New wave of JSOutProx malware targeting financial companies in Asia Pacific and MENA
Financial organizations in Asia Pacific (APAC) and the Middle East and North Africa (MENA) are being targeted by new versions of an evolving threat known as JSOutProx.
“JSOutProx is a sophisticated attack framework that leverages JavaScript and .NET,” Resecurity said in a technical report released this week.
“It leverages .NET (des)serialization capabilities to interact with core JavaScript modules running on the victim’s computer. Once executed, the malware causes the framework to load various plugins to perform other malicious activities on the target.”
First discovered by Yoroi in December 2019, early attacks distributing JSOutProx were attributed to a threat actor tracked as Solar Spider, whose intrusions have a track record of striking banks and other large companies in Asia and Europe.
In late 2021, Quick Heal Security Lab detailed an attack using a remote access Trojan (RAT) to specifically target employees of small financial banks in India. As early as April 2020, other campaign waves targeted Indian government institutions.
The attack chain is known to utilize spear phishing emails with malicious JavaScript attachments disguised as PDF and ZIP files containing malicious HTA files to deploy heavily obfuscated implants.
Quick Heal noted at the time [PDF]: “The malware has various plug-ins to perform various operations, such as data exfiltration and file system operations. Beyond that, it has a variety of attack-capable methods that can perform a variety of operations.”
These plug-ins enable the malware to obtain extensive information from infected hosts, control proxy settings, capture clipboard contents, access Microsoft Outlook account details, and collect one-time passwords from Symantec VIP. A unique feature of this malware is the use of cookie header fields for command and control (C2) communications.
JSOutProx is also notable for being a fully functional RAT implemented in JavaScript.
“JavaScript simply does not provide as much flexibility as PE files,” Fortinet FortiGuard Labs said in a December 2020 report describing a campaign targeting the monetary and financial sectors of Asian governments.
“However, since many websites use JavaScript, it appears to be benign to most users, as individuals with basic security knowledge are taught to avoid opening attachments ending in .exe. Additionally, since JavaScript code can be obfuscated, it can easily bypass antivirus detection, allowing it to filter through without being detected.”
The latest set of attacks documented by Resecurity involves using fake SWIFT or MoneyGram payment notifications to trick email recipients into executing malicious code. The activity is said to have spiked starting on February 8, 2024.
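The delivery pattern described above (a JavaScript or HTA payload behind a document-looking name, or packed inside a ZIP that poses as a payment notification) is something a mail gateway or triage script can check for. The following is an added example, not code from Resecurity or the original report; the attachment names and contents are constructed placeholders, and the extension lists are assumptions drawn from the article's description.

```python
import io
import zipfile

# Extensions the article names as JSOutProx delivery vehicles (assumed list).
SCRIPT_EXTS = {".js", ".hta"}
# "Document" extensions a script may hide behind, e.g. notice.pdf.js (assumed list).
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def classify_attachment(name: str, data: bytes) -> list:
    """Return the reasons this attachment matches the lure pattern (empty = clean)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    # Script attachment, possibly with a double extension that mimics a document.
    if exts and exts[-1] in SCRIPT_EXTS:
        if len(exts) > 1 and exts[-2] in DOC_EXTS:
            reasons.append(f"script disguised as document: {name}")
        else:
            reasons.append(f"script attachment: {name}")
    # ZIP container (by magic bytes or extension): look inside for script payloads.
    if data[:4] == b"PK\x03\x04" or (exts and exts[-1] == ".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    mext = "." + member.lower().rsplit(".", 1)[-1] if "." in member else ""
                    if mext in SCRIPT_EXTS:
                        reasons.append(f"archive {name} contains script {member}")
        except zipfile.BadZipFile:
            reasons.append(f"claims to be ZIP but is not a valid archive: {name}")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed ZIP with an inert .hta member, mirroring the archive lure."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SWIFT_Payment_Advice.hta", "<html><!-- constructed placeholder --></html>")
    return buf.getvalue()


# Constructed sample mailbox: names echo the payment-notification theme in the article.
CONSTRUCTED_ATTACHMENTS = {
    "MoneyGram_Receipt.pdf.js": b"// constructed placeholder, not malware",
    "SWIFT_Notification.zip": build_sample_zip(),
    "invoice.pdf": b"%PDF-1.4 constructed placeholder",
}


def scan_attachments(attachments: dict) -> dict:
    """Map each flagged attachment name to its reasons; clean files are omitted."""
    result = {name: classify_attachment(name, data) for name, data in attachments.items()}
    return {name: reasons for name, reasons in result.items() if reasons}
```

Run `scan_attachments(CONSTRUCTED_ATTACHMENTS)` to see the two lure-style files flagged and the plain PDF passed through.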
These artifacts have been observed being hosted on GitHub and GitLab repositories, but have since been blocked and removed.
“Once the malicious code is successfully delivered, the attacker deletes the repository and creates a new one,” the cybersecurity firm said. “This tactic may be consistent with the way attackers manage multiple malicious payloads and differentiate targets.”
Resecurity says the exact origins of the cybercriminal organization behind the malware are currently unclear, but the distribution of victims in the attacks and the complexity of the implants suggest that the group originates from or is connected to China.
The development comes as cybercriminals are promoting new software on the dark web called GEOBOX, which repurposes Raspberry Pi devices for fraud and anonymization.
For just $80 per month (or $700 for a lifetime license), the tool allows operators to spoof GPS locations, emulate specific network and software settings, mimic the settings of known Wi-Fi access points, and bypass anti-spoofing filters.
Such tools create serious security risks because they open the door to a variety of criminal activities, such as state-sponsored attacks, corporate espionage, darknet market operations, financial fraud, anonymous distribution of malware, and even access to geofenced content.
“GEOBOX’s ease of access raises serious concerns in the cybersecurity community about its potential for widespread adoption among a variety of threat actors,” Resecurity said.
from Tech Empire Solutions https://techempiresolutions.com/new-wave-of-jsoutprox-malware-targeting-financial-companies-in-asia-pacific-and-mena/
via https://techempiresolutions.com/