The new JsOutProx targets financial institutions in APAC and the Middle East and utilizes GitLab.

Resecurity researchers warn of a new version of JsOutProx targeting financial institutions in the Asia-Pacific and Middle East regions using GitLab.

Resecurity has discovered a new version of JSOutProx that targets financial services and organizations in the Asia-Pacific and Middle East regions. JSOutProx is a sophisticated attack platform that utilizes both JavaScript and .NET. It uses .NET's (de)serialization function to interact with the underlying JavaScript module running on the victim's computer. Once executed, the malicious code allows the platform to load various plugins that perform additional malicious actions against the target.

This malware was first discovered in 2019 and was initially linked to SOLAR SPIDER phishing campaigns that delivered JSOutProx RATs to financial institutions in Africa, the Middle East, South Asia, and Southeast Asia. A surge in activity was seen around February 8, 2024, when a major systems integration company with a base in the Kingdom of Saudi Arabia reported an incident where customers of a major bank in the region were attacked.

Resecurity has helped several victims obtain the relevant pieces of malicious code through digital forensics and incident response work, and has helped recover data.

The most recent episode, which occurred on April 2, 2024, targeted multiple bank customers with a covert attack. The attackers used a fake SWIFT payment notification (for corporate customers) and a MoneyGram template (for private customers), relying on these misleading notifications to launch the malware.

The discovery of the new version of JSOutProx, together with the abuse of the GitHub and GitLab platforms, underscores the persistence and sophistication of these malicious actors. At its fifth anniversary, JSOutProx continues to pose a serious and evolving threat, especially to customers of financial institutions. With increasing volume this year, the malicious actors have expanded their reach to the Middle East region, thereby increasing their cybercriminal activity. As these threats become increasingly sophisticated and widespread, Resecurity remains vigilant in its commitment to monitor JSOutProx and protect financial institutions and their customers around the world from such insidious activities.

Additional technical details are available in the report published by Resecurity at the following link: https://www.resecurity.com/blog/article/the-new-version-of-jsoutprox-is-attacking-financial-institutions-in-apac-and-mena-via-gitlab-abuse
