Investigating the New Jellyfish Loader 

CRIL researchers describe a new .NET-based loader named Jellyfish Loader that embeds dependencies, uses asynchronous execution, and communicates with a C2 server to download shellcode. The analysis notes similarities to techniques used in Olympic Destroyer/Hades and highlights SSL validation and staged C2 activity as key traits. #JellyfishLoader #OlympicDestroyer #Hades #connectivity-check.com

Keypoints

  • CRIL identifies a new .NET-based ShellCode loader named Jellyfish Loader (BinSvc.exe) in early development with version 0.3.2.
  • The loader executes code via asynchronous task methods using AsyncTaskMethodBuilder and an async Main method.
  • Fody and Costura are used to embed dependencies as resources within the executable (compressed DLLs).
  • The loader collects basic system information and validates SSL certificates before C2 communication, signaling encrypted/secured channels.
  • C2 communications occur over HTTP POST to a remote server, e.g., ping.connectivity-check[.]com, with potential shellcode delivery.
  • The operation leverages a long-running C2 infrastructure associated with connectivity-check.com and has ties to activity previously seen in Olympic Destroyer by Hades, though attribution is not definitive.
  • The campaign includes a LNK-based dropper (Lisa.pdf.lnk) that downloads the Jellyfish Loader after executing obfuscated JavaScript via mshta.

MITRE Techniques

  • [T1204] User Execution – Malicious Link – The .lnk file masquerades as a PDF file and requires user interaction to be executed.
  • [T1036.003] Masquerading: Masquerade File Type – The .lnk file is named to appear as a PDF file to deceive users.
  • [T1082] System Information Discovery – Jellyfish Loader collects and sends basic system information from the infected machine.
  • [T1573] Encrypted Channel – The loader uses SSL certificate validation for secure C&C communication.
  • [T1071.001] Application Layer Protocol: Web Protocols – The loader sends HTTP POST requests to communicate with its C&C server.
  • [T1041] Exfiltration Over C2 Channel – System information and potentially other data are exfiltrated over the established C&C channel.
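The delivery chain above (double-extension LNK, mshta running inline script, a dropped executable, and a POST to the connectivity-check[.]com infrastructure) maps to a small set of host and network detections. The following is an added example, not code from Cyble/CRIL; the Sysmon-style event schema, the rule names and the sample events are constructed for illustration, and the only report-derived values are the file names and the C2 domain.

```python
"""Detection rules for the Jellyfish Loader delivery chain, run over constructed
Sysmon-style telemetry. Added example; the event layout and rule names are assumptions."""
import re

# Constructed sample events (not real telemetry). Events 1-4 replay the reported chain:
# Lisa.pdf.lnk is written, explorer launches mshta with inline script, mshta starts
# BinSvc.exe, and BinSvc.exe talks to the C2 host. Events 5-6 are benign noise.
EVENTS = [
    {"id": 1, "type": "file", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Downloads\Lisa.pdf.lnk"},
    {"id": 2, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe javascript:eval(atob("Li4u"))'},
    {"id": 3, "type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\BinSvc.exe", "cmdline": "BinSvc.exe"},
    {"id": 4, "type": "network", "image": r"C:\Users\alice\AppData\Local\Temp\BinSvc.exe",
     "dest_host": "ping.connectivity-check.com", "dest_port": 443},
    {"id": 5, "type": "network", "image": r"C:\Program Files\Google\Chrome\chrome.exe",
     "dest_host": "www.example.com", "dest_port": 443},
    {"id": 6, "type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

C2_DOMAINS = {"connectivity-check.com"}          # IoC from the report (defanged there)
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|pptx?)\.lnk$", re.I)   # T1036.003 lure pattern
SCRIPT_PROTO = re.compile(r"\b(javascript|vbscript):", re.I)        # inline mshta script

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def in_c2_domains(host):
    """Exact or subdomain match against the C2 domain set (no suffix spoofing)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)

def evaluate(event):
    """Return (rule, technique) hits for a single event."""
    hits, t = [], event["type"]
    if t == "file" and DOUBLE_EXT.search(event["target"]):
        hits.append(("lnk_double_extension", "T1036.003"))
    if t == "process":
        img, parent = basename(event["image"]), basename(event.get("parent", ""))
        if img == "mshta.exe" and (parent == "explorer.exe" or SCRIPT_PROTO.search(event["cmdline"])):
            hits.append(("mshta_inline_script_from_explorer", "T1204"))
        if parent == "mshta.exe" and img.endswith(".exe"):
            hits.append(("mshta_spawned_executable", "T1204"))
    if t == "network" and in_c2_domains(event["dest_host"]):
        hits.append(("known_c2_domain", "T1071.001"))
    return hits

def scan(events):
    """Flatten hits to (event id, rule, technique) so they can be correlated per host."""
    return [(e["id"], rule, tech) for e in events for rule, tech in evaluate(e)]
```

A single host producing hits from all four rules within a short window is a much stronger signal than any one of them alone, since mshta and LNK files are common in benign environments.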

Indicators of Compromise

  • [File hashes] Lisa.pdf.zip – ab9c3ef0b8bb1d68d819d569c8276af0, 66d24e2081fcfe3ffdcf80e208553f32b088c7e863668ab3813ba980e1efbc2c, and 00e0824e139e21fd6e41e2a34c1d6f598d7e4fbe
  • [File hashes] Lisa.pdf.lnk – 6d47ce1660eb54a31e7870b170605f9641ec97d756fb865f3a5e357649dc2041, 300b380bf870010f14bfeeeccbdc9729
  • [File hashes] Jellyfish Loader – e654e97efb6214bea46874a49e173a3f8b40ef30fd0179b1797d14bcc2c2aa6c
  • [URL] ping.connectivity-check[.]com – hxxps://ping.connectivity-check[.]com/
  • [Domain] connectivity-check[.]com – connectivity-check[.]com (used for C2/downloads)

Read more: https://cyble.com/blog/investigating-the-new-jellyfish-loader/