Friday, April 5, 2024

Visa Warns of Rising Threat from New JsOutProx Malware Targeting Financial Institutions

Visa has issued a warning regarding a surge in detections of a new variant of the JsOutProx malware, posing a significant threat to financial institutions and their customers.


According to a security alert from Visa's Payment Fraud Disruption (PFD) unit, distributed to card issuers, processors, and acquirers, the company became aware of a fresh phishing campaign distributing the remote access trojan on March 27, 2024. This campaign specifically targeted financial institutions across South and Southeast Asia, the Middle East, and Africa.


JsOutProx, initially encountered in December 2019, is a highly obfuscated JavaScript backdoor and remote access trojan (RAT). It enables threat actors to execute shell commands, download additional payloads, capture screenshots, establish persistence on infected devices, and manipulate keyboard and mouse controls.



While Visa's Payment Fraud Disruption unit could not ascertain the exact objectives of the recent malware campaign, it's suspected that the eCrime group behind it may have previously targeted financial institutions for fraudulent activities.


The security alert shares indicators of compromise (IoCs) linked to the latest campaign and advises several mitigation measures, including enhancing awareness of phishing risks, implementing secure acceptance technologies, securing remote access, and monitoring for suspicious transactions.


A related report by Resecurity provides further insights into the JSOutProx phishing operation, noting that the malware's latest version utilizes GitLab to host its payloads. In attacks against banking customers, malicious actors send fabricated financial notifications via email, impersonating legitimate institutions and presenting recipients with fake SWIFT or MoneyGram payment notifications.


These emails contain ZIP archives holding .js files. On Windows a double-clicked .js file is run by Windows Script Host, so when a recipient opens the attachment the script executes and downloads the malicious JSOutProx payloads from a GitLab repository.
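As an added example (not code from the article, Visa, or Resecurity), the check below inspects a ZIP email attachment in memory and flags the delivery pattern just described: a script file inside the archive, optionally referencing a GitLab-hosted download. The sample archives are constructed inline; the member names, the GitLab URL, and the list of extra script extensions beyond .js are assumptions for illustration, not indicators from the campaign.

```python
import io
import re
import zipfile

# Extensions Windows Script Host runs on double-click. ".js" is the one the
# reported campaign used; the others are assumed neighbours worth covering.
SCRIPT_EXTENSIONS = (".js", ".jse", ".wsf", ".vbs", ".vbe")

# Assumed pattern for a payload fetched from gitlab.com; the campaign's real
# URLs are not reproduced here.
GITLAB_URL_RE = re.compile(rb"https?://gitlab\.com/[^\s'\"]+", re.IGNORECASE)

# Upper bound on how much of each script we read, so a large obfuscated
# dropper cannot exhaust memory in the scanner.
MAX_SCRIPT_BYTES = 1_000_000


def scan_zip_attachment(data: bytes) -> dict:
    """Report script members and any gitlab.com URLs found inside a ZIP blob."""
    findings = {"script_members": [], "gitlab_urls": [], "suspicious": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        findings["error"] = "not a zip archive"
        return findings

    for info in archive.infolist():
        # Windows matches extensions case-insensitively; so does this check.
        # A double extension such as "notice.pdf.js" still ends in ".js".
        if not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
            continue
        findings["script_members"].append(info.filename)
        with archive.open(info) as fh:
            head = fh.read(MAX_SCRIPT_BYTES)
        for url in GITLAB_URL_RE.findall(head):
            findings["gitlab_urls"].append(url.decode("ascii", "replace"))

    findings["suspicious"] = bool(findings["script_members"])
    return findings


def build_sample_zip(members: dict) -> bytes:
    """Build a ZIP in memory; used only to construct demo inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed lure: a .js dropper that fetches a next stage from an assumed
# GitLab URL, named to look like a payment notification.
LURE_ZIP = build_sample_zip({
    "SWIFT_Payment_Notification.pdf.js":
        b'var u="https://gitlab.com/example/project/-/raw/main/stage2.txt";',
})

# Constructed benign archive with no script members.
BENIGN_ZIP = build_sample_zip({"invoice.pdf": b"%PDF-1.4 ..."})

if __name__ == "__main__":
    for label, blob in (("lure", LURE_ZIP), ("benign", BENIGN_ZIP)):
        print(label, scan_zip_attachment(blob))
```

The scanner reads the archive directory rather than extracting to disk, bounds how much of each script it reads, and treats the presence of any script member as grounds to quarantine; the GitLab URL match is extra context for the analyst, not a precondition for the verdict, since the hosting location can change between campaigns.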


The JSOutProx implant's capabilities range from basic functionalities in the first stage to more advanced features in the second stage. These include adjusting proxy settings, stealing sensitive data like passwords, modifying registry settings, and bypassing two-factor authentication protections.


Resecurity suggests that while early operations of JSOutProx were attributed to a threat actor known as 'Solar Spider,' the recent campaign lacks definitive attribution. However, based on the attacks' sophistication and target profiles, analysts estimate with moderate confidence that JSOutProx is operated by Chinese or China-affiliated threat actors.


This warning underscores the critical need for heightened cybersecurity measures, particularly within the financial sector, to combat evolving threats like JsOutProx and safeguard sensitive information from malicious actors.
