Rewterz Threat Alert – Latest Update Regarding JSOutProx Malware and Its Impact on Financial Institutions – Active IOCs

Severity

High

Analysis Summary

JSOutProx is an advanced attack framework that combines both JavaScript and .NET components. Its operation involves leveraging the .NET serialization feature to communicate with a core JavaScript file running on the victim’s machine. When the malware is executed on the victim’s system, the framework gains the ability to load various plugins that execute additional malicious activities.

Recently, in the context of monitoring threat campaigns related to the payments fraud disruptions, Visa PFD experts discovered a new malware sample associated with a known eCrime threat group. The campaign, known as JSOutProx Malware, came to their attention on 29 September 2023. They first became aware of a similar campaign on July 26, 2023.

This threat group is specifically involved in phishing campaigns, targeting financial institutions in regions like Africa, the Middle East, South Asia, and Southeast Asia. The JSOutProx RAT Malware is a highly obfuscated JavaScript backdoor that was first identified in December 2019. Notably, it possesses modular plugin capabilities, enabling it to execute various malicious actions.

The capabilities of the JSOutProx RAT Malware include running shell commands, downloading and uploading files, manipulating the file system, establishing persistence on the infected system, taking screenshots, and manipulating keyboard and mouse events.

One distinct feature of this malware is its utilization of the Cookie header field during its command-and-control (C2) communication. During the initialization process, the malware gathers different types of information, which are then separated by the delimiter “|”, concatenated, hex encoded, and set within the Cookie header field.

Overall, this discovery highlights the ongoing sophistication and adaptability of eCrime threat groups, particularly in the context of targeting financial institutions across multiple regions. The use of highly obfuscated JavaScript backdoors and unique communication methods further demonstrates the need for heightened vigilance and cybersecurity measures in the payments ecosystem to counter such threats effectively.

Financial institutions in targeted regions are at significant risk of compromise due to JSOutProx’s advanced capabilities and adaptability. The malware’s stealthy execution and obfuscation make it difficult to detect and mitigate, allowing threat actors to conduct extended espionage campaigns against victims.

The JSOutProx threat underscores the ongoing evolution of eCrime threat groups and their ability to target financial institutions across diverse regions. By adopting proactive security measures and maintaining a high level of vigilance, organizations can effectively defend against this sophisticated malware and reduce the risk of compromise in the payments ecosystem.

Note: The report’s indicators of compromise are sourced from a regulatory body.

Impact

• Sensitive Information Theft
• Financial Loss
• Remote Access

Indicators of Compromise

IP

79.134.225.55

Domain Name

dhomniyouhddamager.ddns.net

MD5

• 35d385cbcdbdafe27c371d650886a057
• 366d35c14d9b4950e35e8c7b9a27c7e5
• f42394c9c119d04558ff1a3d3bafe138
• 7d23a33be90d25579c1ff073b268ebd4
• b2e4b4573c0e56ecfd088bba1b22d86e

SHA-256

• 89222a24f65aaf006997da5ba22a23bce23eb4042a7edb7b7c09e33badaa2a5f
• ad1b43d87ef85b197882dbbce6fddccc95c3696e32e6cae18891fc4f70804d7a
• 5b8a22a04f4b975d0ed0c41fd11f681aff14bae4df1cfb9ae71338a865edc1df
• a5f933ed73ea2ba4b84f448e1609c148c62dde461c46fbffddbd3ef58ca445c3
• cee55e0b059f5dba852a70cd20430c1f194ab4596db3516251a3ad40143dd966

SHA-1

• 173f7265ff37591d067049759c983be342f10380
• 22f454da20e874e8eb6ff424ade89f165d179dcf
• ac1d7a772f513b6e587fba970e36c8f3f24c8719
• b8fc841a193ec16ca3322a507d8dab6fe5ce4b95
• 498d4d3800cf17b9377a0968eaab8711d5b6284a

URL

• https://github.com/fctza/remittance/raw/main/TT_REF_09262023_jpg.zip
• https://github.com/fctza/remittance/blob/main/transfast_receipt_jpg.zip
• https://raw.githubusercontent.com/fctza/remittance/main/SWIFT_MT103_pdf.zip
• https://github.com/fctza/remittance/raw/main/SWIFT_MT103_pdf.zip

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls
• Educate all employees about the risks of phishing emails and unsolicited, suspicious correspondence. Train them on best practices for identifying and handling potential threats.
• Ensure that remote access is well-protected with strong passwords and restricted to authorized individuals only. Employ two-factor authentication to add an extra layer of security for remote sessions.
• Ensure that endpoint security solutions, including antivirus and anti-malware software, are up-to-date.
• Enable EMV and other secure acceptance technologies for in-person and e-commerce payments, such as contactless, mobile payments, tokenization, 3D Secure, and QR codes.
• Provide each administrator user with unique credentials. Ensure that user accounts are granted only the necessary permissions essential for their specific job responsibilities.
• Regularly apply security patches and updates to operating systems and software to mitigate known vulnerabilities.
• Employ behavioral analysis tools to detect anomalous activities and behavior indicative of malware presence.
• Monitor network traffic for suspicious connections and establish comprehensive system and network event logging to quickly detect and respond to potential threats.
• Maintain a robust patch management program to ensure that all software and hardware firmware are up-to-date with the latest releases. Regularly update to minimize the attack surface for potential zero-day vulnerabilities.
• Maintain a robust monitoring system and a well-defined incident response plan to detect and respond promptly to potential security incidents.