The New Version of JsOutProx is Attacking Financial Institutions in APAC and MENA via GitLab Abuse

Resecurity identifies a new version of JSOutProx targeting APAC and MENA financial institutions, leveraging a modular .NET/JavaScript framework and multi-stage payloads hosted on GitHub and GitLab. The operation uses phishing-style lures, masquerading as PDFs, and cookie-based C2 communications to gather data and proxy traffic, with takedowns aimed at disrupting the infrastructure. #JSOutProx #GitLab

Keypoints

  • New JSOutProx variant targets APAC and MENA financial services, using a modular framework built on .NET and JavaScript with plugins for additional malicious actions.
  • JSOutProx was originally identified in 2019 and has previously been linked to SOLAR SPIDER phishing campaigns delivering the JSOutProx RAT across multiple regions.
  • February 2024 spike involved impersonation emails (mike.will@my[.]com) and fake SWIFT/MoneyGram notifications to deliver malware payloads.
  • Payloads were hosted mainly on GitHub; in March 2024 a shift to GitLab was observed with multi-stage infections and new actor-created repositories (docs909, dox05).
  • The JSOutProx RAT features a modular plugin system, supports shell commands, file operations, persistence, screenshots, and input capture; it also uses the Cookie header for C2 signaling.
  • Earlier campaigns (2020) targeted Indian government and banking sectors, with JU backdoors linked to JSOutProx and suspected Chinese-affiliated actors; victims span India, Taiwan, the Philippines, Laos, Singapore, Malaysia, and KSA.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The implant uses Windows Script Host (WSH) objects to perform operations; for example, “it uses WinHttp.WinHttpRequest.5.1 for HTTP requests, WScript.Shell for executing commands, and Scripting.FileSystemObject for file system access.”
  • [T1027] Obfuscated/Compressed Files and Information – “The JSOutProx RAT malware features complex obfuscation within its JavaScript backdoor structure” and “obfuscated using obfuscator.io. After deobfuscating them, we obtained the decoded JavaScript code.”
  • [T1036] Masquerading – “Solar Spider is employing the classic Masquerading technique (T1036), disguising its code as a PDF file rather than JS code.”
  • [T1105] Ingress Tool Transfer – “Most of the identified payloads were hosted on GitHub repositories” (with later use of GitLab in a multi-stage infection chain).
  • [T1082] System Information Discovery – “Using WMI, the implant collects information about the victim’s environment.”
  • [T1071] Web Protocols – “The unique feature of the malware is its use of the Cookie header field in its command and control (C2C) communication.”
  • [T1548.002] Bypass User Account Control – “PriviledgePlugin … UAC allows to write in registry location … and has options for using UAC bypass techniques like fodhelper.exe, Slui File Handler Hijacking, …”
  • [T1112] Modify Registry – “ProxyPlugin … modifying registry key ‘Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable’.”
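As an added example (not part of this summary or of Resecurity's report), a small Python triage script that turns three of the observable points above into checks: masquerading attachment names (T1036), script-host downloads from raw GitHub/GitLab endpoints (T1105), and ProxyEnable writes by a script host (T1112). The event layout, process names and repository URLs are constructed assumptions standing in for mail-gateway, proxy and registry telemetry.

```python
import re
from typing import List, Tuple

# Constructed sample telemetry (not from the report): one event per line in a
# simplified "kind|process|value" layout.
SAMPLE_EVENTS = [
    "attachment|outlook.exe|MoneyGram_AML_Compliance_review.pdf.js",
    "attachment|outlook.exe|Swift_Copy_jpg.zip",
    "attachment|outlook.exe|Quarterly_Report.pdf",
    "download|wscript.exe|https://raw.githubusercontent.com/example-org/repo/main/Transaction_Ref_jpg.zip",
    "download|chrome.exe|https://raw.githubusercontent.com/example-org/repo/main/README.md",
    "download|wscript.exe|https://gitlab.com/example-org/repo/-/raw/main/Transactions_Copy.zip",
    "registry|wscript.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable",
    "registry|explorer.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
]

# T1036: a document/image token sitting right before a script or archive
# extension (Invoice_pdf.zip, report.pdf.js), the lure pattern seen in the campaign.
MASQUERADE = re.compile(r"(?i)[._-](pdf|jpe?g|png|docx?|xlsx?)\.(zip|js|jse|vbs|wsf|hta)$")
# T1105: raw-file endpoints of GitHub and GitLab used as payload hosting.
RAW_HOSTING = re.compile(r"(?i)^https?://(raw\.githubusercontent\.com/|gitlab\.com/.+/-/raw/)")
# Windows Script Host and related interpreters the implant runs under.
WSH_PROCS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# T1112: the ProxyEnable value the ProxyPlugin is reported to modify.
PROXY_ENABLE = re.compile(r"(?i)\\Internet Settings\\ProxyEnable$")


def triage(events: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, value) findings for events matching the described tradecraft."""
    findings = []
    for line in events:
        kind, proc, value = line.split("|", 2)
        proc = proc.lower()
        if kind == "attachment" and MASQUERADE.search(value):
            findings.append(("T1036 masquerading attachment", value))
        elif kind == "download" and proc in WSH_PROCS and RAW_HOSTING.match(value):
            findings.append(("T1105 script host fetch from raw GitHub/GitLab", value))
        elif kind == "registry" and proc in WSH_PROCS and PROXY_ENABLE.search(value):
            findings.append(("T1112 ProxyEnable modified by script host", value))
    return findings


if __name__ == "__main__":
    for rule, value in triage(SAMPLE_EVENTS):
        print(f"{rule}: {value}")
```

Run against real telemetry, the download and registry rules should be keyed on the parent process of the script host as well, since a user double-clicking a lure produces the same process name as a benign admin script.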

Indicators of Compromise

  • [File/Archive] Payload file names and hashes observed – Transaction_Ref_jpg.zip, d22f76e60a786f0c92fa20af1a1619b2; MoneyGram_Global_Compliance_pdf.zip, 9c9df8fbcef8acd1a5265be5fd8fdce9 (and 2 more hashes)
  • [File/Archive] Additional payload pairings – Swift_Copy_jpg.zip, 81b9e7deb17e3371d417ad94776b2a26; MoneyGram_AML_Compliance_review.pdf.js, 1bd7ce64f1a7cf7dc94b912ceb9533d0 (and 2 more hashes)
  • [URL] GitHub hosting URLs observed – https://github.com/agbusi/ikeketeorie/blob/main/Transaction_Ref_jpg.zip -> https://raw.githubusercontent.com/agbusi/ikeketeorie/main/Transaction_Ref_jpg.zip; https://github.com/agbusi/compliance/blob/main/MoneyGram_Global_Compliance_pdf.zip -> https://raw.githubusercontent.com/agbusi/compliance/main/MoneyGram_Global_Compliance_pdf.zip (and 2 more URLs)
  • [URL] GitLab hosting URLs observed – https://gitlab.com/godicolony4040/dox05/-/raw/main/Transactions_Copy_65880983136606696162127010122_65890982136606696162127010122.zip -> https://raw.githubusercontent.com/godicolony4040/dox05/… (and 2 more URLs)
  • [Domain] Command-and-control domains – suedxcapuertggando.ddns.net, kiftpuseridsfryiri.ddns.net, hudukpgdgfytpddswq.ddns.net (and 2 more domains)
  • [IP] C2 IPs observed – 185.244.30.218, 79.134.225.17, 103.212.81.155, 103.212.81.157
  • [Email] Phishing sender used in campaigns – mike.will@my[.]com (observed impersonation tactic)

Read more: https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse