Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) are under siege by a new cybersecurity threat known as JSOutProx. Resecurity, in a recent technical report, described JSOutProx as a sophisticated attack framework that combines JavaScript and .NET to carry out malicious activities on victims’ machines.
Initially discovered in December 2019 by Yoroi, JSOutProx has been linked to Solar Spider, a threat actor with a history of targeting banks and major companies in Asia and Europe. Recent attacks have focused on small finance banks in India and government establishments, using spear-phishing emails with malicious JavaScript attachments.
The malware, which acts as a remote access trojan (RAT), can exfiltrate data, manipulate files, control proxy settings, and access sensitive information like Microsoft Outlook account details and Symantec VIP passwords. A unique aspect of JSOutProx is its use of the Cookie header field for command-and-control communications.
Resecurity reported a surge in JSOutProx attacks starting February 8, 2024, with cyber criminals distributing fake payment notifications to trick recipients into executing the malicious code. The attackers have been hosting the malware on GitHub and GitLab repositories before taking them down and creating new ones to avoid detection.
While the exact origins of the e-crime group behind JSOutProx remain unknown, Resecurity believes they may have connections to China. This development coincides with the emergence of GEOBOX, a new tool on the dark web that repurposes Raspberry Pi devices for fraudulent activities.
The cybersecurity community is concerned about the widespread adoption of GEOBOX, as it could enable various threat actors to engage in state-sponsored attacks, financial fraud, and other illegal activities. The evolution of cyber threats like JSOutProx and tools like GEOBOX underscores the importance of robust cybersecurity measures for organizations in the financial sector.