New Wave of JSOutProx Malware Targeting Financial Firms in APAC and MENA

April 5, 2024 at 04:33AM

Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) regions are facing targeted attacks by a sophisticated threat called JSOutProx, which combines JavaScript and .NET components. The activity has been attributed to the threat actor tracked as Solar Spider and starts with spear-phishing emails that deliver the malware. The same report from cybersecurity company Resecurity also highlights GEOBOX, a new tool with serious security implications of its own.

According to the report, financial organizations in APAC and MENA have been targeted by a new version of what Resecurity describes as an "evolving threat" known as JSOutProx. The attack framework uses both JavaScript and .NET: the .NET component relies on the framework's (de)serialization feature to interact with a JavaScript module on the victim's machine, which in turn loads plugins that carry out the malicious activity.

The JSOutProx attacks have been attributed to a threat actor tracked as Solar Spider, whose operations have targeted banks and large companies in Asia and Europe. Earlier reporting also detailed attacks that used remote access trojans (RATs) against employees of small finance banks in India and against Indian government establishments.

The attack chains rely on spear-phishing emails carrying malicious JavaScript attachments and rogue HTA files. Once installed, the malware's plugins support data exfiltration, file system operations, control of proxy settings, capture of clipboard content, access to Microsoft Outlook account details, and collection of one-time passwords from Symantec VIP. Notably, JSOutProx carries its command-and-control (C2) communications in the HTTP Cookie header field, which lets the traffic blend in with ordinary web requests.
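Because the article says the C2 channel is hidden in the Cookie header but does not describe the encoding, a defender is left with a generic question: what does a cookie look like when it is really a smuggled payload? The following is an added example, written for this page and not code from the article, Resecurity or the malware. It scans constructed, tab-separated proxy log lines and flags cookie values that are far longer or far higher in entropy than real session cookies. The log format, the thresholds, the sample lines and the stand-in payload generator are all assumptions made for illustration.

```python
"""Heuristic detector for C2 traffic hidden in the HTTP Cookie header,
run over constructed proxy log lines.

Assumption (not taken from the article): payloads smuggled through cookies
tend to be much longer and much higher in entropy than legitimate cookie
values.  The log format, thresholds and sample data below are constructed
for this example and do not reflect the real JSOutProx encoding.
"""
import base64
import hashlib
import math
from collections import Counter
from typing import Dict, List, Tuple

# Tunable thresholds (assumed values; tune them against your own baseline).
MAX_COOKIE_VALUE_LEN = 256     # legitimate cookie values rarely exceed this
MIN_LEN_FOR_ENTROPY = 64       # ignore short values; entropy is noisy there
MIN_ENTROPY_BITS = 4.5         # bits per character; base64 noise is ~5.5-6


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split 'a=1; b=2' into [('a', '1'), ('b', '2')].  Malformed parts
    without '=' are kept with an empty name so they are still inspected."""
    pairs = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name.strip(), value.strip()) if sep else ("", part))
    return pairs


def suspicious_cookies(header: str) -> List[Dict[str, object]]:
    """Return one finding per cookie value that looks like a smuggled payload."""
    findings = []
    for name, value in parse_cookie_header(header):
        ent = shannon_entropy(value)
        reasons = []
        if len(value) > MAX_COOKIE_VALUE_LEN:
            reasons.append(f"length {len(value)} > {MAX_COOKIE_VALUE_LEN}")
        if len(value) >= MIN_LEN_FOR_ENTROPY and ent >= MIN_ENTROPY_BITS:
            reasons.append(f"entropy {ent:.2f} bits/char >= {MIN_ENTROPY_BITS}")
        if reasons:
            findings.append({"cookie": name, "length": len(value),
                             "entropy": round(ent, 2), "reasons": reasons})
    return findings


def scan_log(log_text: str) -> List[Dict[str, object]]:
    """Scan tab-separated lines: timestamp, client, host, path, cookie header."""
    hits = []
    for lineno, line in enumerate(log_text.strip().splitlines(), start=1):
        fields = line.split("\t")
        if len(fields) != 5:
            continue                      # skip malformed lines rather than crash
        _ts, client, host, path, cookie = fields
        for finding in suspicious_cookies(cookie):
            hits.append({"line": lineno, "client": client, "host": host,
                         "path": path, **finding})
    return hits


def _fake_payload(seed: bytes, blocks: int = 10) -> str:
    """Deterministic high-entropy blob standing in for an encoded C2 message
    (constructed; not the real JSOutProx encoding).  10 blocks = 440 chars."""
    out, h = [], seed
    for _ in range(blocks):
        h = hashlib.sha256(h).digest()
        out.append(base64.b64encode(h).decode())
    return "".join(out)


# Constructed sample proxy log (tab-separated); line 3 carries the smuggled blob.
SAMPLE_LOG = "\n".join([
    "2024-02-08T09:00:01Z\t10.0.0.5\tintranet.example\t/\tsession=abc123def456; theme=dark",
    "2024-02-08T09:00:07Z\t10.0.0.5\twww.example\t/news\t_ga=GA1.2.123456789.1700000000",
    "2024-02-08T09:00:12Z\t10.0.0.5\tupdate.example\t/check\tid=" + _fake_payload(b"seed"),
    "2024-02-08T09:00:20Z\t10.0.0.6\twww.example\t/\tlang=en",
])

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Run as a script it prints one finding, for line 3, with both the length and the entropy rule triggered. Expect false positives from long, high-entropy legitimate values such as signed tokens; a practical deployment should baseline per host and cookie name and suppress known-good pairs rather than lower the thresholds.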

The attackers have also been observed using fake SWIFT or MoneyGram payment notifications as lures to deliver the malicious code, with the payloads hosted in GitHub and GitLab repositories. Resecurity observed a spike in this activity beginning February 8, 2024, and assesses that the e-crime group behind the malware is based in China or affiliated with it.

The report also describes GEOBOX, a new tool promoted on the dark web that repurposes Raspberry Pi devices for fraud and anonymization. It lets operators spoof GPS locations, emulate specific network and software settings, mimic the characteristics of known Wi-Fi access points, and bypass anti-fraud filters. Its low cost and ease of access raise concern that it will be widely adopted across threat actors, with potential uses including state-sponsored attacks, corporate espionage, dark web market operations, financial fraud, anonymous distribution of malware, and access to geofenced content.

In summary, the article covers the evolving threat landscape facing financial organizations in APAC and MENA: the JSOutProx attack framework, the cybercrime activity surrounding it, and the concerns raised by the GEOBOX tool.
