Cisco Talos cybersecurity experts: The attacker, a single actor, deploys a variety of malware, such as DcRAT and QuasarRAT, via diplomatic and humanitarian lures.
Yoroi: JsOutProx is evolving, and now it has improved protection mechanisms to avoid detection
The cybersecurity experts: The malware (aka TH-264) can operate as a silent info stealer or run offensive plugins, and has started targeting western financial organizations
According to the cybersecurity experts, the infection starts with a malicious phishing message pretending to be a bank transaction. It also leverages the classic Masquerading technique (T1036), pretending to be a PDF file instead of JS code. Once inside, the malware can operate as a silent info stealer, making it an effective reconnaissance tool for the initial phases of an intrusion, but it can also be leveraged to run more advanced, and noisier, offensive plugins using proxy processes to keep the main infection process safe from detection and security terminations. Furthermore, Yoroi's researchers have started noticing signs of a potential expansion of the attack operations to western financial organizations.
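One defensive check for the T1036 masquerade described above (a script attachment presented as a PDF), as an added example that is not Yoroi's code or part of the original report; the attachment names, byte samples and marker list are constructed for illustration.

```python
"""Attachment triage: flag files that claim to be PDFs but look like scripts."""

PDF_MAGIC = b"%PDF-"
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".hta"}
# Crude markers of a script body; constructed for this example, not a full signature set.
SCRIPT_MARKERS = (b"function", b"eval(", b"ActiveXObject", b"WScript")
RTLO = "\u202e"  # right-to-left override, used to visually reverse a filename's suffix


def masquerade_findings(filename: str, content: bytes) -> list:
    """Return a list of finding tags; an empty list means nothing looked wrong."""
    findings = []
    lowered = filename.lower()
    if RTLO in filename:
        findings.append("rtlo-in-name")
    parts = lowered.split(".")
    exts = ["." + p for p in parts[1:]]
    # 'receipt.pdf.js': the real (last) extension is a script, a fake '.pdf' sits before it
    if exts and exts[-1] in SCRIPT_EXTENSIONS and ".pdf" in exts[:-1]:
        findings.append("double-extension-pdf-script")
    # A file that claims to be a PDF anywhere in its name must start with the PDF header
    claims_pdf = ".pdf" in exts
    if claims_pdf and not content.startswith(PDF_MAGIC):
        findings.append("pdf-name-without-pdf-magic")
    if any(marker in content for marker in SCRIPT_MARKERS):
        findings.append("script-markers-in-body")
    return findings


def is_suspicious(filename: str, content: bytes) -> bool:
    return bool(masquerade_findings(filename, content))


if __name__ == "__main__":
    # Constructed samples: a benign PDF and a JS dropper dressed up as a bank receipt.
    samples = {
        "receipt.pdf": b"%PDF-1.7\n%...\n",
        "TransactionReceipt.pdf.js": b"function a(){eval('x')}",
    }
    for name, body in samples.items():
        print(name, masquerade_findings(name, body))
```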