JSOutProx's Phishing Operations Surge in Asia, Middle East, and Africa

A rise in the distribution of the Javascript backdoor malware named "JsOutProx" has prompted warnings from Visa, with supporting research from Resecurity highlighting the malware's targeting of financial services and organizations primarily in the APAC and MENA regions. Identified first in 2019, JsOutProx, a remote access trojan (RAT), has witnessed a notable increase in activity since February 2024. Initial links to the threat actor 'Solar Spider' were suggested, though no concrete evidence solidified this connection. Nevertheless, it is speculated that the malware may be associated with Chinese cyber espionage efforts. JsOutProx has evolved to employ deceptive techniques like double file extensions (e.g., jpg.zip, pdf.js, pdf.zip) and masquerading with crafty filenames (e.g., _pdf.hta, _xlsx.hta), targeting sectors such as government and financial services.

A security alert from Visa's Payment Fraud Disruption (PDF) unit, as detailed by BleepingComputer, has grave implications for the JSOutProx malware. The alerted phishing campaign has targeted financial institutions primarily in South and Southeast Asia, the Middle East, and Africa since March 27, 2024. JSOutProx enables a range of malicious activities, including executing shell commands, capturing screenshots, and taking control of the victim's device.

Resecurity's insights, pinpointing a surge in threat activity around February 8, 2024, were derived from numerous incident response engagements. The report specifies, "Multiple banking customers were targeted via an impersonation attack using the 'mike.will@my[.]com' email account. The actors employed a fake SWIFT payment notification (for enterprise customers) and a Moneygram template (for private customers), using misleading notifications to confuse victims and execute malicious code." Initially hosted on GitHub, newer samples of the malware have since appeared on GitLab as of March 27, 2024. Researchers note the meticulous management of these repositories, deleting old ones and creating new ones post-delivery, suggests a strategic approach to handling multiple malicious payloads and differentiating targets.

The collective reporting from Resecurity and BleepingComputer details a threat not only to the technical sophistication of JSOutProx but also to the strategic execution of its deployment. The malware's adaptation, from GitHub to GitLab for payload hosting, signifies an agile and persistent threat actor suggested to be associated with Chinese espionage efforts. The campaign's use of misleading financial notifications and deceptive obfuscation techniques indicates a well-organized effort to compromise sensitive information within financial and governmental systems.