April 4, 2024 at 07:03PM
Visa issued a security alert warning about increased detections of the JSOutProx malware targeting financial institutions in South and Southeast Asia, the Middle East, and Africa. The malware provides remote access to the infected host and supports a range of post-compromise actions. The alert listed indicators of compromise and recommended mitigation actions; the campaign delivered its malicious payloads, hosted on GitLab, through phishing emails. The attacks are believed to be operated by Chinese or China-affiliated threat actors.
After reviewing the alert, here are the key takeaways:
1. Visa issued a security alert warning about a new phishing campaign distributing the JSOutProx malware, targeting financial institutions in South and Southeast Asia, the Middle East, and Africa.
2. JsOutProx is a remote access trojan (RAT) and highly obfuscated JavaScript backdoor that allows its operators to run shell commands, download additional payloads, execute files, capture screenshots, establish persistence on the infected device, and control the keyboard and mouse.
3. The phishing campaign sends fabricated financial notifications to targets via emails impersonating legitimate institutions, presenting fake SWIFT or MoneyGram payment notifications. The emails carry ZIP archives containing .js files that, when executed, download the JSOutProx payloads from a GitLab repository.
4. The latest version of the malware has been reworked for better evasion and now uses GitLab to host its payloads.
5. The threat actor behind JSOutProx may have conducted fraudulent activities targeting financial institutions in the past. The campaign’s sophistication and the targeted profile suggest the involvement of Chinese or China-affiliated threat actors.
6. Visa’s alert provides indicators of compromise (IoCs) related to the latest campaign and recommends several mitigation actions, including raising awareness about phishing risks, enabling EMV and secure acceptance technologies, securing remote access, and monitoring for suspicious transactions.
These takeaways summarize the security alert issued by Visa: the JSOutProx phishing campaign, how it operates, and the recommended mitigations.
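The delivery chain described in takeaway 3 (a ZIP attachment carrying a .js file that double-click runs through Windows Script Host) is something a mail gateway or triage script can flag before a user ever opens it. The following is an added example, not code from Visa's alert or from the page; it builds a constructed ZIP in memory (not a real JSOutProx artefact) and inspects its member names for script extensions and for double extensions such as `.pdf.js` that disguise a script as a document. The page mentions only .js; the other Windows Script Host extensions in the set are an assumption added for broader coverage.

```python
"""Flag ZIP attachments that carry script files, as in the JSOutProx delivery chain."""
import io
import zipfile
from dataclasses import dataclass

# Extensions that Windows Script Host executes on double-click. The page
# mentions only .js; the others are an assumption added for broader coverage.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}


@dataclass
class Finding:
    member: str   # archive member name that triggered the finding
    reason: str   # human-readable explanation for the triage analyst


def inspect_zip_attachment(data: bytes) -> list[Finding]:
    """Return one Finding per suspicious member; an empty list means nothing flagged."""
    findings: list[Finding] = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # A mangled archive is itself worth a look, so report it rather than pass silently.
        return [Finding("<archive>", "not a valid ZIP archive")]

    for info in archive.infolist():
        if info.is_dir():
            continue
        # Only the final path component matters for the extension check.
        name = info.filename.rsplit("/", 1)[-1].lower()
        parts = name.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext in SCRIPT_EXTENSIONS:
            reason = f"script file ({ext})"
            if len(parts) > 2:
                # e.g. notification.pdf.js: the inner extension is the lure.
                reason += f", double extension disguises it as .{parts[-2]}"
            findings.append(Finding(info.filename, reason))
    return findings


def build_sample_archive(members: dict[str, bytes]) -> bytes:
    """Create a ZIP in memory from {member name: content}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample mimicking the lure naming described in the alert; the
# script body is a placeholder comment, not real malware.
SAMPLE = build_sample_archive({
    "SWIFT_Payment_Notification.pdf.js": b"// placeholder script body\n",
    "readme.txt": b"benign text\n",
})

# Constructed benign archive for comparison.
BENIGN = build_sample_archive({"statement.pdf": b"%PDF-1.4 placeholder\n"})


if __name__ == "__main__":
    for finding in inspect_zip_attachment(SAMPLE):
        print(f"{finding.member}: {finding.reason}")
```

Member names are checked before anything is extracted, so the scan never executes or even writes the attachment to disk; in a gateway this check would run on the raw attachment bytes and route hits to quarantine for analyst review.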