New Wave of JSOutProx Malware Targeting Financial Firms in APAC and MENA
5.4.24 Virus The Hacker News
Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) are being targeted by a new version of an "evolving threat" called JSOutProx.
"JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET," Resecurity said in a technical report published this week.
"It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim's machine. Once executed, the malware enables the framework to load various plugins, which conduct additional malicious activities on the target."
First identified in December 2019 by Yoroi, early attacks distributing JSOutProx have been attributed to a threat actor tracked as Solar Spider. The operation has a track record of striking banks and other big companies in Asia and Europe.
In late 2021, Quick Heal Security Labs detailed attacks leveraging the remote access trojan (RAT) to single out employees of small finance banks from India. Other campaign waves have taken aim at Indian government establishments as far back as April 2020.
Attack chains are known to leverage spear-phishing emails bearing malicious JavaScript attachments masquerading as PDFs and ZIP archives containing rogue HTA files to deploy the heavily obfuscated implant.
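The delivery tricks described above (a script attachment named to look like a PDF, or a ZIP that carries an HTA) are cheap to screen for at the mail gateway. The following is an added example written for this page, not code from Resecurity or any of the vendors cited, showing attachment triage by filename and by ZIP member listing. The filenames and the in-memory ZIP are constructed samples; the extension lists are assumptions about what a Windows script host will execute, not a claim about JSOutProx's exact lure names.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that Windows hands to a script host (wscript/cscript/mshta) on double-click.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta"}
# Document-looking extensions an attacker prepends so the name reads as a PDF or receipt.
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_name(name: str) -> list[str]:
    """Findings for one attachment filename (an empty list means nothing suspicious)."""
    findings = []
    # Normalise backslashes so ZIP members written by Windows tools parse the same way.
    suffixes = [s.lower() for s in PurePosixPath(name.replace("\\", "/")).suffixes]
    if not suffixes:
        return findings
    real_ext = suffixes[-1]  # the extension the OS actually acts on
    if real_ext in SCRIPT_EXTS:
        findings.append(f"script attachment {name!r} ({real_ext})")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            findings.append(f"double extension: {name!r} masquerades as {suffixes[-2]}")
    return findings


def triage_attachment(name: str, data: bytes) -> list[str]:
    """Classify an attachment by its name and, if it is a ZIP, by the names inside it."""
    findings = classify_name(name)
    if data[:2] == b"PK":  # ZIP local-file-header magic
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    findings.extend(f"inside {name!r}: {f}" for f in classify_name(member))
        except zipfile.BadZipFile:
            findings.append(f"{name!r} has ZIP magic but is not a valid archive")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: an archive carrying an HTA named like a payment receipt."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("MoneyGram_Receipt.pdf.hta", "<html><!-- constructed placeholder --></html>")
        zf.writestr("readme.txt", "constructed benign text")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed attachments, not real lures.
    samples = [
        ("SWIFT_Notification.pdf.js", b"// constructed placeholder"),
        ("Receipt.zip", build_sample_zip()),
        ("statement.pdf", b"%PDF-1.4 constructed placeholder"),
    ]
    for name, data in samples:
        print(name, "->", triage_attachment(name, data) or "clean")
```

Name-based checks only catch what the attacker did not bother to hide; a real gateway should also sniff member content (an HTA is HTML with script, a .js file is text) and sandbox anything that reaches a script host, but the double-extension and archive-member checks cost nothing and match the lure pattern this campaign is reported to use.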
"This malware has various plugins to perform various operations such as exfiltration of data, performing file system operations," Quick Heal noted [PDF] at the time. "Apart from that, it also has various methods with offensive capabilities that perform various operations."
The plugins allow it to harvest a wide range of information from the compromised host, control proxy settings, capture clipboard content, access Microsoft Outlook account details, and gather one-time passwords from Symantec VIP. A unique feature of the malware is its use of the Cookie header field for command-and-control (C2) communications.
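Carrying C2 traffic in the Cookie header blends in because almost every HTTP request carries one. The article does not describe the format JSOutProx uses, so the added example below (written for this page, not code from Resecurity or the other vendors cited) applies generic heuristics a proxy-log analyst would reach for: a Cookie sent to a host that never issued Set-Cookie, cookie elements that are not in name=value form, oversized headers, and high-entropy values. The proxy records, hostnames and the beacon stand-in are constructed; thresholds are assumptions to tune per environment.

```python
import math
import re
import string
from collections import Counter

# RFC 6265 cookie-pair shape: token "=" value, one pair per ';'-separated element.
COOKIE_PAIR = re.compile(r"^[\w!#$%&'*+.^`|~-]+=[^;]*$")


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random base64 tends toward 6.0, English text around 4.0."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def cookie_findings(host, cookie, hosts_that_set_cookies, *,
                    max_len=512, entropy_threshold=4.5, min_blob=64):
    """Heuristic findings for one request's Cookie header (assumed thresholds)."""
    findings = []
    if not cookie:
        return findings
    pairs = [p.strip() for p in cookie.split(";") if p.strip()]
    if any(not COOKIE_PAIR.match(p) for p in pairs):
        findings.append("cookie element not in name=value form")
    if host not in hosts_that_set_cookies:
        findings.append("Cookie sent to a host that never issued Set-Cookie")
    if len(cookie) > max_len:
        findings.append(f"Cookie header length {len(cookie)} exceeds {max_len}")
    # Concatenate the values only; cookie names are usually short and low-entropy.
    blob = "".join(p.split("=", 1)[1] for p in pairs if "=" in p)
    if len(blob) >= min_blob:
        h = shannon_entropy(blob)
        if h > entropy_threshold:
            findings.append(f"high-entropy cookie values (H={h:.2f} bits/char)")
    return findings


def scan_traffic(records):
    """Walk proxy records in order: responses teach which hosts legitimately set cookies,
    requests are scored against that knowledge. Returns [(host, findings)] per request."""
    setters = set()
    results = []
    for rec in records:
        if rec["kind"] == "response":
            if rec.get("set_cookie"):
                setters.add(rec["host"])
        else:
            results.append((rec["host"], cookie_findings(rec["host"], rec.get("cookie"), setters)))
    return results


# Constructed stand-in for an encoded beacon: all 64 base64 symbols twice (entropy exactly 6.0).
FAKE_BEACON = (string.ascii_letters + string.digits + "+/") * 2

# Constructed proxy records, not real traffic; 203.0.113.10 is a documentation address.
SAMPLE_TRAFFIC = [
    {"kind": "response", "host": "mail.example.com", "set_cookie": "session=abc123; Path=/"},
    {"kind": "request", "host": "mail.example.com", "cookie": "session=abc123"},
    {"kind": "request", "host": "203.0.113.10", "cookie": f"id={FAKE_BEACON}"},
    {"kind": "request", "host": "203.0.113.10", "cookie": "data:QUJD"},
]

if __name__ == "__main__":
    for host, findings in scan_traffic(SAMPLE_TRAFFIC):
        print(host, "->", findings or "ok")
```

The never-set-a-cookie rule is the strongest single signal but needs a warm-up period: hosts that issued their cookies before logging began, or that set them from script via document.cookie rather than a Set-Cookie header, will trip it until they are allowlisted. The entropy rule alone is noisy because legitimate session tokens are random too, which is why the findings are reported together and scored rather than alerting on any one of them.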
JSOutProx also stands out for the fact that it's a fully functional RAT implemented in JavaScript.
"JavaScript simply does not offer as much flexibility as a PE file does," Fortinet FortiGuard Labs said in a report released in December 2020, describing a campaign directed against governmental monetary and financial sectors in Asia.
"However, as JavaScript is used by many websites, it appears to most users as benign, as individuals with basic security knowledge are taught to avoid opening attachments that end in .exe. Also, because JavaScript code can be obfuscated, it easily bypasses antivirus detection, allowing it to filter through undetected."
The latest set of attacks documented by Resecurity entails using fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code. The activity is said to have witnessed a spike starting February 8, 2024.
The artifacts have been observed hosted on GitHub and GitLab repositories, which have since been blocked and taken down.
"Once the malicious code has been successfully delivered, the actor removes the repository and creates a new one," the cybersecurity company said. "This tactic is likely related to the approach the actor uses to manage multiple malicious payloads and differentiate targets."
The exact origins of the e-crime group behind the malware are presently unknown, although the victimology distribution of the attacks and the sophistication of the implant point to the group originating from China or being affiliated with it, Resecurity posited.
The development comes as cyber criminals are promoting on the dark web new software called GEOBOX that repurposes Raspberry Pi devices for conducting fraud and anonymization.
Offered for only $80 per month (or $700 for a lifetime license), the tool allows the operators to spoof GPS locations, emulate specific network and software settings, mimic settings of known Wi-Fi access points, as well as bypass anti-fraud filters.
Such tools could have serious security implications as they open the door to a broad spectrum of crimes like state-sponsored attacks, corporate espionage, dark web market operations, financial fraud, anonymous distribution of malware, and even access to geofenced content.
"The ease of access to GEOBOX raises significant concerns within the cybersecurity community about its potential for widespread adoption among various threat actors," Resecurity said.