The Jhone Trojan is a dangerous Trojan that takes advantage of multiple cloud infrastructure to operate. It is being launched in a targeted attack campaign against targets in Middle Eastern countries. It features advanced infection capabilities and can cause a lot of damage to affected hosts. Read our article to learn what the Jhone Trojan is capable of and to read instructions on safely removing active infection.
|Short Description||A very dangerous banking Trojan capable of overtaking control of the machines.|
|Symptoms||The victims may notice performance issues and can get infected with other malware.|
|Distribution Method||Mainly infected documents and files|
|Detection Tool|| See If Your System Has Been Affected by Jhone Trojan |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss Jhone Trojan.|
The Jhone Trojan is a dangerous malicious infection which is currently spread in the Middle East and being spread by an unknown hacking group. We don’t know details about them however it is assumed that they are experienced to have created the dangerous code from scratch or based on one of the famous “bases” which can be acquired from the underground markets. The attacks are categorized as targeted — they will implement a keyboard layout check and will use network lookup in order to blacklist the cloud services that check for abuse.
The Jhone Trojan is currently set against victims located in the following countries: Egypt, Iraq, Libya, Algeria, Morocco, Oman, Tunisia, Syria, Yemen, UAE, Kuwait, Bahrain and Lebanon. The start of the attack campaign has been traced back to November 2019.
The main delivery technique used at the moment by the hacking group is a dangerous document files — popular examples includes spreadsheets, text files, databases and presentations. They include malicious macros that will request the execution of the built-in code by the users — the prompt will ask for this to be done by stating that this is required in order to access the contents.
The sending of the documents depend on the use of clever phishing campaigns — an example file will be called Urgent.docx and it may include contents in English or Arabic. The files are hosted on Google Drive in order to avoid blacklisting — the uploading of such data to this cloud will not raise suspicion that they may be actually malware.
Jhone Trojan infections are caused mainly by Microsoft Office documents however there are several different types which are used to deliver the threat. The first ones which which were spread in the first campaigns carried the Urgent.docx names and were written in both English and Arabic. They require the enabling of the built-in macros in order to view the contained within message. However as this copies other ransomware the hackers behind the Jhone Trojan prepared another set of documents — fb.docx which allegedly contain hijacked Facebook usernames and passwords. Another tactic used by the hackers is to impersonate an United Arab Emirates organization and send fake documents branded as important company notifications.
The actual Jhone Trojan is written in Python which allows the hackers to easily modify its core at will by both changing the main code, as well as allowing external components to be run.
Infections with this malware will begin by following a built-in sequence of malware commands. One of the first actions which are started will be to harvest sensitive data from the computer. This includes a detailed report on the installed hardware components including the installed hard drives (and their serial numbers), details about the operating system in use and etc. The hijacked data will then be relayed using a Trojan module — it will establish a secure connection to a special hacker-controlled server and allow the criminals to receive the information. The commands are checked via a special Twitter profile which is used to relay the commands. During the information gathering phase an unique ID will be created for each affected computer, this number will be relayed to the criminals as well .
A distinct part of the Jhone Trojan infection is the data theft mechanism which is used to hijack sensitive data and files from the computers. Instead of using the network connection used during the information gathering the hackers have implemented a different mechanism — the uploading of the data to cloud service hosting providers — ImgBB, Google Drive and Forms. This is done by following a scheme — screenshots are uploaded to ImgBB, binaries to Drive and the actual commands are executed from Forms data.
At the moment some of the Twitter profiles used by the hackers to command the Jhone Trojan are blocked. We anticipate that the code will soon be updated with new instructions which will reactivate the attack campaign.
How to Remove Jhone Trojan
In order to fully remove Jhone from your computer system, we recommend that you follow the removal instructions underneath this article. If the first two manual removal steps do not seem to work and you still see Jhone or programs, related to it, we suggest what most security experts advise – to download and run a scan of your comptuer with a reputable anti-malware program. Downloading this software will not only save you some time, but will remove all of Jhone files and programs related to it and will protect your computer against such intrusive apps and malware in the future.