JS.MonoGlyphRAT Malware Evades Detection via Advanced Obfuscation, Targets US Enterprises
A new JavaScript malware, JS.MonoGlyphRAT, is actively targeting US enterprises by masquerading as legitimate purchase orders in phishing emails, employing sophisticated obfuscation techniques that bypass traditional signature-based antivirus defenses.

A novel and stealthy JavaScript malware, dubbed JS.MonoGlyphRAT, is actively targeting organizations across the United States, with confirmed infections spreading to the technology, managed security service provider (MSSP), telecommunications, and education sectors. The malware's unique obfuscation method, which involves constructing variable and function names from mixed-case repeated characters, makes it exceptionally difficult for standard security tools to detect. Researchers have noted that on major threat intelligence platforms like VirusTotal and ThreatFox, JS.MonoGlyphRAT often appears as "Unknown malware," underscoring its evasion capabilities.
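As an added illustration of the detection problem described above (this is example code written for this page, not the researchers' tooling or anything taken from the sample), the following Python heuristic flags JavaScript identifiers that consist of a single letter repeated in mixed case. The sample fragment, the identifier regex, and the length and ratio thresholds are all constructed assumptions; the article gives only the general description of the naming scheme, not the exact pattern.

```python
import re

# Constructed sample in the style the article describes: identifiers built from
# one letter repeated in mixed case. Illustrative text for this example only,
# not code from the real sample.
SAMPLE_JS = r"""
var IiIIiIi = "hello";
function oOooOOo(iIiIii, IIiiII) { return iIiIii + IIiiII; }
var total = oOooOOo(IiIIiIi, "world");
console.log(total);
"""

STRING_RE = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'')  # string literals are not identifiers
IDENT_RE = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")
JS_KEYWORDS = {
    "var", "let", "const", "function", "return", "if", "else", "for", "while",
    "new", "this", "true", "false", "null", "undefined", "typeof", "in",
}


def is_monoglyph(name, min_len=4):
    """True if `name` is one letter repeated, with both cases present.

    min_len and the mixed-case requirement are thresholds chosen for this
    example to keep short legitimate names (e.g. "x", "ii") out of the hits.
    """
    if len(name) < min_len or not name.isalpha():
        return False
    if len(set(name.lower())) != 1:
        return False
    return name != name.lower() and name != name.upper()


def scan_source(src, min_len=4):
    """Count identifiers in `src` and how many of them are mono-glyph names."""
    cleaned = STRING_RE.sub('""', src)
    names = [n for n in IDENT_RE.findall(cleaned) if n not in JS_KEYWORDS]
    flagged = [n for n in names if is_monoglyph(n, min_len)]
    return {
        "total": len(names),
        "monoglyph": len(flagged),
        "ratio": len(flagged) / len(names) if names else 0.0,
        "names": sorted(set(flagged)),
    }


def looks_obfuscated(src, min_ratio=0.3, min_count=3):
    """Example triage verdict: enough mono-glyph names, both absolutely and relatively."""
    result = scan_source(src)
    return result["monoglyph"] >= min_count and result["ratio"] >= min_ratio


if __name__ == "__main__":
    print(scan_source(SAMPLE_JS))
    print("obfuscated:", looks_obfuscated(SAMPLE_JS))
```

Run it against a directory of mail-attachment scripts to surface candidates for sandboxing; the ratio matters more than the raw count, since a large legitimate library may contain a few odd names but not a majority of them.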
The attack vector relies on highly convincing phishing emails that impersonate routine business communications. Employees in procurement, sales, or finance departments are targeted with messages containing JavaScript files disguised with filenames such as "PURCHASE ORDER_12258.js" or "QUOTE_B2026.js." These lures are designed to trick recipients into opening the malicious attachment without suspicion, initiating the infection process.
Once executed via Windows Script Host (WSH), JS.MonoGlyphRAT establishes persistence by copying itself into a user's profile directory and creating a registry entry that ensures it launches automatically upon system reboot. This silent persistence mechanism allows attackers to maintain a foothold within the network without immediate user or security team detection. The malware then communicates with its command-and-control (C2) server over HTTP on non-standard ports, further aiding its evasion of network monitoring tools.
During its initial C2 communication, JS.MonoGlyphRAT collects critical system information, including the username, domain, operating system version, and hardware profile. This data is exfiltrated back to the attacker, after which the malware enters a dormant state, awaiting further instructions. This reconnaissance phase is crucial for the attackers to understand the compromised environment and plan subsequent stages of the attack.
The capabilities of JS.MonoGlyphRAT extend beyond initial access. Attackers can remotely instruct the malware to download additional malicious payloads, execute encrypted PowerShell commands, and even load code entirely into memory, leaving minimal traces on the disk. Furthermore, the malware can actively patch Windows' built-in security scanning mechanisms to suppress future detection attempts, creating a more robust and persistent presence.
C2 communications are heavily protected through custom HTTP response headers and layered encryption. The malware uses AES-128 and XOR encoding for data exchanged with its C2 server, with parts of the encryption key hardcoded within the malware itself. This combination of custom transport and layered encryption significantly complicates forensic analysis and threat hunting.
Security professionals are advised to prioritize behavioral monitoring and real-time analysis over reliance on signature-based detection. Key indicators of compromise include suspicious wscript.exe activity executing JavaScript from user directories, PowerShell processes with encoded commands, new registry run keys pointing to .js files, and unusual HTTP POST traffic to non-standard ports. Early detection requires a proactive approach focusing on anomalous system behavior.
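The four indicators listed above can be expressed as simple hunting rules. The following Python block is an added example for this page, not tooling from the article or its researchers, that runs those rules over a handful of constructed telemetry records (process creation, registry value writes, outbound HTTP). The record field names, the choice of 80 and 443 as the only "standard" HTTP ports, and every sample value (TEST-NET address, user name, file names, the base64 placeholder) are assumptions made for this example.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
STANDARD_HTTP_PORTS = {80, 443}  # example assumption; tune to your environment

USER_DIR_RE = re.compile(r"[A-Za-z]:\\Users\\", re.IGNORECASE)
JS_FILE_RE = re.compile(r"\.js\b", re.IGNORECASE)
# powershell.exe accepts unambiguous prefixes of -EncodedCommand; match the common ones
ENCODED_RE = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)

# Constructed telemetry records. Four map to the article's indicators, three are benign noise.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\PURCHASE ORDER_12258.js"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUE="},  # placeholder base64
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": r'wscript.exe "C:\Users\alice\AppData\Roaming\updater.js"'},
    {"type": "network", "image": r"C:\Windows\System32\wscript.exe",
     "method": "POST", "dest_port": 7080, "url": "http://203.0.113.10:7080/"},  # TEST-NET address
    {"type": "process", "image": r"C:\Program Files\App\app.exe", "cmdline": "app.exe --update"},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "method": "GET", "dest_port": 443, "url": "https://example.com/"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def evaluate(event):
    """Return the names of every rule the event matches (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process":
        image = ntpath.basename(event.get("image", "")).lower()
        cmdline = event.get("cmdline", "")
        # Indicator 1: a script host running a .js file from somewhere under C:\Users
        if image in SCRIPT_HOSTS and JS_FILE_RE.search(cmdline) and USER_DIR_RE.search(cmdline):
            hits.append("wsh_js_from_user_dir")
        # Indicator 2: PowerShell launched with an encoded command
        if image in POWERSHELL and ENCODED_RE.search(cmdline):
            hits.append("powershell_encoded_command")
    elif kind == "registry":
        # Indicator 3: a Run/RunOnce value whose data points at a .js file
        if RUN_KEY_RE.search(event.get("key", "")) and JS_FILE_RE.search(event.get("data", "")):
            hits.append("run_key_points_to_js")
    elif kind == "network":
        # Indicator 4: HTTP POST to a port outside the expected set
        if event.get("method", "").upper() == "POST" and event.get("dest_port") not in STANDARD_HTTP_PORTS:
            hits.append("http_post_nonstandard_port")
    return hits


def hunt(events):
    """Run every rule over every event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in evaluate(ev)]


if __name__ == "__main__":
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Each rule on its own will produce some benign hits (developers run scripts from their home directories; admins use encoded commands), so in practice the value comes from correlating them: a script host launched from a user directory that is followed, from the same host, by a Run-key write and a POST to an odd port is the chain the article describes.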