A new phishing campaign targets Visa. The company is alerting users about an increase in JsOutProx malware detections, which is aimed at financial institutions and their clients.
As per BleepingComputer, in the security alert released by their Payment Fraud Disruption unit, Visa says they became aware of the campaign distributing the remote access trojan (RAT) on the 27th of March. The alert was sent to card issuers, processors, and acquirers.
The campaign targeted financial institutions in South and Southeast Asia, the Middle East, and Africa.
JsOutProx is a trojan and highly obfuscated JavaScript backdoor that allows its operators to run shell commands, download payloads, execute files, capture screenshots, establish persistence on the infected device, and control the keyboard and mouse of affected endpoints.
While PFD could not confirm the ultimate goal of the recently identified malware campaign, this eCrime group may have previously targeted financial institutions to conduct fraudulent activity.
Visa Security Alert (Source)
The alert offers indications of compromise (IoCs) pertaining to the most recent campaign and suggests a number of mitigating measures, such as educating people about the dangers of phishing, turning on secure acceptance and EMV, safeguarding remote access, and keeping an eye out for unusual transactions.
Details About the JSOutProx Operation
The newest version of the malware now uses GitLab to host its payloads. Researchers observed in the recent attacks that JSOutProx delivers fake financial notifications to its targets via email. The emails impersonate legitimate institutions.
In its first stage, JSOutProx provides a number of instructions that allow attackers to carry out fundamental tasks like upgrading the implant, controlling its sleep duration for operational discretion, running processes, and quitting the implant as required.
The second stage adds new plugins that greatly increase the scope of malicious actions that an attacker can carry out. These plugins include and can do the following:
- Set the RAT’s active communication and operations, thus avoiding detection by staying dormant;
- Alter proxy settings to manipulate traffic and evade security measures;
- Steal or change clipboard content to access sensitive data;
- Adjust DNS settings to redirect traffic, control, or disguise;
- Extract details and contact from Outlook for potential phishing attacks or malware spread;
- Bypass UAC and modify the registry;
- Automate malicious activities;
- Recover and send data from the infected system to attackers;
- Steal One-Time Passwords (OTPs) to bypass 2FA protection.
The experts think that JSOutProx is operated by Chinese or China-affiliated threat actors with a moderate degree of confidence based on the sophistication of the assaults, the profile of the targets, and their geographic location.
If you liked this piece, follow us on LinkedIn, Twitter, Facebook, and YouTube for more cybersecurity news and topics.