Playbook

Malware Threat: JsOutProx

Description

FortiGuard Labs discovered an interesting spearphishing attack that we decided to investigate further, which led us to identify a newly updated JsOutProx campaign.

This malicious campaign targets verticals in the governmental monetary and financial sectors in Asia. It uses the likeness of a central bank of an Asian nation to compel a victim to open a compressed attachment that contains a malicious HTA file. Once the HTA file is executed, it contains heavily obfuscated JavaScript that ultimately installs and runs a remote access trojan or RAT.

What makes this unique from other attacks in this space you ask? This campaign is utilizing JsOutProx, a fully functional JavaScript remote access trojan (RAT) first discovered in December of 2019.

The tactics, techniques, and procedures (TTPS) of the attackers behind JsOutprox appear to be the work of a sophisticated threat actor. This seems evident due to the time and effort the attackers have taken to create this RAT, as well as the series of recent updates that have made it much more powerful. The actors also use specially crafted social engineering campaigns leveraging specific technical jargon pertaining to the verticals being targeted.

For more information on the TTPs used by JsOutProx, read the blog listed in the appendix and go to our Playbook Viewer and select JsOutProx from the menu.

Appendix