Mandiant cybersecurity experts: the APT group tracked as UNC2452 also shows two distinct clusters of activity, UNC3004 and UNC2652.
Yoroi-Cybaze Zlab: here comes JsOutProx, a new, sophisticated malware. It has been designed to hit high-value targets and is probably still under development. It makes extensive use of obfuscation and anti-reversing techniques.
The malware core according to the cyber security experts
According to the cyber security experts, JsOutProx's core structure contains objects and functions used by the malware to pursue its actions. In many cases Zlab noticed a naming correspondence between pairs of objects, for example between “Outlook” and “OutlookPlugin”, or “Proxy” and “ProxyPlugin”. This indicates the malicious code has a modular structure made of specific plugins able to perform a wide range of actions, such as collecting data for exfiltration by populating the associated object: the “OutlookPlugin”, for example, steals information about emails and contacts and stores it in the “Outlook” object. Each plugin embeds an obfuscated function named “receive”, which performs the plugin's specific action. This function name is constant across plugins and represents a common interface between the malware's modules.
How JsOutProx works
The uncommon plugins used by the malicious code
Some of these JsOutProx plugins implement functionality standard in many RATs and reconnaissance malware, but others hide interesting and even uncommon features. The ProcessPlugin is able to manipulate other processes running on the system: it can kill them by PID or by name, create new processes through WSH or WMI, and also collect a memory dump of a specific process. The DnsPlugin handles the machine's DNS configuration: it can send the current configuration to the C2 and also set a new one. The “Token” plugin and the SymantecVIP object exfiltrate tokens and are specifically designed to steal Symantec VIP one-time passwords. The OutlookPlugin weaponizes the implant with common information-stealing capabilities, enabling the attackers to gather account information and the contact list. Finally, the PromptPlugin lets the attacker present the victim with a custom message prompt supplied by the command and control server.
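The modular layout described in the two passages above (paired “Name”/“NamePlugin” objects, a constant “receive” handler per plugin, and a small set of named plugins) is concrete enough to turn into a static triage heuristic. The following is an added example, not code from the Yoroi ZLab report or from JsOutProx itself: it scans JScript source for those three traits and reports which of the plugin names the report lists are present. The two sample scripts, the `triage` function, and the suspicion thresholds are constructed for this demo and are not taken from the page.

```javascript
// Added example (not JsOutProx code, not Zlab's tooling): static triage of a
// JScript source for the modular layout described in the report.
'use strict';

// Plugin names cited in the report, without the "Plugin" suffix.
const REPORTED_PLUGINS = ['Process', 'Dns', 'Token', 'Outlook', 'Prompt', 'Proxy'];

// "<Name>Plugin" identifiers, capturing <Name>.
const PLUGIN_IDENT = /\b([A-Z][A-Za-z0-9]*)Plugin\b/g;
// "receive: function(", "receive = function(" and "function receive(".
const RECEIVE_HANDLER = /\breceive\s*[:=]\s*function\s*\(|\bfunction\s+receive\s*\(/g;

// Distinct <Name> values from every "<Name>Plugin" identifier, sorted.
function pluginNames(src) {
  return [...new Set([...src.matchAll(PLUGIN_IDENT)].map((m) => m[1]))].sort();
}

// Plugins whose bare counterpart ("Outlook" for "OutlookPlugin") also appears
// as a standalone identifier. \b keeps "Outlook" from matching inside
// "OutlookPlugin", since "P" is a word character.
function pairedObjects(src) {
  return pluginNames(src).filter((name) => new RegExp('\\b' + name + '\\b').test(src));
}

// Number of "receive" handler definitions in the source.
function receiveHandlers(src) {
  return (src.match(RECEIVE_HANDLER) || []).length;
}

function triage(src) {
  const plugins = pluginNames(src);
  const pairs = pairedObjects(src);
  const receivers = receiveHandlers(src);
  const reported = plugins.filter((p) => REPORTED_PLUGINS.includes(p));
  // Verdict (thresholds are an assumption of this example): at least two
  // object/plugin pairs and a "receive" handler for every plugin object found.
  const suspicious = pairs.length >= 2 && receivers >= plugins.length;
  return { plugins, pairs, receivers, reported, suspicious };
}

// Constructed JScript mimicking the described layout; not a real sample.
const SUSPECT_SAMPLE = `
var Outlook = { emails: [], contacts: [] };
var OutlookPlugin = { receive: function (cmd) { Outlook.contacts.push(cmd); } };
var Proxy = { host: null };
var ProxyPlugin = { receive: function (cmd) { Proxy.host = cmd; } };
var DnsPlugin = { receive: function (cmd) { WScript.Echo(cmd); } };
function dispatch(name, cmd) { this[name + "Plugin"].receive(cmd); }
`;

// Constructed benign script: a "*Plugin" name with no paired object and no
// "receive" handler, to show the heuristic does not fire on the suffix alone.
const BENIGN_SAMPLE = `
var TooltipPlugin = { init: function (el) { el.title = "hint"; } };
TooltipPlugin.init(document.body);
`;

for (const [label, src] of [['suspect', SUSPECT_SAMPLE], ['benign', BENIGN_SAMPLE]]) {
  console.log(label, JSON.stringify(triage(src)));
}
```

Run with `node triage.js`; the suspect sample reports three plugins, two of them paired with a bare object, three `receive` handlers and a positive verdict, while the benign script is not flagged. The regexes assume the sample has already been deobfuscated to the point where identifiers are readable, which the report indicates is necessary for JsOutProx.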