Quick Heal Security Labs has been monitoring various attack campaigns using JSOutProx RAT against different SMBs in the BFSI sector since January 2021. We have found multiple payloads being dropped at different stages of its operations. Although the RAT campaigns have also been previously reported on other countries, those targeting Indian companies are operated through separate C2 domains. Let’s dig deeper into the working of this targeted attack.
JSOutProx is a modular JScript-based RAT delivered to the user as a .hta file and first executed by the mshta.exe process. The initial attack vector is a spear-phishing email with a compressed attachment having a “.hta” file with a file name related to a financial transaction. The attachments have a double-extension-like format, for example “_pdf.zip”, “_xlsx.7z”, “_xls.zip”, “_docx.zip”, “_eml.zip”, “_jpeg.zip”, “_txt.zip” etc.
The RAT is delivered in 2 stages. In the first stage, a minimal version is provided with some functionalities stripped. In the second stage, a bigger version of the sample is delivered, which, apart from the existing functionalities of the first stage rat, has support for additional functions and plugins as well.
Spear Phishing emails are sent to targeted individuals who are employees of small finance banks from India. We believe the threat actor adds more targets to his list by stealing the email contacts of its victims. We have observed multiple campaigns from Jan 2021 to June 2021 where emails were sent to hundreds of targets in a single day. Sometimes, various emails with different attachment names are sent to a single target to increase the chances of the user downloading and opening the attachment file.
The RAT was first observed two years ago, in 2019. Since then, the RAT has upgraded with new commands, more functionality, and increased obfuscation. The recent JScript files consist of more than one MB of obfuscated code, a vast array of base64-like strings, malware’s configuration data, and an rc4 string decryption function. The obfuscation pattern remains the same as the older samples and is the same for both stages of RAT samples.
Once the configuration data is decrypted, we get a glimpse of the malware’s capabilities. The “BaseUrl” field points to the C2 domain and port number it communicates using the HTTP protocol. “Password” field is used while downloading plugins and assemblies from C2. ”Tag” field contains campaign ID. The first samples, which were reported two years back, had the tag name “JSOutProx,” and hence it was named as such. Below is a list of initial fields present in the decrypted configuration data of one RAT sample.
Few new fields like “ViewOnly” were seen in the recent samples, which allows the controller to monitor the victim to gather victim info and not write or execute anything on the machine. This ensures the malware is not creating any noisy events until the attacker decides to initiate the attack. Most of the initial fields are common in both stages.
The first stage RAT is a .hta file and executed by the mshta.exe process. It can create entries in registry and startup, create or terminate a process, perform file operations, download plugins, etc. It can also generate some mouse and keyboard operations using PowerShell scripts in the target machine through “ScreenPShell” commands, as mentioned in the below screenshot.
Following are the essential plugins supported and their functionalities:
Once the malware is executed, it communicates with C2, which first responds with a PowerShell script to capture the screenshot and save it in the temp directory. There are previous reports of the same PowerShell script being used in attacks against banks in the UK. Following is the PowerShell script:
The second stage RAT is dropped as a “.js” file in a startup or as a “.tmp” file in the %temp% folder and is executed using wscript.exe. It also has a different C2 than the first stage sample. The size of these samples is around three MB and has additional plugins support. The inclusion of DotUtil functions enables it to download and execute .NET assemblies in memory. Following are some of the DotUtil functions:
Following are the additional plugins supported in the second stage:
In the second stage, RAT finally drops a C++-based Netwire RAT with again a different C2 address. Last year we published our research about Java-based Adwind RAT (https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-india/) in which jar file was the main component. It also targeted co-operative banks of India with Covid themed attachment names having a similar double-extension-like format. The various commands, configuration fields, and user-agent strings are identical in JSOutProx and Adwind RATs. We believe the same threat actor might be linked with JSOutProx RAT, where now they look to have changed their tactic to drop similar jar files as end payload, rather than as initial infection vector, to evade detections.
With multiple stages of payloads dropped by the threat actor, he can execute remote commands through any of the available stages, whichever can be seen as an attempt to evade antivirus detections.
We tracked the connections to the C2 domains to confirm if the exact fields are used in JSOutProx campaigns in other countries. But it turned out that only Indian IPs had connected to the C2 locations mentioned in the collected samples, confirming our assumption that it’s a targeted attack on Indian BFSI companies only.
Transaction report for_0127012021_docx.hta