Financial Institutions in Asia and Middle East Hit by Evolving JSOutProx Malware Campaign

The most recent malware payloads

A dangerous new wave of attacks employing a revamped version of the JSOutProx remote access trojan (RAT) is sweeping through the Asia-Pacific (APAC) and Middle East and North Africa (MENA) regions. Cybersecurity firm Resecurity has released a detailed report exposing the ongoing campaign, highlighting its advanced capabilities and the threat actor’s tactical evolution.

JSOutProx is not a newcomer to the cyber threat landscape. First identified in 2019, it was linked to SOLAR SPIDER’s phishing campaigns, primarily targeting financial institutions across Africa, the Middle East, South Asia, and Southeast Asia. This malware employs a .NET (de)serialization feature to interact with a core JavaScript module on the victim’s machine, enabling it to load various plugins that conduct additional malicious activities.


A notable shift in the malware’s operation was observed around February 8, 2024, when a system integrator in the Kingdom of Saudi Arabia reported an incident targeting customers of a major regional bank. Resecurity traced the malware’s deployment to GitLab, where the actors had registered multiple accounts to host their malicious payloads, a shift from their earlier use of GitHub. Hosting on a code-sharing platform lets them quickly delete and recreate repositories, which helps evade takedowns and detection while they manage multiple malicious payloads.

Upon execution, JSOutProx can perform a variety of malicious tasks, including executing shell commands, handling file uploads and downloads, and capturing screenshots, among others. It utilizes complex obfuscation and a modular plugin architecture to remain undetected. A distinctive feature is its use of the Cookie header field in command and control (C2) communications, making its tracking and mitigation a challenging task for cybersecurity teams.
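The report notes that JSOutProx carries its C2 traffic in the Cookie header, which blends in with ordinary web browsing. The following is an added detection example, not code from the report or from Resecurity: it runs a simple heuristic over constructed proxy log lines and flags Cookie values that either are not well-formed name=value pairs or contain a long, high-entropy value of the kind that encoded command traffic produces. The log format, the cookie contents and the thresholds (`MIN_SUSPICIOUS_LEN`, `MIN_SUSPICIOUS_ENTROPY`) are assumptions for illustration; the report does not describe the malware's actual cookie encoding.

```python
import math
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample proxy log lines (not taken from the Resecurity report).
# Assumed format: <timestamp> <src_ip> <method> <url> cookie="<Cookie header value>"
SAMPLE_LOGS = [
    '2024-02-08T10:01:02Z 10.0.0.5 GET https://intranet.example/login cookie="session=abc123; lang=en"',
    '2024-02-08T10:01:09Z 10.0.0.5 POST https://cdn.example/update cookie="id=A7x9Q2bLmN4pR8sT1uV3wX5yZ0aB2cD4eF6gH8iJ0kL2mN4oP6qR8sT0uV2w"',
    '2024-02-08T10:02:33Z 10.0.0.7 GET https://mail.example/inbox cookie="PHPSESSID=9f8e7d6c; theme=dark"',
    '2024-02-08T10:03:41Z 10.0.0.9 GET https://static.example/img.png cookie="eyJhbGciOiJIUzI1NiJ9"',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) cookie="([^"]*)"$')
PAIR_RE = re.compile(r'^[\w.\-]+=[^;]*$')  # a well-formed "name=value" cookie fragment

# Assumed thresholds for this example; tune them against your own baseline traffic.
MIN_SUSPICIOUS_LEN = 32        # values shorter than this are ignored (session ids are often short)
MIN_SUSPICIOUS_ENTROPY = 4.0   # bits per character; base64/encrypted blobs typically sit well above this


@dataclass
class Finding:
    src_ip: str
    url: str
    reason: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; high values suggest encoded or encrypted data."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def inspect_cookie(cookie: str) -> Optional[str]:
    """Return a reason string if the Cookie value looks like a covert channel, else None."""
    pairs = [p.strip() for p in cookie.split(";") if p.strip()]
    # Rule 1: every fragment should be name=value; a bare blob is not how browsers send cookies.
    for p in pairs:
        if not PAIR_RE.match(p):
            return f"cookie fragment is not a name=value pair: {p[:24]!r}"
    # Rule 2: a long, high-entropy value is consistent with encoded command traffic.
    for p in pairs:
        name, value = p.split("=", 1)
        if len(value) >= MIN_SUSPICIOUS_LEN and shannon_entropy(value) >= MIN_SUSPICIOUS_ENTROPY:
            return f"high-entropy value in cookie {name!r} ({len(value)} chars)"
    return None


def analyze(lines) -> List[Finding]:
    """Parse each log line in the assumed format and collect suspicious Cookie headers."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _ts, src_ip, _method, url, cookie = m.groups()
        reason = inspect_cookie(cookie)
        if reason:
            findings.append(Finding(src_ip, url, reason))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"{f.src_ip} -> {f.url}: {f.reason}")
```

On the constructed sample, the two ordinary sessions pass, the 60-character random-looking `id` value is flagged for entropy, and the bare base64-style blob is flagged as malformed. In practice this heuristic is a triage filter rather than a signature: pair it with the destination's reputation and with process-level telemetry on the host, because legitimate web applications occasionally set long opaque tokens as well.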

Before its recent activities in the APAC and MENA regions, JSOutProx had been implicated in targeted attacks against Indian Cooperative Banks and Finance Companies. Its sophistication and targeting of financial institutions suggest it could be the work of actors affiliated with China, given the profile of the targets and the geographic scope of past attacks.

JSOutProx has a history of targeting the Indian financial sector. This latest campaign demonstrates the malware’s ongoing evolution and its use to compromise organizations in a much broader geographical scope. It underscores the importance of constant vigilance and the need for proactive security measures to defend against such sophisticated and targeted attacks.