Network Security, Phishing, Malware

Financial sector targeted by new JSOutProx RAT variant

Share
Malware analysis

BleepingComputer reports that phishing attacks with an updated JSOutProx remote access trojan variant have been deployed against financial entities in South and Southeast Asia, the Middle East, and Africa.

Other financial institutions may have already been compromised by the threat actors behind the new phishing campaign, which was discovered on March 27, a security alert from Visa's Payment Fraud Disruption unit warned.

Meanwhile, a separate Resecurity report revealed that intrusions involved the delivery of fraudulent Moneygram or SWIFT payment notifications including ZIP archive attachments that facilitate the retrieval of JSOutProx payloads from GitLab.

After performing implant updates and process execution, JSOutProx proceeded to modify proxy and DNS settings to conceal malicious activity, evade Unified Access Control for persistence, and exfiltrate clipboard content, credentials, Outlook information, and one-time passwords as part of the attacks, which are believed to have been conducted by Chinese or China-linked threat actors, according to Resecurity researchers.

An In-Depth Guide to Network Security

Get essential knowledge and practical strategies to fortify your network security.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.