Financial Institutions Targeted: New JsOutProx Surge

Visa has issued a warning about the increased activity of a new version of the malicious software JsOutProx, targeting financial institutions and their clients. The campaign has affected institutions in South and Southeast Asia, the Middle East, and Africa.

The new variant of the Remote Access Trojan (RAT) has been distributed through a phishing campaign since March 27th, as reported by BleepingComputer, citing statements from Visa's Payment Fraud Disruption (PFD) unit.

First identified in December 2019, JsOutProx is a heavily obfuscated JavaScript backdoor that enables operators to execute shell commands, upload additional payloads, execute files, capture screenshots, maintain persistence on the infected device, and control the keyboard and mouse.

The objective of the campaign remains unclear; however, it is suspected that the attackers aimed at financial institutions to carry out fraudulent operations. Visa has suggested several mitigation measures, including raising awareness of phishing risks, employing EMV technology and secure payment acceptance, protecting remote access, and monitoring suspicious transactions.

Resecurity experts, in their report, revealed details of the phishing operation, noting that the malware has evolved, enhancing its evasion capabilities and utilizing GitLab for hosting its downloads.

Victims received fake notifications by email, purportedly from official institutions, carrying ZIP archives that contain JavaScript files. When the recipient opens the script, it downloads the JsOutProx implant onto the computer.
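The delivery vector above (a ZIP attachment whose member is a script file, often with a document-looking name) is easy to check for at a mail gateway before any user can open it. The following Python is an added example written for this page, not code from Visa, Resecurity or the JsOutProx operators; the extension list beyond `.js` and the sample archive contents are assumptions constructed here to show the check on realistic input.

```python
import io
import os
import zipfile
from typing import Dict, List

# Extensions that Windows Script Host or mshta will run on double-click.
# The campaign described above used .js; the remaining entries are related
# script types a gateway would normally block together (assumption).
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta"}


def suspicious_members(zip_bytes: bytes) -> List[str]:
    """Return the names of archive members a user could execute as a script.

    Matching is done on the final extension only, so a double extension such
    as 'invoice.pdf.js' is still flagged because the name ends in '.js'.
    The archive is inspected in memory; nothing is extracted to disk.
    """
    flagged = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # splitext('a/b/Invoice.pdf.JS') -> ('a/b/Invoice.pdf', '.JS')
            ext = os.path.splitext(info.filename)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                flagged.append(info.filename)
    return flagged


def build_sample_zip(members: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from a name->content map (test input only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample mimicking the lure: a PDF-looking name with a .js
# extension beside a harmless text file. The script body is an inert
# placeholder, not the real malware.
SAMPLE_ZIP = build_sample_zip({
    "Payment_Advice_4471.pdf.js": b"// placeholder, not JsOutProx\n",
    "readme.txt": b"Please find the attached payment advice.\n",
})


if __name__ == "__main__":
    hits = suspicious_members(SAMPLE_ZIP)
    if hits:
        print("QUARANTINE: script payload(s) in attachment:", hits)
    else:
        print("no script members found")
```

Running the block prints a quarantine line naming `Payment_Advice_4471.pdf.js`. In production the same check would sit in the mail filter's attachment hook and be paired with blocking `.js` at the endpoint (for example, by remapping the `.js` file association away from Windows Script Host), since a renamed or nested archive can still slip past a name-based check.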

The new variant of the malware adds tools for modifying proxy settings, altering DNS settings to redirect and disguise its traffic, stealing clipboard contents, and bypassing two-factor authentication by capturing one-time passwords. Analysts suggest that a Chinese group may be behind the attacks, based on the complexity of the operation, the profile of the targets, and their geographic location.