New Wave of JSOutProx Malware Targets Financial Institutions in APAC and MENA

Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) regions are facing a new threat in the form of JSOutProx malware, which has been described as an “evolving threat” by a cybersecurity firm.

JSOutProx is a sophisticated attack framework that combines JavaScript and .NET technologies. It uses .NET (de)serialization to interact with a core JavaScript module on the victim’s machine. Once executed, the malware can load various plugins to carry out additional malicious activities.

Initially identified in December 2019, early attacks involving JSOutProx were attributed to a threat actor known as Solar Spider, who has targeted banks and large companies in Asia and Europe. Subsequent attacks have targeted employees of small finance banks in India and Indian government establishments.

The malware is typically distributed through spear-phishing emails containing malicious JavaScript attachments disguised as PDFs or ZIP archives containing rogue HTA files. These attachments deploy the heavily obfuscated implant, enabling the malware to perform various operations such as data exfiltration, file system operations, and offensive capabilities.

JSOutProx is also capable of harvesting a wide range of information from compromised hosts, controlling proxy settings, capturing clipboard content, accessing Microsoft Outlook account details, and retrieving one-time passwords from Symantec VIP. It uses the Cookie header field for command-and-control (C2) communications.

Recent attacks involve the use of fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code. These attacks have seen a significant increase starting February 8, 2024.

The malware artifacts have been observed hosted in GitHub and GitLab repositories, which the actors subsequently block and take down. This tactic lets the actors manage multiple malicious payloads and differentiate between targets.

While the exact origins of the group behind JSOutProx are unknown, researchers suggest that the victimology distribution of the attacks and the sophistication of the implant indicate a possible connection to China or affiliated groups.

The use of JSOutProx poses a serious threat to financial entities, as the stolen payment information can be used for fraudulent transactions or sold on underground forums for profit.

In addition to the JSOutProx malware, cybercriminals are promoting a new software called GEOBOX on the dark web. GEOBOX repurposes Raspberry Pi devices for fraud and anonymization purposes, allowing operators to spoof GPS locations, emulate specific network settings, and bypass anti-fraud filters.

This tool could have serious security implications, enabling a range of crimes such as state-sponsored attacks, corporate espionage, financial fraud, and the distribution of malware. The ease of access to GEOBOX raises concerns about its potential widespread adoption among threat actors.

To protect financial firms from the JSOutProx malware and similar threats, it’s crucial to implement multi-layered security measures. Use network segmentation to limit the spread of malware in case of a breach. Employ email filtering solutions to block phishing emails and malicious attachments. Additionally, organizations should conduct regular security audits and penetration testing to identify and address vulnerabilities.
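As an added illustration of the email-filtering layer recommended above, the Python below (written for this page, not taken from the original report or any vendor product) flags the two attachment patterns the article describes: script files wearing a document double extension such as .pdf.js, and ZIP archives that carry an HTA member. The rule set, file names and sample bytes are constructed for illustration and are not real JSOutProx artifacts.

```python
import io
import zipfile
from typing import Optional

# Hypothetical rules modelling the delivery chain described above: JavaScript
# attachments disguised as PDFs, and ZIP archives carrying HTA files.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".hta")
DISGUISE_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
ZIP_MAGIC = b"PK\x03\x04"


def script_extension(name: str) -> Optional[str]:
    """Return the script extension if the name ends with one, else None."""
    lower = name.lower()
    return next((ext for ext in SCRIPT_EXTS if lower.endswith(ext)), None)


def inspect_attachment(name: str, data: bytes) -> Optional[str]:
    """Return a reason to block this attachment, or None if nothing was found."""
    ext = script_extension(name)
    if ext:
        stem = name.lower()[: -len(ext)]
        if stem.endswith(DISGUISE_EXTS):
            return f"script disguised as a document (double extension ending in {ext})"
        return f"executable script attachment ({ext})"
    # Look inside archives, including renamed ones, by checking the ZIP signature.
    if name.lower().endswith(".zip") or data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if script_extension(member):
                        return f"archive contains script member {member}"
        except zipfile.BadZipFile:
            return "attachment claims to be a ZIP archive but cannot be parsed"
    return None


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding an HTA, like the lures described above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_Advice.hta", "<html><script>/* constructed stub */</script></html>")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample attachments; the benign PDF is expected to pass.
    sample = {"SWIFT_Notification.pdf.js": b"/* constructed stub */",
              "MoneyGram_Receipt.zip": build_sample_zip(), "invoice.pdf": b"%PDF-1.4 constructed"}
    for name, data in sample.items():
        print(name, "->", inspect_attachment(name, data) or "allowed")
```

A real gateway would also inspect nested archives and password-protected ZIPs, which this illustration does not attempt.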