The APT34 Jason project represents a sophisticated cyber espionage tool designed for credential harvesting from Microsoft Exchange servers. Released by Lab Dookhtegan on June 3, 2019, this .NET GUI application demonstrates the evolving tactics of Iranian-state sponsored threat actors.

Overview

Jason is a graphic tool implemented to perform Microsoft Exchange account brute-force attacks. Distributed in a ZIP container, the interface is designed to be intuitive for threat actors seeking to compromise email accounts at scale.

Technical Composition

The Jason toolkit includes several key components:

• Jason.exe: The main executable file
• Microsoft.Exchange.WebService.dll (v15.0.0.0, 2012): Exchange Web Services library for interacting with Exchange servers
• PassSample: Directory containing sample passwords
• PasswordPatterns: Directory with various password pattern files:
• Year.txt
• numspecial.txt
• num4.txt
• num4special.txt

Code Analysis and Characteristics

Analysis of the Jason tool reveals several notable characteristics consistent with other APT34 tools:

• Strong exception handling: Similar to prior APT34 tools like WebMask and Glimpse, indicating a consistent development approach
• 
  .NET framework usage: Leveraging Windows-native technologies for better integration with target environments
• Exchange Web Services (EWS) integration: Targeting Exchange servers via EWS/OAB protocols for stealthier access
• Offline password attack capabilities: Including local password lists reduces network noise during attacks

Indicators of Compromise (IoCs)

For detection and hunting purposes, the following IoCs are associated with the Jason tool:

Attack Methodology

The Jason tool operates by:

1. Loading Exchange Web Services credentials
2. Connecting to target Exchange servers via EWS/OAB
3. Attempting authentication using various password combinations from provided lists
4. Upon successful authentication, harvesting emails from compromised accounts
5. Exfiltrating collected data to threat actor-controlled servers

Detection and Mitigation Strategies

Network-Based Detection

Look for:

• Unusual EWS/OAB authentication attempts
• Multiple failed login attempts followed by success
• Large data transfers from Exchange servers to unfamiliar destinations
• Access to Exchange services from unusual geographic locations

Host-Based Indicators

Monitor for:

• Execution of Jason.exe or similar .NET applications
• Unexpected Microsoft.Exchange.WebService.dll loading
• Access to password files in unusual contexts
• Registry modifications related to Exchange client configuration

Preventive Measures

To defend against tools like Jason:

• Implement MFA for all Exchange/Office 365 accounts
• Enable and monitor Exchange audit logging
• Restrict EWS/OAB access to only necessary clients and networks
• Implement account lockout policies after failed attempts
• Use Exchange Online Advanced Threat Protection
• Regularly review Exchange login reports for anomalies

Context Within APT34 Operations

The Jason tool fits within APT34's broader toolset, which includes:

• WebMask: Webshell management tool
• Glimpse: Information gathering utility
• Various custom backdoors and droppers
• Jason represents their focus on credential harvesting and data exfiltration capabilities

Conclusion

The APT34 Jason project demonstrates the continued evolution of cyber espionage tools targeting enterprise email systems. By combining Exchange Web Services with brute-force capabilities and strong operational security practices (like local password testing), threat actors can efficiently harvest credentials while minimizing network-based detection.

Organizations should focus on detecting anomalous Exchange authentication patterns, implementing strong MFA policies, and maintaining comprehensive logging to defend against such credential harvesting attacks.