New wave of JSOutProx malware targeting financial firms in APAC and MENA

05 April 2024 | Pressroom | Cyber espionage / cyber security


Financial organizations in Asia-Pacific (APAC) and the Middle East and North Africa (MENA) are being targeted by a new version of an “evolving threat” called JSOutProx.

“JSOutProx is a sophisticated attack framework that uses both JavaScript and .NET,” Resecurity said in a technical report published this week.

“It uses .NET’s (de)serialization functionality to interact with a main JavaScript module running on the victim’s computer. Once executed, the malware allows the framework to load various plugins, which conduct further malicious activity on the target.”

First identified by Yoroi in December 2019, the earliest attacks deploying JSOutProx were attributed to a threat actor tracked as Solar Spider. The operation has a track record of hitting banks and other large companies in Asia and Europe.

In late 2021, Quick Heal Security Labs detailed attacks that leveraged the remote access trojan (RAT) to target employees of small finance banks in India. Other waves of campaigns targeted Indian government institutions as early as April 2020.


Attack chains are known to rely on spear-phishing emails carrying malicious JavaScript attachments that masquerade as PDFs, as well as ZIP archives containing rogue HTA files, to deploy the heavily obfuscated implant.
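As an added defender-side illustration (not code from Resecurity, Quick Heal or the report), the following mail-gateway triage check looks for the lure layout described above: script attachments wearing a document-looking double extension (such as a ".pdf.js" name) and ZIP archives that carry HTA files. The extension lists, file names and the in-memory sample archive are assumptions constructed for the example.

```python
import io
import zipfile
from typing import List, Optional

# Script-host extensions that this kind of lure arrives as (assumed policy list).
SCRIPT_EXTS = {".js", ".jse", ".hta", ".vbs", ".wsf"}
# Document extensions the lures masquerade as, e.g. "payment.pdf.js" (assumed list).
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def classify_name(name: str) -> Optional[str]:
    """Return a finding label for a suspicious file name, or None if it looks benign."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) < 2:
        return None
    ext = "." + parts[-1]
    if ext not in SCRIPT_EXTS:
        return None
    # A document extension sitting directly before the script extension is the
    # "JavaScript masquerading as a PDF" pattern from the report.
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return "double-extension script (" + "." + parts[-2] + ext + ")"
    return "script attachment (" + ext + ")"


def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Flag a direct script attachment, or script members inside a ZIP archive."""
    findings = []
    label = classify_name(filename)
    if label:
        findings.append(filename + ": " + label)
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                label = classify_name(member)
                if label:
                    findings.append(filename + "!" + member + ": " + label)
    return findings


def _build_sample_zip() -> bytes:
    # Constructed sample: a ZIP whose members only mimic the lure layout (no real payload).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SWIFT_notice.hta", "<html><!-- placeholder --></html>")
        zf.writestr("readme.txt", "plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_attachment("MoneyGram_receipt.pdf.js", b"// placeholder"):
        print(f)
    for f in triage_attachment("notice.zip", _build_sample_zip()):
        print(f)
```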

“This malware has various plugins to perform various operations such as data exfiltration, performing file system operations,” Quick Heal noted [PDF] at the time. “Beyond that, it also has various methods with offensive capabilities that perform various operations.”

The plugins make it possible to collect a wide range of information from the compromised host, control proxy settings, capture clipboard contents, access Microsoft Outlook account details, and harvest one-time passwords from Symantec VIP. A unique feature of the malware is its use of the Cookie header field for command-and-control (C2) communications.

JSOutProx is also notable for being a fully functional RAT implemented in JavaScript.

“JavaScript simply does not offer the same flexibility as a PE file,” Fortinet FortiGuard Labs said in a report published in December 2020, describing a campaign directed against government monetary and financial sectors in Asia.

“However, because JavaScript is used by many websites, it appears harmless to most users, as people with basic security knowledge are taught to avoid opening attachments ending in .exe. Additionally, because JavaScript code can be obfuscated, it easily bypasses antivirus detection, allowing it to filter through without being detected.”

The latest series of attacks documented by Resecurity uses fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code. The activity is said to have peaked starting February 8, 2024.

The artifacts were observed hosted on GitHub and GitLab repositories, which have since been blocked and removed.

“Once the malicious code has been successfully distributed, the author removes the repository and creates a new one,” the cybersecurity firm said. “This tactic is likely related to the actor handling multiple malicious payloads and differentiating targets.”


The exact origins of the e-crime group behind the malware are currently unknown, although the victimology of the attacks and the sophistication of the implant hint at a Chinese or Chinese-affiliated origin, Resecurity speculated.

The development comes as cybercriminals are promoting new software on the dark web called GEOBOX, which repurposes Raspberry Pi devices for fraud and anonymization.

Offered for just $80 a month (or $700 for a lifetime license), the tool allows operators to spoof GPS locations, emulate specific network and software settings, mimic the settings of known Wi-Fi access points, and bypass anti-fraud filters.

Such tools could have serious security implications as they open the door to a wide spectrum of crimes such as state-sponsored attacks, corporate espionage, dark web market operations, financial fraud, anonymous distribution of malware and even access to geo-tagged content.

“The ease of access to GEOBOX raises significant concerns within the cybersecurity community regarding its potential for widespread adoption among various threat actors,” Resecurity said.
