BleepingComputer reports that phishing attacks delivering an updated variant of the JSOutProx remote access trojan have targeted financial entities in South and Southeast Asia, the Middle East, and Africa.
A security alert from Visa's Payment Fraud Disruption unit warned that other financial institutions may already have been compromised by the threat actors behind the new phishing campaign, which was discovered on March 27.
Meanwhile, a separate Resecurity report revealed that the intrusions began with fraudulent MoneyGram or SWIFT payment notifications carrying ZIP archive attachments, which in turn retrieve the JSOutProx payload from GitLab.
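The delivery chain above (a decoy payment notification, a ZIP attachment, a script inside it that fetches the next stage from a public code-hosting site) is something a mail gateway can triage before the archive reaches a user. The following is an added illustration, not code from BleepingComputer, Visa or Resecurity: it scans a ZIP attachment for script-capable members, flags decoy double extensions such as `.pdf.js`, and extracts any URLs in those scripts that point at code-hosting domains. The extension list, the domain list, the member name `SWIFT_Payment_Notification.pdf.js` and the GitLab path in the sample are all constructed for the example and are assumptions, not indicators from the reports.

```python
"""Triage check for ZIP e-mail attachments: flag script members and
code-hosting download URLs. Added example; the sample archive is constructed."""
import io
import re
import zipfile

# Extensions Windows Script Host, mshta or the shell will execute directly.
# Assumption: a sensible starting list, not an exhaustive one.
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta",
               ".cmd", ".bat", ".ps1", ".lnk"}

# Public code-hosting domains a dropper might fetch its second stage from
# (assumption; extend to match your own environment's exposure).
HOSTING_DOMAINS = ("gitlab.com", "github.com", "raw.githubusercontent.com",
                   "bitbucket.org")

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)
MAX_SCRIPT_BYTES = 1_048_576  # only inspect the first 1 MiB of each script


def scan_zip_attachment(data: bytes) -> dict:
    """Return findings for one ZIP attachment given as raw bytes."""
    findings = {"script_members": [], "double_extensions": [], "hosting_urls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            basename = name.lower().rsplit("/", 1)[-1]
            parts = basename.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext not in SCRIPT_EXTS:
                continue
            findings["script_members"].append(name)
            # "Notification.pdf.js": decoy extension placed before the real one
            if len(parts) > 2:
                findings["double_extensions"].append(name)
            text = zf.read(name)[:MAX_SCRIPT_BYTES].decode("utf-8", errors="ignore")
            for url in URL_RE.findall(text):
                host = url.split("/")[2].lower()
                if any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS):
                    findings["hosting_urls"].append(url)
    findings["suspicious"] = bool(findings["script_members"])
    return findings


def build_sample_attachment() -> bytes:
    """Constructed lookalike of the decoy: a ZIP whose only member is a
    JScript stub referencing a made-up GitLab raw path. Not real malware."""
    script = (
        '// constructed sample for the scanner above, not a real dropper\n'
        'var u = "https://gitlab.com/example-user/example-repo/-/raw/main/stage2.txt";\n'
        'WScript.Echo(u);\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("SWIFT_Payment_Notification.pdf.js", script)
    return buf.getvalue()


def build_benign_attachment() -> bytes:
    """Constructed benign archive: a single document member, no scripts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("decoy", build_sample_attachment()),
                        ("benign", build_benign_attachment())):
        print(label, scan_zip_attachment(blob))
```

The scan is deliberately conservative: any script-capable member is enough to mark the archive suspicious, and the hosting-URL extraction is there to give the analyst a pivot (the exact path the stub would fetch) rather than to decide the verdict, since a dropper can trivially obfuscate its URL.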
Once running, the implant can update itself and launch further processes, then alters proxy and DNS settings to conceal its traffic, bypasses User Account Control (UAC) to maintain persistence, and exfiltrates clipboard contents, credentials, Outlook data, and one-time passwords. Resecurity researchers believe the attacks were conducted by Chinese or China-linked threat actors.