Novel RAT, JsOutProx, Used to Attack Asia-based Financial and Government Agencies


Monday, January 18th, 2021

FortiGuard Labs recently discovered a new malicious campaign targeting government and financial-sector organizations in Asia. The threat actors behind this campaign pose as the central bank of an Asian nation in order to persuade victims to open a compressed attachment that ultimately contains malicious JavaScript code.

The archive contains a malicious HTA (HTML Application) file which, once executed, runs heavily obfuscated JavaScript code that ultimately installs a remote access trojan. Unique to this attack is the use of JsOutProx, a fully functional JavaScript remote access trojan (RAT) first discovered in December 2019. The tactics, techniques, and procedures of the attackers behind JsOutProx indicate experienced and sophisticated threat actors: they have invested the time and effort to build the RAT and to update it regularly, making it more capable over time. The actors also run specially crafted social engineering campaigns whose spear-phishing lures use technical jargon specific to the targeted verticals. JsOutProx itself relies on heavily obfuscated code and on PowerShell to achieve its goals.
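As an added illustration of the attachment chain described above (example code, not from FortiGuard's report), the Python script below unpacks a compressed attachment, picks out HTA members, and flags obfuscation and PowerShell hand-off markers in their script blocks. The archive and its HTA are constructed in memory, and the marker list is an assumption about what such a dropper typically exhibits.

```python
"""Triage of a compressed mail attachment for the HTA-based chain above:
flag archive members that are HTA files, then look inside their <script>
blocks for obfuscation and PowerShell markers. Sample data is constructed."""
import io
import re
import zipfile

# Assumed markers of an obfuscated JS dropper: decoding helpers, dynamic
# evaluation, a COM shell object and a PowerShell launch.
MARKERS = {
    "dynamic_eval": re.compile(r"\beval\s*\(", re.I),
    "char_decoding": re.compile(r"String\.fromCharCode|unescape\s*\(", re.I),
    "shell_object": re.compile(r"ActiveXObject\s*\(\s*['\"]WScript\.Shell", re.I),
    "powershell": re.compile(r"powershell(\.exe)?\b", re.I),
}
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)


def scan_hta(text):
    """Return the sorted marker names found in the script blocks of one HTA."""
    scripts = "\n".join(SCRIPT_RE.findall(text))
    return sorted(name for name, rx in MARKERS.items() if rx.search(scripts))


def triage_archive(data):
    """Map each .hta member of a zip attachment to its matched markers.
    Non-HTA members are ignored; no .hta members gives an empty dict."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".hta"):
                body = zf.read(name).decode("utf-8", errors="replace")
                findings[name] = scan_hta(body)
    return findings


def build_sample():
    """Constructed sample: a benign text file plus an HTA whose script block
    mimics the dropper pattern (the decoded string is just 'echo')."""
    hta = ('<html><head><HTA:APPLICATION id="x"/></head><body>'
           '<script language="JScript">var s=unescape("%65%63%68%6f");'
           'var sh=new ActiveXObject("WScript.Shell");'
           'sh.Run("powershell.exe " + s);'
           '</script></body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("statement.txt", "quarterly statement attached")
        zf.writestr("Statement_Jan2021.hta", hta)
    return buf.getvalue()
```

Running `triage_archive(build_sample())` reports the HTA member with its decoding, shell-object and PowerShell markers while the text file is skipped.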

Not much is known about JsOutProx, as campaigns using the RAT have been few over the last year. First discovered by the Yoroi team in December 2019, the malware family was seen again in a campaign discovered by the Zscaler team in May 2020, which reportedly infected both government and financial institutions in India.
