checks, to reduce the probability of unhandled software exceptions. These "exception protections" are usually adopted in two main scenarios: (i) the end user is not a particularly technical person, so he might end up triggering unexpected conditions, or (ii) the attacker is a professional developer trained to write product-oriented code rather than merely working code (which is what attackers usually produce). The images in Ramilli's analysis show a couple of code snippets in which the developer decided to protect the code from unexpected user behaviour. Comparing the code style with previous analyses of Iranian hackers, "we might observe a similar code protection." Even though the programming language is different, the basic exception prevention resembles that found in Jason. Another, weaker similarity lies in the logging style.
Ramilli: on the other hand, the Jason project doesn't share its main source code language with previous APT34 analyses
On the other hand, the Jason project doesn't share its main source code language with the samples examined in previous APT34 analyses. It doesn't include DNS tricks or any evidence of DNS usage, it doesn't include distinguishing patterns or language mistakes, and it was recompiled in January 2019 but using older technology. As already discussed, it shares only a few code-style similarities with Glimpse and WebMask. Ramilli therefore believes that, apart from these similarities and the evidence published by Lab Dookhtegan, it is very hard today to attribute Jason directly to APT34 on the basis of what is known.