Cybersecurity

Cyber Threats Targeting Financial Institutions in APAC and MENA

A new wave of cyber threats targeting financial institutions in the Asia-Pacific, Middle East, and North Africa regions involves the JSOutProx malware. This malware utilizes JavaScript and .NET to carry out sophisticated attacks. Early attacks distributing it have been linked to the threat actor Solar Spider, and the most recent campaigns, documented by the security firm Resecurity, rely on fake payment notifications and phishing lures.

At a glance

  • JSOutProx cyber threat targeting financial institutions in APAC and MENA regions.
  • Utilizes JavaScript and .NET for attacks; first identified by Yoroi in December 2019.
  • Recent attacks by Solar Spider targeting employees of small finance banks in India.
  • JSOutProx is a fully functional Remote Access Trojan with various plugins for data exfiltration.
  • Malware capabilities include harvesting sensitive information, manipulating proxy settings, and accessing Microsoft Outlook details.

The details

A new wave of cyber threats targets financial institutions in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) regions through a sophisticated attack framework known as JSOutProx.

This evolving threat, first identified in December 2019 by Yoroi, utilizes a combination of JavaScript and .NET to carry out attacks.

The early attacks distributing JSOutProx have been linked to a threat actor named Solar Spider.

Recent Attacks

Recent attacks detailed by Quick Heal Security Labs have shown that the malware is being used to target employees of small finance banks in India.

The attack chains involve spear-phishing emails with malicious JavaScript attachments disguised as PDFs and ZIP archives containing rogue HTA files, which deploy the heavily obfuscated implant.

JSOutProx is a fully functional Remote Access Trojan (RAT) implemented in JavaScript, with various plugins for data exfiltration, file system operations, and offensive capabilities.

Malware Capabilities

The malware can harvest a wide range of sensitive information, manipulate proxy settings, capture clipboard content, access Microsoft Outlook account details, and gather one-time passwords from Symantec VIP. It uses the Cookie header field for command-and-control (C2) communications.

The latest documented attacks by Resecurity involve the use of fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code.

Artifacts related to JSOutProx have been observed on GitHub and GitLab repositories, which have since been blocked and taken down.

The exact origins of the e-crime group behind the malware remain unknown.

In a separate development, an updated version of the Rhadamanthys malware is being utilized in phishing campaigns targeting the oil and gas sector.

Phishing emails with a unique vehicle incident lure spoof the Federal Bureau of Transportation in a PDF, containing a malicious link leading to a ZIP archive with the stealer payload.

Rhadamanthys, written in C++, establishes connections with a command-and-control server to harvest sensitive data.

A variant of Rhadamanthys was found bundled with a leaked LockBit payload, clipper malware, and a cryptocurrency miner.

Furthermore, new stealer malware families such as Sync-Scheduler and Mighty Stealer are emerging, while existing strains like StrelaStealer are evolving with improved obfuscation and anti-analysis techniques.

A malspam campaign targeting Indonesia is spreading Agent Tesla malware to steal sensitive information, with phishing campaigns also targeting Australia and the U.S., attributed to threat actors of African origin.

Additionally, research has uncovered a vulnerability in the HTTP/2 protocol related to the CONTINUATION frame that can be exploited for denial-of-service (DoS) attacks.

Dubbed the HTTP/2 CONTINUATION Flood, the vulnerability allows an attacker to send a stream of CONTINUATION frames, potentially causing an out-of-memory (OOM) crash.

Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream, making them susceptible to exploitation.

The CERT Coordination Center (CERT/CC) was informed of the issue on January 25, 2024. The vulnerability is considered more severe than the Rapid Reset attack and involves incorrect handling of HEADERS and multiple CONTINUATION frames.

Users are advised to upgrade affected software or consider temporarily disabling HTTP/2 on their servers to mitigate potential threats.
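To make the CONTINUATION Flood mechanism and its fix concrete, here is an added example in Python; it is not code from the article, from the researcher, or from any HTTP/2 project. It is a minimal frame reader that reassembles a header block from a HEADERS frame and its CONTINUATION frames and enforces a cap on the raw, still-encoded block size, which is the limit the article says many implementations lacked. The frame layout follows RFC 9113 section 4.1; the sample frames below are constructed for the example, the PADDED and PRIORITY flags are not handled (an assumption to keep the parser short), and the 16 KiB cap is an arbitrary value chosen here.

```python
"""Reassemble HTTP/2 header blocks and cap their size.

Added example (not from the article or any project). Frame layout per
RFC 9113 section 4.1; PADDED/PRIORITY handling omitted by assumption.
"""
import struct

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_CONTINUATION = 0x9
FLAG_END_HEADERS = 0x4


class ProtocolError(Exception):
    """Frame sequence violates RFC 9113; the connection must be closed."""


class HeaderBlockTooLarge(ProtocolError):
    """Accumulated header block exceeded the configured cap."""


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload too large for a single frame")
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data: bytes):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    off = 0
    while off < len(data):
        if len(data) - off < FRAME_HEADER_LEN:
            raise ProtocolError("truncated frame header")
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ProtocolError("truncated frame payload")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


def reassemble_header_blocks(data: bytes, max_header_block_bytes=None):
    """Return (completed_blocks, pending_bytes).

    completed_blocks is a list of (stream_id, raw_header_block) for every
    block that reached END_HEADERS; pending_bytes is how much is still
    buffered for an unfinished block when the input ends.

    max_header_block_bytes=None reproduces the weak behaviour: the buffer
    grows with every CONTINUATION frame for as long as END_HEADERS is
    absent. With a cap, the block is rejected as soon as the raw size
    exceeds it, before any HPACK decoding happens.
    """
    blocks = []
    open_stream = None          # stream whose header block is being assembled
    buf = bytearray()
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == TYPE_HEADERS:
            if open_stream is not None:
                raise ProtocolError("HEADERS while another header block is open")
            open_stream, buf = sid, bytearray(payload)
        elif ftype == TYPE_CONTINUATION:
            if open_stream is None or sid != open_stream:
                raise ProtocolError("CONTINUATION without a matching open HEADERS")
            buf.extend(payload)
        else:
            if open_stream is not None:
                raise ProtocolError("frame interleaved inside a header block")
            continue
        if max_header_block_bytes is not None and len(buf) > max_header_block_bytes:
            raise HeaderBlockTooLarge(
                f"header block on stream {sid} exceeds {max_header_block_bytes} bytes")
        if flags & FLAG_END_HEADERS:
            blocks.append((open_stream, bytes(buf)))
            open_stream, buf = None, bytearray()
    return blocks, len(buf)


def is_rejected(data: bytes, max_header_block_bytes=None) -> bool:
    """True if the reassembler refuses the input with a ProtocolError."""
    try:
        reassemble_header_blocks(data, max_header_block_bytes)
        return False
    except ProtocolError:
        return True


# Constructed sample traffic (not captured from any real incident).
# Benign: one header block split across HEADERS and a single CONTINUATION.
BENIGN = (build_frame(TYPE_HEADERS, 0x0, 1, b"\x82\x86")                        # opaque HPACK bytes
          + build_frame(TYPE_CONTINUATION, FLAG_END_HEADERS, 1, b"\x84\x41\x8a"))  # rest, ends block
# Open-ended: HEADERS followed by CONTINUATION frames that never set
# END_HEADERS, the pattern the article describes. 50 x 1 KiB keeps it small.
OPEN_ENDED = build_frame(TYPE_HEADERS, 0x0, 3, b"\x82") + b"".join(
    build_frame(TYPE_CONTINUATION, 0x0, 3, b"\x00" * 1024) for _ in range(50))
CAP = 16 * 1024   # arbitrary cap chosen for this example


def demo() -> dict:
    """Run both inputs through the unbounded and the capped reassembler."""
    benign_blocks, _ = reassemble_header_blocks(BENIGN, CAP)
    _, unbounded_pending = reassemble_header_blocks(OPEN_ENDED)   # weak: buffers everything
    return {"benign_blocks": len(benign_blocks),
            "unbounded_buffered": unbounded_pending,
            "capped_rejected": is_rejected(OPEN_ENDED, CAP)}


if __name__ == "__main__":
    print(demo())
```

The cap is applied to the raw bytes of the block as they arrive, which is where the memory is actually consumed; a limit that only takes effect after HPACK decoding (such as the advisory SETTINGS_MAX_HEADER_LIST_SIZE, which concerns the decoded field list) does not bound this buffer, so a server needs a separate check at the frame layer, as above.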

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

thehackernews.com
– Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) are being targeted by a new version of an evolving threat called JSOutProx
– JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET
– First identified in December 2019 by Yoroi, early attacks distributing JSOutProx have been attributed to a threat actor tracked as Solar Spider
– Quick Heal Security Labs detailed attacks leveraging the remote access trojan (RAT) to single out employees of small finance banks from India
– Attack chains leverage spear-phishing emails bearing malicious JavaScript attachments masquerading as PDFs and ZIP archives containing rogue HTA files to deploy the heavily obfuscated implant
– JSOutProx has various plugins to perform operations such as exfiltration of data, performing file system operations, and offensive capabilities
– The malware can harvest information, control proxy settings, capture clipboard content, access Microsoft Outlook account details, and gather one-time passwords from Symantec VIP
– JSOutProx uses the Cookie header field for command-and-control (C2) communications
– JSOutProx is a fully functional RAT implemented in JavaScript
– The latest set of attacks documented by Resecurity entails using fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code
– Artifacts have been observed hosted on GitHub and GitLab repositories, which have since been blocked and taken down
– The exact origins of the e-crime group behind the malware are presently unknown
– Cyber criminals are promoting on the dark web new software called GEOBOX that repurposes Raspberry Pi devices for conducting fraud and anonymization
– GEOBOX allows operators to spoof GPS locations, emulate specific network and software settings, mimic settings of known Wi-Fi access points, and bypass anti-fraud filters
– GEOBOX raises significant concerns within the cybersecurity community about its potential for widespread adoption among various threat actors.
thehackernews.com
– An updated version of Rhadamanthys malware is being used in phishing campaigns targeting the oil and gas sector
– Phishing emails use a unique vehicle incident lure and spoof the Federal Bureau of Transportation in a PDF
– The email contains a malicious link that leads to a ZIP archive with the stealer payload
– Rhadamanthys is written in C++ and establishes connections with a command-and-control server to harvest sensitive data
– A Rhadamanthys variant was bundled with a leaked LockBit payload, clipper malware, and cryptocurrency miner
– New stealer malware families like Sync-Scheduler and Mighty Stealer are emerging
– Existing strains like StrelaStealer are evolving with improved obfuscation and anti-analysis techniques
– A malspam campaign targeting Indonesia is spreading Agent Tesla malware to steal sensitive information
– Agent Tesla phishing campaigns have targeted Australia and the U.S., attributed to two African-origin threat actors
– The Agent Tesla malware is distributed via attack chains secured by the Cassandra Protector
– Messages are sent via an open-source webmail tool called RoundCube
– Check Point noted that conducting cyber crime operations with these malware families does not require advanced technical knowledge
– The low-entry level threshold allows anyone to conduct cyber crime operations through spam campaigns.
thehackernews.com
– New research has identified that the CONTINUATION frame in the HTTP/2 protocol can be exploited for denial-of-service (DoS) attacks
– The technique has been named HTTP/2 CONTINUATION Flood by security researcher Bartek Nowotarski
– CERT Coordination Center (CERT/CC) was informed of the issue on January 25, 2024
– Many HTTP/2 implementations do not properly limit or sanitize the amount of CONTINUATION frames sent within a single stream
– An attacker can send a stream of CONTINUATION frames that may cause an out of memory (OOM) crash
– HTTP/2 uses header fields within requests and responses, which can be serialized and broken into header blocks
– The CONTINUATION frame is used to continue a sequence of header block fragments
– The last frame containing headers will have the END_HEADERS flag set
– CONTINUATION Flood is considered more severe than the Rapid Reset attack
– The vulnerability involves incorrect handling of HEADERS and multiple CONTINUATION frames
– An attacker can create a never-ending stream of headers that the HTTP/2 server needs to parse and store in memory
– Impacts of the vulnerability range from instant crashes to CPU exhaustion
– Several projects are affected by this issue
– Users are advised to upgrade affected software or consider temporarily disabling HTTP/2 on the server to mitigate potential threats
