In late April 2022, I was requested to analyze a software artifact. It was an instance of Janicab, a software with infostealing and spying capabilities known since 2013. Differently to other analyses I do as part of my job, in this particular case I can disclose parts of it with you readers. I’m addressing those parts in a post series. Based on this specific sample, here I’going to discuss a bit about the attribution. Furthermore, I’m going to collect the Indicators of Compromise (IoCs) related to thi specific infection chain. If you want to know more about the various stages of the infection, I recommend you reading the previous posts of this series: first part, second part, and third part.
Given the body of knowledge consisting of the artifacts involved in the infection chain, provided by the previous sections, I am now in a good position to briefly discuss why I believe to have dealt with a Janicab instance.
Janicab was first disclosed in 2013 by F-Secure Labs. The name Janicab appears in their first publication on this topic within the signature created by the analysts for the antivirus product:
Backdoor:Python/Janicab.A. That publication is about a malware targeting Mac operating systems. Despite of its briefness, the article is long enough for us to observe a distinctive technique adopted by the malware: the use of C2 published on social media like YouTube. In that primordial case, the C2 url was directly published as a YouTube video description. I discuss a very similar technique, regarding an artifact belonging to this infection chain, in this post.
F-Secure Lab published another article about Janicab in 2015. The similarities between the sample discussed in this report and that one addressed by F-Secure Lab post are manifold. Most of the similarities are about the techniques:
- Use of a LNK file with hidden target arguments as a first link of the infection chain.
- C2 ip address obtained starting from a numeric seed posted in a YouTube comment to a video. In the case discussed by F-Secure analysts, the comment pattern was slightly different:
our (.*)th psy anniversary.
- Same conversion function from the C2 numeric seed to the C2 ip address.
- Same C2 resources and requests parameters.
An interesting and relevant post concerning Janicab was published by Securelist (Kaspersky) in 2020. In this publication, the analysts claim that Janicab is operated by the same group as Powersing and Evilnum malware. The claim is supported by several observations such as:
- Distribution via LNK files embedding other artifacts.
- C2 obtained from dead drop resolvers with regular expression matched on public posts.
- Partial code overlap and/or code similarities.
Although I don’t have access to a reliable source of information concerning Janicab victimology, the claim made by Kaspersky analysts provides for some potentially interesting leads. By including Evilnum and Powersing operations and targets, they hypothesize that the group behind Janicab acts as a mercenary outfit mostly involved in intelligence operations. The main targets seem to be law firms and fintech companies.
Indicators of Compromise
|e0c0c90742083433b2adbbb13f9286e6||MD5||MicrosoftMicrosoft Sync Services.lnk|
|de0e5b035d214b47c722b9fc985d58145f2b3e18||SHA1||MicrosoftMicrosoft Sync Services.lnk|
|2b7dd592b5a3c756ff109d83707ac36717fb577d19369dbb0e30c4f9cc01a8a2||SHA256||MicrosoftMicrosoft Sync Services.lnk|
This post closes the series about Janicab. As always, if you want to share comments or feedbacks (rigorously in broken Italian or broken English) do not esitate to drop me a message at admin[@]malwarology.com.