Cybersecurity researchers have uncovered a new iteration of the JSOutProx malware, a sophisticated attack tool designed to target financial organizations across the Asia-Pacific (APAC) and Middle East-North Africa (MENA) regions.
First identified in 2019, JSOutProx combines JavaScript and .NET functionalities to infiltrate systems. This malware exploits the .NET (de)serialization feature to communicate with a JavaScript module on the victim’s machine, enabling the execution of various malicious activities.
Notably, a surge in JSOutProx activity was detected by the Resecurity team on February 8 2024, coinciding with a reported incident at a major Saudi Arabian system integrator targeting a regional bank’s customers.
Victims were lured via phishing emails impersonating legitimate entities, such as using a fake SWIFT payment notification. Resecurity assisted in retrieving malicious code artifacts and identifying the attack vectors.
According to an advisory published by the cybersecurity firm on Wednesday, most of the malicious payloads were hosted on GitHub repositories, with some first reported by independent researchers in November 2023. The malware’s creators, Solar Spider, is now employing masquerading techniques that disguise code as PDF files (instead of JS code).
Resecurity’s recent findings also indicate a shift to using GitLab instead of GitHub in the malware’s infection chain, with actors registering accounts to deploy repositories containing malicious payloads. The malware’s modular architecture allows it to execute various commands, including capturing screenshots and controlling system files.
The latest campaign also targeted government and financial institutions across multiple countries, suggesting a sophisticated operation with geopolitical implications. With the malware’s increasing sophistication and continuous development, there’s moderate confidence that it may originate from or have affiliations with actors in China.
Resecurity said its team has actively disrupted these campaigns, collaborating with platform operators to take down command-and-control (C2) servers. Despite efforts to thwart these attacks, JSOutProx remains a persistent and evolving threat.
“The discovery of the new version of JSOutProx, coupled with the exploitation of platforms like GitHub and GitLab, emphasizes these malicious actors’ relentless efforts and sophisticated consistency,” reads the advisory.
“This year, in a worrying expansion of scope, these threat actors have broadened their horizons in the MENA region, intensifying their cybercriminal footprint.”
The research findings and indicators of compromise associated with the recent JSOutProx campaigns underscore the urgency for enhanced cybersecurity measures and collaborative efforts to combat evolving cyber-threats effectively.
Image credit: rafapress / Shutterstock.com