
Cybercrime: JsOutProx is evolving and has started targeting western financial organizations

Yoroi: JsOutProx is evolving, and it now has improved protection mechanisms to avoid detection

The JsOutProx (TH-264) malware is evolving, as discovered by Yoroi cybersecurity experts. It is a JavaScript-based RAT used to attack financial institutions in the APAC area, spread by a threat actor dubbed SOLAR SPIDER by CrowdStrike. The group is now protecting the new code with improved protection mechanisms. The implant is growing in sophistication for three reasons. First, the obfuscation is becoming increasingly intense and can evade initial detection. Second, the newer versions dropped the in-memory .NET modules and adopted a proxy process plugin architecture to enhance the survival of the main infection routine. Third, the introduction of the “view-only mode” represents a notable change in the flexibility of this malicious tool, which can now be configured to keep the lowest footprint possible while still keeping eyes on the victim’s desktop.

The cybersecurity experts: the malware (aka TH-264) can operate as a silent info stealer or run offensive plugins, and has started targeting western financial organizations

According to the cybersecurity experts, the infection starts with malicious phishing messages pretending to concern a bank transaction. It also leverages the classic Masquerading technique (T1036), presenting the attachment as a PDF file when it is actually JS code. Once inside, the malware can operate as a silent info stealer, making it an effective reconnaissance tool for the initial phases of an intrusion, but it can also be leveraged to run more advanced, and noisier, offensive plugins through proxy processes that keep the main infection process safe from detection and security terminations. Furthermore, Yoroi’s researchers have started noticing signs of a potential expansion of the attack operations to western financial organizations.
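As an added illustration (not code from Yoroi's report), a small Python check that flags e-mail attachment names using the PDF-for-JS masquerading trick described above: a script extension hiding behind a document extension. The extension lists and sample file names are constructed assumptions, not indicators from the report.

```python
"""Flag attachment names whose real script extension hides behind a document extension."""
from pathlib import PurePosixPath

# Extensions the Windows script host executes; the lure described above used .js
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta"}
# Document types an attacker may imitate in the name; the lure above posed as a PDF
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def classify_attachment(name: str) -> dict:
    """Return the real extension, the document type it masquerades as (if any), and a verdict."""
    suffixes = [s.lower() for s in PurePosixPath(name.strip()).suffixes]
    real_ext = suffixes[-1] if suffixes else ""
    is_script = real_ext in SCRIPT_EXTENSIONS
    # Any earlier suffix that looks like a document is the decoy extension a user would notice
    fake_doc = next((s for s in suffixes[:-1] if s in DOCUMENT_EXTENSIONS), None)
    if is_script and fake_doc:
        verdict = "block"    # script masquerading as a document (T1036 pattern)
    elif is_script:
        verdict = "review"   # script attachment without a decoy extension
    else:
        verdict = "allow"
    return {"name": name, "real_ext": real_ext, "masquerades_as": fake_doc, "verdict": verdict}


def scan_attachments(names):
    """Classify every attachment name and return only those that need action."""
    return [r for r in map(classify_attachment, names) if r["verdict"] != "allow"]


# Constructed sample attachment names (assumptions, not real indicators)
SAMPLE_ATTACHMENTS = [
    "transaction_receipt.pdf",      # genuine document, allowed
    "transaction_receipt.pdf.js",   # script posing as a PDF: the lure pattern above
    "Payment_Advice.PDF.jse",       # same trick, mixed case and encoded-JS extension
    "script_from_dev_team.js",      # plain script, worth a look but no decoy extension
    "quarterly_report.xlsx",        # genuine spreadsheet
]

if __name__ == "__main__":
    for hit in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"{hit['verdict']:6} {hit['name']} (real: {hit['real_ext']}, "
              f"looks like: {hit['masquerades_as']})")
```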
