Rewterz penetration testing services help organizations determine if a cyber attacker can gain access to their critical assets while giving them detailed insights of the overall business impact of a cyber attack.
Before Rewterz got its start, the market was in dire need of a specialized and dedicated information security company. It was nearly impossible for businesses to find a trustworthy provider that could truly cover all of their bases. We wanted to meet this need, giving companies across the globe a chance to get ahead while knowing that their data is in good hands.
Severity: High
JSOutProx is an advanced attack framework that combines JavaScript and .NET components. It uses .NET serialization to communicate with a core JavaScript file running on the victim's machine. Once the malware is executed on the victim's system, the framework can load plugins that carry out additional malicious activities.
While monitoring threat campaigns, Visa Payment Fraud Disruption (PFD) analysts discovered a new malware sample associated with a known eCrime threat group. The campaign, known as JSOutProx Malware, came to their attention on 26th July 2023.
This threat group is specifically involved in phishing campaigns, targeting financial institutions in regions like Africa, the Middle East, South Asia, and Southeast Asia. The JSOutProx RAT Malware is a highly obfuscated JavaScript backdoor that was first identified in December 2019. Notably, it possesses modular plugin capabilities, enabling it to execute various malicious actions.
The capabilities of the JSOutProx RAT Malware include running shell commands, downloading and uploading files, manipulating the file system, establishing persistence on the infected system, taking screenshots, and manipulating keyboard and mouse events.
One distinctive feature of this malware is its use of the Cookie header field for command-and-control (C2) communication. During initialization, the malware gathers several pieces of host information, joins them with the delimiter "|", hex-encodes the resulting string, and places it in the Cookie header of its C2 requests.
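As an added illustration of how a defender could hunt for this check-in pattern in proxy logs (example code written for this advisory, not part of Visa's or Rewterz's tooling), the following decodes every Cookie value that is pure hex, checks that it decodes to printable text, and flags values that split into several "|"-separated fields. The sample cookie headers are constructed, and the field layout is an assumption; real samples may differ.

```python
import binascii
import re
from typing import List, Optional

# Candidate values must be reasonably long hex; short hex IDs are common and benign.
HEX_RE = re.compile(r"^[0-9a-fA-F]{16,}$")


def decode_hex_cookie(value: str) -> Optional[str]:
    """Return the decoded text if value is even-length hex that decodes to printable ASCII."""
    if not HEX_RE.match(value) or len(value) % 2:
        return None
    try:
        raw = binascii.unhexlify(value)
    except binascii.Error:
        return None
    if not all(32 <= b < 127 for b in raw):  # random session tokens fail this
        return None
    return raw.decode("ascii")


def cookie_values(cookie_header: str):
    """Yield each value from 'a=b; c=d' style headers, or the bare value itself."""
    for part in cookie_header.split(";"):
        part = part.strip()
        if part:
            _, _, val = part.rpartition("=")  # bare value: rpartition yields ('', '', part)
            yield val.strip()


def jsoutprox_beacon_fields(cookie_header: str, min_fields: int = 3) -> Optional[List[str]]:
    """Return the '|'-separated fields if any cookie value looks like a hex-encoded check-in."""
    for val in cookie_values(cookie_header):
        text = decode_hex_cookie(val)
        if text is None:
            continue
        fields = text.split("|")
        if len(fields) >= min_fields and all(fields):
            return fields
    return None


# Constructed sample headers (not real captures); the first mimics the described beacon.
BEACON_INFO = "WIN-HOST01|user1|Windows 10|2.1"  # assumed field layout
SAMPLE_COOKIES = [
    BEACON_INFO.encode().hex(),          # hex-encoded, '|'-delimited host data
    "session=abc123; theme=dark",        # ordinary web cookies
    "sid=4f8a9c2b7e6d1a3c",              # hex token that decodes to non-printable bytes
]


def scan(cookies: List[str]) -> List[int]:
    """Return indexes of headers that match the beacon pattern."""
    return [i for i, c in enumerate(cookies) if jsoutprox_beacon_fields(c) is not None]
```

Running `scan(SAMPLE_COOKIES)` flags only the first header; a hit should be treated as a lead for triage, since any application that hex-encodes pipe-delimited text in a cookie would match too.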
Overall, this discovery highlights the ongoing sophistication and adaptability of eCrime threat groups, particularly in the context of targeting financial institutions across multiple regions. The use of highly obfuscated JavaScript backdoors and unique communication methods further demonstrates the need for heightened vigilance and cybersecurity measures in the payments ecosystem to counter such threats effectively.
Financial institutions in the targeted regions are at significant risk of compromise because of JSOutProx's capabilities and adaptability. Its obfuscation and stealthy execution make it hard to detect and mitigate, allowing threat actors to conduct extended espionage campaigns against victims.
The JSOutProx threat underscores the ongoing evolution of eCrime threat groups and their ability to target financial institutions across diverse regions. By adopting proactive security measures and maintaining a high level of vigilance, organizations can effectively defend against this sophisticated malware and reduce the risk of compromise in the payments ecosystem.