From Fake Purchase Orders to Remote Access: Analyzing the JS.MonoGlyphRAT Threat to US Enterprises

MITRE Techniques

• [T1204.002] User Execution: Malicious File – The attack starts when a user opens a disguised JavaScript attachment (‘user executes a JS script disguised as a business document’).
• [T1059.007] JavaScript – The core implant is written in JavaScript and executed via Windows Script Host (‘core implant written in JavaScript, executed via wscript.exe’).
• [T1059.001] PowerShell – The malware launches encoded PowerShell for download, decryption, command execution, and staging (‘launched via powershell -nop -enc; used for download, AES decryption, command execution, and staging’).
• [T1620] Reflective Code Loading – The loader decrypts and reflectively loads a .NET assembly into memory (‘decrypted .NET assembly loaded into memory via reflection; payload never written to disk’).
• [T1547.001] Registry Run Keys / Startup Folder – Persistence is established by copying itself and writing to the HKCU Run key (‘script copies itself to %USERPROFILE% and registers via HKCU…Run’).
• [T1082] System Information Discovery – The client collects host fingerprinting data such as domain, username, serial number, OS, RAM, model, CPU, and GPU (‘client collects host fingerprint’).
• [T1057] Process Discovery – The malware enumerates running processes via WMI (‘running process list collected via WMI Win32_Process.Name on C2 command’).
• [T1071.001] Web Protocols – C2 communication, tasking, and payload delivery occur over HTTP with custom headers (‘C2 over HTTP: check-in, beacon loop, tasking, telemetry upload, payload delivery; control via X-S / X-A headers’).
• [T1571] Non-Standard Port – The HTTP C2 service runs on non-standard ports (‘C2 endpoints served on non-standard HTTP ports’).
• [T1105] Ingress Tool Transfer – Additional files and stages are downloaded from the C2 and executed locally (‘downloads additional files and stages from C2 in encrypted form’).
• [T1132.002] Data Encoding – Telemetry and payload content are encoded using XOR, reversed hex, and AES (‘XOR for telemetry, reversed hex for strings/URLs, hex-encoded keys, AES-encrypted task bodies’).
• [T1041] Exfiltration Over C2 Channel – Collected telemetry is sent over the same HTTP C2 channel used for commands (‘collected telemetry sent over the same HTTP C2 channel used for commands’).
• [T1027] Obfuscated Files or Information – The script uses monoglyph identifier obfuscation, encoded strings, and hidden PowerShell stagers (‘monoglyph identifier obfuscation, encoded strings, AES/XOR, hidden PowerShell stagers’).
• [T1027.010] Command Obfuscation – PowerShell commands are dynamically built and launched with encoded parameters (‘PowerShell commands built dynamically, launched via -enc’).
• [T1027.013] Encrypted/Encoded File – Payloads and stages are transferred AES-encrypted with a static IV (‘payloads and stages transferred AES-encrypted; key from C2 body, static IV “sixteenbyteslong”‘).
• [T1140] Deobfuscate/Decode Files or Information – The malware decodes hex/Base64, restores reversed strings, and decrypts XOR/AES data during execution (‘hex/Base64 decode, reversed string restoration, XOR, AES-CBC decryption’).
• [T1562.001] Disable or Modify Tools – The loader patches AmsiScanBuffer to bypass AMSI and reduce detection (‘AMSI bypass by patching AmsiScanBuffer’).
• [T1070.004] File Deletion – The malware deletes its installed copy or temp files during uninstall/update (‘malware deletes installed JS copy, temp files, or older client version’).