Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) are being targeted by a new version of an “evolving threat” called JSOutProx.
“JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET,” Resecurity said in a technical report published this week.
“It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim’s machine. Once executed, the malware enables the framework to load various plugins, which conduct additional malicious activities on the target.”
First identified in December 2019 by Yoroi, early attacks distributing JSOutProx have been attributed to a threat actor tracked as Solar Spider. The operations track record of striking banks and other big companies in Asia and Europe.
In late 2021, Quick Heal Security Labs detailed attacks leveraging the remote access trojan (RAT) to single out employees of small finance banks from India. Other campaign waves have taken aim at Indian government establishments as far back as April 2020.
The artifacts have been observed hosted on GitHub and GitLab repositories, which have since been blocked and taken down.
“Once the malicious code has been successfully delivered, the actor removes the repository and creates a new one,” the cybersecurity company said. “This tactic is likely related to the actor uses to manage multiple malicious payloads and differentiate targets.”
The development comes as cyber criminals are promoting on the dark web new software called GEOBOX that repurposes Raspberry Pi devices for conducting fraud and anonymization.
Offered for only $80 per month (or $700 for a lifetime license), the tool allows the operators to spoof GPS locations, emulate specific network and software settings, mimic settings of known Wi-Fi access points, as well as bypass anti-fraud filters.
Such tools could have serious security implications as they open the door to a broad spectrum of crimes like state-sponsored attacks, corporate espionage, dark web market operations, financial fraud, anonymous distribution of malware, and even access to geofenced content.
Source: https://thehackernews.com/
