From Fake Purchase Orders to Remote Access: Analyzing the JS.MonoGlyphRAT Threat to US Enterprises
JS.MonoGlyphRAT is a newly identified, highly obfuscated JavaScript backdoor targeting US enterprises via phishing. It establishes persistence, communicates over HTTP using custom headers, and acts as a loader capable of executing AES-encrypted payloads, PowerShell commands, and in-memory .NET assemblies while bypassing AMSI.
- Domain: aryamint[.]com - JS.MonoGlyphRAT C2 Domain
- Domain: scan[.]aryamint[.]com - JS.MonoGlyphRAT C2 Domain
- IP: 158[.]94[.]211[.]76 - JS.MonoGlyphRAT C2 Server
- IP: 91[.]92[.]243[.]79 - JS.MonoGlyphRAT C2 Server
- SHA-256: 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d200f - Obfuscated JS.MonoGlyphRAT script
- URL: hxxp://158[.]94[.]211[.]76:34567/ceoznp - JS.MonoGlyphRAT C2 Endpoint
What Happened
A new cyber threat called JS.MonoGlyphRAT is targeting US businesses, including technology, telecom, and education sectors, using fake purchase orders and quotes. When an employee opens the malicious file, the attackers gain silent, permanent access to the company's computers. This access can lead to severe consequences like ransomware attacks, data theft, and financial fraud. Organizations should train employees to spot suspicious attachments and use behavioral security tools to detect the malware's unusual activity.
Key Takeaways
- JS.MonoGlyphRAT is an active threat targeting US businesses via sales-themed phishing lures.
- The malware uses a unique 'monoglyph' obfuscation technique for JavaScript identifiers to evade static analysis.
- It establishes persistence via the HKCU Run registry key and communicates with C2 servers using custom HTTP headers (X-S, X-A).
- Capabilities include host telemetry collection, AES-encrypted payload execution, PowerShell task execution, and in-memory .NET execution.
- The malware patches AmsiScanBuffer to bypass AMSI before reflectively loading .NET assemblies.
Affected Systems
- Windows
- wscript.exe
- PowerShell
Attack Chain
The attack begins with a phishing email containing a malicious JavaScript file disguised as a business document. Upon execution via wscript.exe, the JS.MonoGlyphRAT script copies itself to a user directory and establishes persistence via the HKCU Run registry key. It then beacons to a C2 server over HTTP, receiving commands via custom headers to download and execute AES-encrypted payloads, run PowerShell commands, or reflectively load .NET assemblies into memory after patching AMSI.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: Yes
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: ANY.RUN, Suricata
The article provides an ANY.RUN Threat Intelligence query and references specific Suricata rule IDs (85006579, 85006580, 85006581) for detecting network activity associated with JS.MonoGlyphRAT.
Detection Engineering Assessment
- EDR Visibility: High. EDR solutions should easily capture wscript.exe spawning powershell.exe, registry modifications to HKCU Run keys, and AMSI patching attempts.
- Network Visibility: Medium. Network visibility is possible via HTTP POST requests to non-standard ports and specific URI parameters, but payloads are AES-encrypted.
- Detection Difficulty: Moderate. While the initial JS file is heavily obfuscated, the behavioral artifacts (wscript spawning powershell, registry persistence) are well-known and highly detectable.
Required Log Sources
- Process Creation (Event ID 4688 / Sysmon Event ID 1)
- Registry Events (Sysmon Event ID 12, 13, 14)
- Network Connections (Sysmon Event ID 3)
- PowerShell Operational Logs (Event ID 4104)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for wscript.exe executing .js files from user-writable directories, particularly %USERPROFILE%. | Process Creation | Execution | Low |
| Look for wscript.exe spawning powershell.exe with '-nop' and '-enc' flags. | Process Creation | Execution | Low |
| Monitor for registry writes to HKCU\Software\Microsoft\Windows\CurrentVersion\Run where the value contains wscript.exe and a .js file path. | Registry Events | Persistence | Low |
| Investigate HTTP POST requests to non-standard ports containing query parameters like 'ia=', 'df=', 'ex=', 'sb=', or 'vc='. | Network Logs | Command and Control | Medium |
Control Gaps
- Signature-based Antivirus (malware is currently classified as 'Unknown' and heavily obfuscated)
Key Behavioral Indicators
- wscript.exe -> powershell.exe -nop -enc
- Registry write to HKCU Run pointing to a .js file
- HTTP POST body containing 'a=iz&b='
- HTTP response headers containing 'X-S:' and 'X-A:'
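As an added example that is not part of the report, the following Python checks constructed Sysmon-style process/registry events and proxy-style HTTP records against the four hunting hypotheses and the key behavioral indicators listed above; the event layout, field names and sample values are assumptions, and the last event is a benign PowerShell launch that must not fire.

```python
import re
# Constructed sample telemetry (not from the report), shaped like Sysmon process/registry events and proxy logs.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmd": r'wscript.exe "C:\Users\alice\Downloads\PO-4471.js"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "cmd": "powershell.exe -nop -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},  # constructed blob, not a real payload
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\qzkd",
     "value": r'wscript.exe "C:\Users\alice\qzkd\mvwp.js"'},
    {"type": "http", "method": "POST", "dst_port": 34567, "uri": "/ceoznp?ia=1",
     "body": "a=iz&b=V0lOLUFMSUNF", "resp_headers": {"X-S": "1", "X-A": "0"}},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmd": "powershell.exe -File C:\\Scripts\\inventory.ps1"},  # benign admin task: must not fire
]

RUN_KEY = "hkcu\\software\\microsoft\\windows\\currentversion\\run\\"
C2_PARAMS = ("ia=", "df=", "ex=", "sb=", "vc=")

def match_event(ev: dict) -> list:
    """Return the names of the report's hunting hypotheses / behavioral indicators this event matches."""
    hits = []
    if ev["type"] == "process":
        image, parent, cmd = ev["image"].lower(), ev.get("parent_image", "").lower(), ev["cmd"].lower()
        # Hypothesis 1: wscript.exe running a .js from under %USERPROFILE% (C:\Users\<name>\...)
        if image.endswith("\\wscript.exe") and re.search(r'(%userprofile%|\\users\\)[^"]*\.js', cmd):
            hits.append("wscript_js_from_userprofile")
        # Hypothesis 2 / key behavioral indicator: wscript.exe -> powershell.exe -nop -enc
        if (image.endswith("\\powershell.exe") and parent.endswith("\\wscript.exe")
                and re.search(r"\s-nop\b", cmd) and re.search(r"\s-enc\b", cmd)):
            hits.append("wscript_spawns_encoded_powershell")
    elif ev["type"] == "registry":
        # Hypothesis 3: HKCU Run value that launches wscript.exe with a .js path
        val = ev["value"].lower()
        if ev["key"].lower().startswith(RUN_KEY) and "wscript" in val and ".js" in val:
            hits.append("hkcu_run_wscript_js")
    elif ev["type"] == "http":
        # Hypothesis 4 + C2 indicators: POST to a non-web port with the C2 query params, 'a=iz&b=' body, X-S/X-A headers
        query = ev["uri"].partition("?")[2]
        if (ev["method"] == "POST" and ev["dst_port"] not in (80, 443)
                and any(p in query for p in C2_PARAMS)):
            hits.append("http_post_c2_params_nonstandard_port")
        if ev.get("body", "").startswith("a=iz&b="):
            hits.append("http_post_body_a_iz")
        if {"X-S", "X-A"} <= set(ev.get("resp_headers", {})):
            hits.append("http_resp_x_s_x_a_headers")
    return hits
```

Running `match_event` over each of `SAMPLE_EVENTS` flags the first four and returns an empty list for the benign launch; in a real pipeline the same checks would be applied to parsed Sysmon Event ID 1/13 and proxy records.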
False Positive Assessment
- Low. The combination of wscript.exe spawning encoded PowerShell, specific registry persistence, and custom HTTP headers (X-S, X-A) is highly indicative of malicious activity.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the identified C2 IP addresses and domains at the network perimeter.
- If applicable, isolate endpoints exhibiting wscript.exe spawning encoded PowerShell commands.
Infrastructure Hardening
- Evaluate whether changing default file associations for .js files from wscript.exe to a text editor (like notepad.exe) is feasible in your environment.
- Consider restricting wscript.exe execution from user-writable directories using AppLocker or WDAC.
User Protection
- If supported by your email gateway, consider blocking or quarantining inbound emails containing .js attachments.
- Evaluate whether endpoint security controls are configured to monitor and block AMSI patching techniques.
Security Awareness
- Consider rolling out targeted training for procurement, sales, and finance teams on identifying suspicious business documents and attachments.
- Remind employees to verify unexpected purchase orders or quotes via a secondary communication channel.
MITRE ATT&CK Mapping
- T1204.002 - User Execution: Malicious File
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1620 - Reflective Code Loading
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1082 - System Information Discovery
- T1057 - Process Discovery
- T1071.001 - Application Layer Protocol: Web Protocols
- T1571 - Non-Standard Port
- T1105 - Ingress Tool Transfer
- T1132.002 - Data Encoding: Non-Standard Encoding
- T1041 - Exfiltration Over C2 Channel
- T1027 - Obfuscated Files or Information
- T1027.010 - Obfuscated Files or Information: Command Obfuscation
- T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
- T1140 - Deobfuscate/Decode Files or Information
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1070.004 - Indicator Removal: File Deletion
Additional IOCs
- IPs:
  - 158[.]94[.]211[.]76 - JS.MonoGlyphRAT C2 Server
  - 91[.]92[.]243[.]79 - JS.MonoGlyphRAT C2 Server
- Domains:
  - scan[.]aryamint[.]com - JS.MonoGlyphRAT C2 Domain
  - aryamint[.]com - JS.MonoGlyphRAT C2 Domain
- URLs:
  - hxxp://158[.]94[.]211[.]76:34567/ceoznp - JS.MonoGlyphRAT C2 Endpoint
- File Hashes:
  - 5446b24959c1c2707accfc257aaac61819c01d1ed65bca910a7e8be1787d200f (SHA-256) - Obfuscated JS.MonoGlyphRAT script
- Registry Keys:
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run\* - Persistence mechanism pointing to a .js file
- File Paths:
  - %USERPROFILE%\<random letters>\<random letters>.js - Installed JS payload path
- Command Lines:
  - powershell.exe -nop -enc | Purpose: Executes obfuscated PowerShell payload | Tools: powershell.exe, wscript.exe | Stage: Execution