Solar Spider targets Saudi Arabian banks via new malware

The sophisticated threat group behind a complex JavaScript remote access Trojan (RAT) known as JSOutProx has released a new version of the malware to target organizations in the Middle East.

Cyber security services firm Resecurity has analyzed the technical details of several incidents involving the JSOutProx malware, which targets financial customers and uses a fake SWIFT payment notification as a lure when the target is a business, or a fake MoneyGram template when the target is a private citizen, the company wrote in a report released this week. The threat group has targeted government organizations in India and Taiwan, as well as financial organizations in the Philippines, Laos, Singapore, Malaysia, India, and now Saudi Arabia.

The latest version of JSOutProx is a very flexible and well-organized program from a development perspective, allowing attackers to customize its functionality for the victim’s specific environment, says Gene Yoo, CEO of Resecurity.

“This is a multi-stage malware implant with multiple plug-ins,” he says. “Depending on the victim’s environment, it enters directly and then bleeds them dry or poisons the environment, depending on which plugins are enabled.”

The attacks are the latest campaign by a cybercriminal group known as Solar Spider, which appears to be the only group using the JSOutProx malware. Based on the group's targeting, typically organizations in India but also in the Asia-Pacific, Africa and Middle East regions, the group is probably linked to China, Resecurity said in its analysis.

“By defining the targets and some details we got in the infrastructure, we suspect that it is linked to China,” says Yoo.

“Highly Obfuscated… Modular Plugin”

JSOutProx is well known in the financial industry. Visa, for example, documented campaigns using the attack tool in 2023, including one against several banks in the Asia-Pacific region, the company said in its semi-annual threat report released in December.

“The Remote Access Trojan (RAT) is a highly obfuscated JavaScript backdoor, which has modular plugin functionality, can execute shell commands, download, upload and execute files, manipulate the file system, establish persistence, take screenshots, and manipulate keyboard and mouse events,” Visa said in its report. “These unique characteristics allow the malware to evade detection by security systems and obtain a variety of sensitive financial and payment information from targeted financial institutions.”

JSOutProx typically arrives inside a zip archive as a file that looks like a PDF of a financial document, but is actually JavaScript that executes when the victim opens it. The first stage of the attack collects system information and communicates with obfuscated command-and-control servers reached via dynamic DNS. The second stage downloads any of approximately 14 plugins to conduct further attacks, including accessing the user's Outlook and contact list and enabling or disabling proxies on the system.
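As an added illustration (not code from the article, Resecurity or Visa), the following Python script checks a zip attachment for the delivery pattern described above: a script file carrying a document-style double extension such as `.pdf.js`, which Windows displays as `.pdf` when known extensions are hidden, or a `.pdf` entry that lacks the `%PDF` header. The extension lists and the sample archive are constructed for this example; the file names are illustrative and not taken from any real JSOutProx sample.

```python
import io
import zipfile

# Extensions that Windows Script Host or the shell will execute on double-click.
# Constructed list for this example; extend it for your environment.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".hta", ".vbs", ".vbe"}

# Document extensions attackers use as the decoy half of a double extension
# ("Invoice.pdf.js" shows as "Invoice.pdf" when Windows hides known extensions).
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def inspect_entry(name, head):
    """Classify one archive entry from its filename and its first bytes.

    Returns a short reason string when the entry looks like a script posing as
    a document, or None when nothing stands out.
    """
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in SCRIPT_EXTENSIONS:
        if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
            return "script with document decoy extension"
        return "script file in archive"
    # A genuine PDF starts with the %PDF header; a .pdf entry without it is
    # something else wearing a document extension.
    if ext == ".pdf" and not head.startswith(b"%PDF"):
        return "pdf extension without PDF header"
    return None


def scan_zip_bytes(data):
    """Scan an in-memory zip archive and return [(entry name, reason), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            reason = inspect_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive():
    """Constructed sample archive for this example; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Looks like a payment advice PDF in Explorer, is actually JavaScript.
        zf.writestr("SWIFT_Payment_Advice.pdf.js", "// placeholder script, does nothing\n")
        # Plain script with no decoy extension.
        zf.writestr("MoneyGram_Receipt.js", "// placeholder script, does nothing\n")
        # Real-looking PDF and a benign text file; both should pass.
        zf.writestr("statement.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("readme.txt", "benign")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_zip_bytes(build_sample_archive()):
        print(f"{entry}: {reason}")
```

The check is deliberately name- and header-based so it can run at a mail gateway before any content is opened; it does not attempt to deobfuscate the script itself, and a script renamed to a non-script extension would pass it, so treat it as one layer alongside attachment blocking and user training rather than a complete detector.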

The RAT downloads plugins from GitHub – or, more recently, GitLab – to appear legitimate.

“The discovery of the new version of JSOutProx, along with the exploitation of platforms like GitHub and GitLab, highlights the relentless efforts and sophisticated consistency of these malicious actors,” Resecurity said in its analysis.

Monetization of Middle East financial data

Once Solar Spider compromises a user, attackers collect information, such as primary account numbers and user credentials, and then conduct a series of malicious actions against the victim, according to Visa’s threat report.

“The JSOutProx malware poses a serious threat to financial institutions around the world, and particularly those in the AP region as such entities have been targeted most frequently by this malware,” the Visa report states.

Companies should train employees on how to handle unsolicited and suspicious correspondence to mitigate the malware threat, Visa said. Furthermore, any instances of the malware must be thoroughly investigated and resolved to prevent reinfection.

Larger companies and government agencies are more likely to be attacked by the group because Solar Spider has its sights set on the most successful companies, says Resecurity's Yoo. In most cases, however, companies do not need to take threat-specific measures but should instead focus on defense-in-depth strategies, he says.

“The user should focus not on looking at the shiny object in the sky, like the Chinese are attacking, but on what he needs to do is create a better base,” says Yoo. “Have good patching, network segmentation, and vulnerability management. If you do that, none of that would likely impact your users.”
