Visa clients targeted by a new variant of JSOutProx malware

April 12, 2024
Tags: Visa, JSOutProx, Malware, Financial Institutions, RAT

Visa has published a warning about numerous detections of a new variant of the JSOutProx malware. According to the reports, the new variant now targets financial organisations and Visa clients.

Recipients of the alert, issued by Visa's Payment Fraud Disruption (PFD) unit, include card issuers, processors, and acquirers. The campaign is reportedly a new phishing operation that has been deploying the remote access trojan since March 27, 2024.

The attacks observed so far have targeted financial institutions in South and Southeast Asia, the Middle East, and Africa.


The JSOutProx malware is a RAT that emerged in 2019.


The JSOutProx malware functions as a remote access trojan (RAT). It uses heavily obfuscated JavaScript as a backdoor that lets its operators run shell commands, download additional payloads, execute files, capture screenshots, establish persistence on the infected device, and control keyboard and mouse input remotely.

Although the primary objective of the new campaign is still unknown, Visa's alert notes that the operators have previously targeted financial institutions to carry out fraud.

Separate research has detailed the inner workings of the JSOutProx phishing operation. It notes that the operators have refined the latest version to improve evasion, most visibly by moving payload hosting to GitLab.

The observed attacks on banking customers use fake financial notifications sent by email in the name of legitimate institutions, presenting recipients with bogus SWIFT or MoneyGram payment alerts.

Attached to these emails are ZIP archives containing .js files that, when executed, retrieve the JSOutProx payload from a GitLab repository. The first stage of the payload supports a basic set of commands that gives the attackers initial control of the host.

The second stage loads additional plugins that substantially extend the malware's capabilities: manipulation of internet traffic, theft of clipboard contents, alteration of DNS and proxy settings, modification of system access, and theft of one-time passwords to bypass 2FA protections.
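The delivery chain above, a ZIP attachment carrying an obfuscated .js loader, is something a mail gateway can screen for. The following is an added illustration, not code from the article or from any vendor: it opens a ZIP attachment, picks out Windows Script Host file types (including double extensions such as `advice.pdf.js`), and scores each script on hex/unicode escape density and decode-and-run calls. The thresholds, the sample ZIP and its contents are all constructed for the demonstration.

```python
import io
import re
import zipfile

# Extensions the Windows Script Host runs on double-click; the lure
# described above ships a .js file inside a ZIP attachment.
SCRIPT_EXTENSIONS = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Hex/unicode escapes are a common way a loader hides strings such as
# the URL it fetches its next stage from.
ESCAPE_RE = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
# Calls that typically decode and then execute hidden code.
SUSPICIOUS_CALLS = ("eval(", "unescape(", "String.fromCharCode(", "ActiveXObject(")


def triage_zip_attachment(zip_bytes, escape_ratio=0.2):
    """Map each script member of a ZIP attachment to a verdict.

    'block'  : heavily escaped, or several decode-and-run calls
    'review' : a script, but no strong obfuscation signal
    Non-script members are ignored. Thresholds are illustrative.
    """
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # endswith() also catches double extensions like 'advice.pdf.js'
            if not info.filename.lower().endswith(SCRIPT_EXTENSIONS):
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            escaped = sum(len(m.group()) for m in ESCAPE_RE.finditer(text))
            calls = sum(text.count(c) for c in SUSPICIOUS_CALLS)
            heavy = escaped / max(len(text), 1) >= escape_ratio or calls >= 2
            verdicts[info.filename] = "block" if heavy else "review"
    return verdicts


def build_sample_attachment():
    """Constructed, harmless sample: a ZIP shaped like the payment-notice
    lure, holding an escaped .js stub, a plain .js file and a text file.
    It is not a real JSOutProx loader."""
    escaped_js = ('var s = "\\x48\\x65\\x6c\\x6c\\x6f";\n'
                  'eval(unescape("%48%69"));\n')
    plain_js = 'console.log("hello");\n'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SWIFT_Payment_Advice.pdf.js", escaped_js)
        zf.writestr("readme.txt", "not a script")
        zf.writestr("helper.js", plain_js)
    return buf.getvalue()
```

Running `triage_zip_attachment(build_sample_attachment())` blocks the escaped stub and flags the plain script for review; the text file is ignored.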

Although researchers attributed JSOutProx to a threat actor dubbed 'Solar Spider' earlier this year, there is not yet enough evidence to attribute the latest campaign. Visa cardholders and financial institutions should therefore strengthen their defences and educate their clients about these campaigns to avoid data theft, fraud, and scams.
