
Cybercrime: JsOutProx, a new enterprise grade malware

Yoroi-Cybaze Zlab: here comes JsOutProx, a new sophisticated malware. It has been designed to hit high-value targets and is probably still under development. It makes extensive use of obfuscation and anti-reversing techniques.

Here comes JsOutProx, a new sophisticated malware discovered by the Yoroi-Cybaze Zlab cyber security experts. It is a toolkit with peculiar remote access capabilities: all the function prototypes are contained in the core engine, and the toolkit can be remotely extended at run time. The implementation of its functionalities has been decoupled from the JavaScript core through shared interfaces realized by the “dotUtil” class, the loader of its .NET plugins. These classes are delivered remotely through serialization; this decoupling yields a malleable, modular implementation that gives the implant operators versatile code management. Another relevant aspect of JsOutProx is its capability to deal with the SymantecVIP technology, which suggests it has been designed to hit high-value targets. The threat is also new: it had never been publicly seen before this December and is probably still under development.

The malware core, according to the cyber security experts

According to the cyber security experts, JsOutProx’s core structure contains the objects and functions the malware uses to pursue its actions. In many cases Zlab noticed a naming correspondence between pairs of objects, for example between “Outlook” and “OutlookPlugin”, or “Proxy” and “ProxyPlugin”. This indicates that the malicious code has a modular structure made of specific plugins able to perform a wide range of actions, such as exfiltrating data by populating the associated object. For example, the “OutlookPlugin” is able to steal information about emails and contacts. Each plugin embeds an obfuscated function named “receive”, whose purpose is to perform the plugin’s specific action. This function name is constant and represents a sort of common interface between the malware modules.

How JsOutProx works

Once the main structure has been created, JsOutProx runs its first function, “init”. It is designed to create an identification string for the victim machine, built from system information and stored in the “t_fT[“ID”]” variable. The malware then enters an endless loop in which it invokes the “receive” function every 5 seconds. It has many capabilities and is able to handle a complete infection life-cycle: it can update itself, restart itself, execute other JavaScript code or VB scripts, and even remove its traces. Additionally, the main loop contains a series of if-else branches that evaluate the received string for specific prefixes; each prefix is associated with a plugin module.

The uncommon plugins used by the malicious code

Some of these JsOutProx plugins implement standard functionalities found in many RATs and recon malware, but others hide interesting and even uncommon features. The ProcessPlugin is able to manipulate other processes running on the system: it can kill them by PID or by name, create new processes through WSH or WMI, and also collect a memory dump of a specific process. The DnsPlugin handles the machine’s DNS configuration; it can send the current configuration to the C2 and also set a new one. The “Token” plugin and the SymantecVIP object exfiltrate tokens and are specifically designed for the theft of SymantecVIP One-Time Passwords. The OutlookPlugin weaponizes the implant with common information-stealing capabilities, enabling the attackers to gather account information and the contact list. Finally, the PromptPlugin lets the attacker present the victim with a custom message prompt provided by the command and control server.
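As an added example (not part of the article or of the Yoroi-Cybaze Zlab report), the following Python triage heuristic scores a script body against the structural markers described above: the paired “*Plugin” objects, the “dotUtil” loader, the “t_fT[“ID”]” victim identifier, the constant “receive” interface, the “init” entry point and the 5-second polling delay. The regexes, weights, threshold and the two sample scripts are this example’s own constructions; real samples are heavily obfuscated, so a plaintext match like this only catches unobfuscated or deobfuscated stages.

```python
import re

# Structural markers attributed to JsOutProx in the article. The identifiers
# ("dotUtil", "t_fT", "receive", "init", the *Plugin names, 5 s polling) come
# from the report; the regexes and weights are this example's assumptions.
# Strong markers weigh 3, the generic ones (init/receive/5 s timer) less, so
# an ordinary script using setTimeout and init() does not trip the threshold.
MARKERS = {
    "plugin_pairs": (re.compile(r"\b(Outlook|Proxy|Process|Dns|Token|Prompt)Plugin\b"), 3),
    "dotutil_loader": (re.compile(r"\bdotUtil\b"), 3),
    "victim_id_var": (re.compile(r"t_fT\s*\[\s*[\"']ID[\"']\s*\]"), 3),
    "receive_iface": (re.compile(r"\breceive\s*[:=(]"), 1),
    "init_call": (re.compile(r"\binit\s*\("), 1),
    "five_sec_poll": (re.compile(r"\b(WScript\.Sleep|setTimeout|setInterval)\s*\([^)]*5000"), 2),
}


def score_script(text):
    """Return (score, [matched marker names]) for one script body."""
    hits = [name for name, (rx, _weight) in MARKERS.items() if rx.search(text)]
    score = sum(MARKERS[name][1] for name in hits)
    return score, hits


def is_suspicious(text, threshold=6):
    """True when enough JsOutProx-like structure is present to warrant a look."""
    score, _hits = score_script(text)
    return score >= threshold


# Constructed sample mimicking the described layout; this is not malware code.
SAMPLE_SUSPECT = """
var t_fT = {}; t_fT["ID"] = hostName + volSerial;
var OutlookPlugin = { receive: function(cmd) { return dotUtil.load(cmd); } };
while (true) { var r = receive(); WScript.Sleep(5000); }
"""

# Constructed benign script that shares only the weak markers (init + 5 s timer).
SAMPLE_BENIGN = """
function init() { console.log("page ready"); }
setTimeout(init, 5000);
"""
```

Running `score_script` on the two samples gives 12 (all markers but `init_call`) for the suspect script and 3 for the benign one, so only the former crosses the default threshold.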
