Pierluigi Paganini
April 03, 2024
Resecurity has detected a new version of JSOutProx, which is targeting financial services and organizations in the APAC and MENA regions. JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET. It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim’s machine. Once executed, the malware enables the framework to load various plugins, which conduct additional malicious activities on the target. This malware was first identified in 2019 and was initially attributed to SOLAR SPIDER’s phishing campaigns, which delivered the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia, and Southeast Asia.
The spike in this activity was identified around February 8, 2024, when a major system integrator based in the Kingdom of Saudi Arabia reported an incident targeting customers of one of their major banks in the region. Resecurity assisted multiple victims in acquiring relevant malicious code artifacts as a result of Digital Forensics & Incident Response (DFIR) engagement and helped recover the payload. In the most recent episode on April 2, 2024, multiple banking customers were targeted through an impersonation attack. The actors employed a fake SWIFT payment notification (for enterprise customers) and a Moneygram template (for private customers), using misleading notifications to confuse victims and execute malicious code.
The discovery of the new version of JSOutProx, coupled with the exploitation of platforms like GitHub and GitLab, emphasizes the relentless efforts and sophisticated consistency of these malicious actors. Marking its 5-year anniversary, JSOutProx continues to be a significant and evolving threat, especially to customers of financial institutions. In a worrying expansion of scope, this year has seen these threat actors broaden their horizons to the MENA region, thereby intensifying their cybercriminal footprint. As these threats escalate in complexity and reach, Resecurity remains vigilant in its pursuit to track JSOutProx and safeguard financial institutions and their customers globally from such nefarious activities.
Additional technical details are available in the report published by Resecurity:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Linux)
