JenX
Malware
⚠️ Overview
JenX is a modular information-stealing malware first documented in May 2023 by researchers at Proofpoint, categorized as a Trojan designed for credential theft and data exfiltration. It is widely attributed to the threat group tracked as TA2541, also known for distributing AsyncRAT and Nanocore, and is typically delivered via phishing campaigns using ISO and LNK files.
🔧 Technical Capabilities
JenX employs a multi-stage infection chain. Initial access comes via spear-phishing emails with malicious attachments (commonly ZIP archives containing ISO or LNK files); when the user opens them, a .NET-based loader is downloaded from an attacker-controlled C2 server. The loader injects into legitimate Windows processes such as regsvr32.exe or rundll32.exe (MITRE ATT&CK T1055) to evade detection. Persistence is achieved through registry Run keys (T1547.001) and scheduled tasks (T1053.005). C2 traffic travels over HTTPS and is additionally encrypted with RC4 under a key hardcoded in the binary; because the key is fixed, extracting it from one sample decrypts the traffic of every victim, and if no per-message nonce is mixed in, every beacon is XORed with the same keystream. A domain generation algorithm (DGA) rotates C2 domains every 48 hours. Stealth mechanisms include sandbox detection by checking for common analysis tools such as Wireshark (T1497.001) and delaying execution for up to 30 minutes to outlast the time budget of dynamic-analysis sandboxes.
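As an added illustration (not JenX's code and not from Proofpoint's write-up), the following shows what "RC4 with a hardcoded key" means for an analyst: with the key, every victim's beacon decrypts; without it, one known plaintext (for example the beacon your own sandbox host sent) recovers the keystream and strips the next beacon. The key ASSUMED_KEY, the beacon layout (JSON, then RC4, then base64) and the sample beacons are constructed assumptions, not values recovered from a sample.

```python
# Added example: RC4 with a hardcoded key, as this page describes for JenX's
# C2 channel. The key, the beacon layout (JSON -> RC4 -> base64) and the beacons
# are constructed assumptions for illustration, not recovered from a sample.
import base64
import json

ASSUMED_KEY = b"JenX-demo-key"  # hypothetical; a real key is pulled from the unpacked loader


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encrypt_beacon(key: bytes, fields: dict) -> str:
    """Stealer side: serialise, RC4, base64 (what would ride inside the HTTPS POST body)."""
    return base64.b64encode(rc4(key, json.dumps(fields, sort_keys=True).encode())).decode()


def decrypt_beacon(key: bytes, body_b64: str) -> dict:
    """Analyst side. A wrong key yields garbage that fails to parse as JSON."""
    return json.loads(rc4(key, base64.b64decode(body_b64)))


def recover_without_key(ct1_b64: str, pt1: bytes, ct2_b64: str) -> bytes:
    """Keystream reuse: a fixed key with no per-message nonce means every beacon
    is XORed with the same keystream. One known plaintext gives the keystream,
    which strips the next beacon up to the known length, without the key."""
    ct1, ct2 = base64.b64decode(ct1_b64), base64.b64decode(ct2_b64)
    n = min(len(ct1), len(pt1), len(ct2))
    keystream = bytes(a ^ b for a, b in zip(ct1[:n], pt1[:n]))
    return bytes(c ^ k for c, k in zip(ct2[:n], keystream))


if __name__ == "__main__":
    # Constructed beacons: one from a lab sandbox host, one from a "victim".
    lab = {"bot": "LAB-SANDBOX-01", "mod": "browser", "user": "analyst"}
    victim = {"bot": "WIN-7F2A", "mod": "wallet", "user": "alice"}
    ct_lab = encrypt_beacon(ASSUMED_KEY, lab)
    ct_victim = encrypt_beacon(ASSUMED_KEY, victim)
    print("with key:   ", decrypt_beacon(ASSUMED_KEY, ct_victim))
    known = json.dumps(lab, sort_keys=True).encode()
    print("without key:", recover_without_key(ct_lab, known, ct_victim))
```

The rc4 function is checked against the standard test vector (key "Key", plaintext "Plaintext"), so the decryption path is trustworthy once the real key has been lifted from a sample; the keystream-reuse path is the reason a hardcoded-key design is weak even before the key is found.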
📜 History & Notable Incidents
JenX first appeared on underground forums in April 2023, sold as crimeware-as-a-service through Telegram channels. In August 2023, a campaign targeted the United States healthcare sector, deploying JenX alongside the Vidar stealer and leading to the exfiltration of patient records. No CVE is assigned to JenX itself; its campaigns are reported to exploit CVE-2023-36025, a Windows SmartScreen security-feature bypass (patched by Microsoft in November 2023) that suppresses the SmartScreen warning when a user opens a crafted Internet Shortcut (.url) file. This lowers the bar to a single click rather than removing user interaction entirely. No law enforcement takedowns have been publicly reported, but multiple ISPs blocked over 50 of its C2 domains in early 2024.
🔍 Detection Indicators
The only hash given here for JenX loaders, SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is a placeholder: it is the SHA-256 of empty input, will match nothing useful, and must not be loaded into a blocklist; take verified hashes from the Proofpoint write-up. Behavioural indicators are more durable: a scheduled task named UpdaterTask and a Run value at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\JenXUpdate (Sysmon records the same path under HKU\<SID>\Software\...). Network indicators are outbound HTTPS requests to hosts matching the regular expression ^[a-z]{8}\.xyz$ with the User-Agent Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36; note that this is a stock Chrome 114 User-Agent sent by ordinary browsers, so it only adds confidence when combined with the domain pattern, never on its own.
☠️ Risk & Impact
JenX primarily targets credentials from browsers (Chrome, Edge, Firefox), cryptocurrency wallets, and FTP clients, causing data exfiltration and potential identity theft. Financial losses from associated ransomware deployments (such as Rhysida) have exceeded $3 million in 2023 according to incident response reports. The highest-impacted sectors include healthcare, education, and government, where sensitive personal data is often stolen.
🛡️ Mitigation
Defenders should filter ISO and LNK attachments at the email gateway, deploy EDR rules that detect process injection into regsvr32.exe and rundll32.exe (for example a Sigma rule such as proc_injection_regsvr32), and apply the CVE-2023-36025 patch. Block DGA-generated domains using threat intelligence feeds such as Proofpoint's and by flagging newly seen eight-letter .xyz hosts in DNS and proxy logs, and keep users aware of phishing lures that use password-protected ZIP files, a packaging choice made precisely because gateway scanners cannot open the archive.
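The indicators listed under Detection Indicators and the EDR and domain-blocking advice above, turned into a small hunt over log lines. This is an added example, not Proofpoint's or any vendor's detection content; the key=value log format is a simplified stand-in for Sysmon, Windows Security and proxy events, and every line in SAMPLE_LOGS is constructed. It treats the page's User-Agent as a confidence booster only, and accepts the Run value both as HKCU\... and as the HKU\<SID>\... form Sysmon actually logs.

```python
# Added example (not vendor or Proofpoint detection content): hunt constructed
# log lines for the indicators this page lists for JenX. Lines use a simplified
# key=value layout standing in for Sysmon, Windows Security and proxy logs.
import re
from dataclasses import dataclass

# Sysmon renders HKCU as HKU\<SID>, so match on the suffix under either hive.
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run\jenxupdate"
TASK_NAME = "UpdaterTask"
DGA_HOST = re.compile(r"^[a-z]{8}\.xyz$")
# The UA quoted on the page is a stock Chrome 114 string that ordinary browsers
# also send: it raises confidence on a DGA-pattern host but never alerts alone.
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36")
INJECTION_TARGETS = {"regsvr32.exe", "rundll32.exe"}

# Constructed sample events (not real telemetry).
SAMPLE_LOGS = [
    'src=sysmon event=registry_set image="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe" '
    'target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\JenXUpdate"',
    'src=security event=task_created task="\\UpdaterTask" user=alice',
    'src=sysmon event=create_remote_thread source_image="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe" '
    'target_image="C:\\Windows\\System32\\regsvr32.exe"',
    'src=proxy event=http host=qwertyui.xyz method=POST ua="' + C2_UA + '"',
    'src=proxy event=http host=www.example.com method=GET ua="' + C2_UA + '"',
    'src=sysmon event=registry_set image="C:\\Program Files\\Vendor\\app.exe" '
    'target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorTray"',
]


@dataclass
class Hit:
    source: str
    technique: str
    detail: str


def parse_kv(line: str) -> dict:
    """Split 'key=value' tokens; values containing spaces are double-quoted."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|(\S+))', line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_jenx_run_value(target: str) -> bool:
    t = target.lower()
    return t.endswith(RUN_SUFFIX) and (t.startswith("hkcu") or t.startswith("hku\\"))


def hunt(lines) -> list:
    """Return one Hit per event that matches a page-listed indicator."""
    hits = []
    for line in lines:
        ev = parse_kv(line)
        src, kind = ev.get("src", "?"), ev.get("event")
        if kind == "registry_set" and is_jenx_run_value(ev.get("target", "")):
            hits.append(Hit(src, "T1547.001 Run value JenXUpdate", ev.get("image", "")))
        elif kind == "task_created" and ev.get("task", "").lstrip("\\") == TASK_NAME:
            hits.append(Hit(src, "T1053.005 task UpdaterTask", ev.get("user", "")))
        elif kind == "create_remote_thread" and basename(ev.get("target_image", "")) in INJECTION_TARGETS:
            hits.append(Hit(src, "T1055 injection",
                            f'{ev.get("source_image", "")} -> {ev.get("target_image", "")}'))
        elif kind == "http" and DGA_HOST.match(ev.get("host", "")):
            conf = "high" if ev.get("ua") == C2_UA else "medium"
            hits.append(Hit(src, f"DGA-pattern C2 host ({conf})", ev.get("host", "")))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOGS):
        print(hit)
```

Run as-is it reports four hits (Run value, scheduled task, injection into regsvr32.exe, and the eight-letter .xyz host at high confidence) and stays silent on the ordinary browser request that carries the same User-Agent and on the unrelated vendor Run value.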
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.