📃Title: The New Version of JsOutProx is Attacking Financial Institutions in APAC and MENA via GitLab Abuse
📅Date: 2024-04-03
🔗References:
Description
Resecurity detected a new version of the JSOutProx malware targeting financial services and organizations in the Asia-Pacific and Middle East/North Africa regions. The malware uses both JavaScript and .NET, employing .NET deserialization to interact with a core JavaScript module running on the victim's machine, and can load additional plugins to carry out further malicious activity. It was initially attributed to the SOLAR SPIDER threat group and has been continuously improved since its identification in 2019. The recent campaigns abuse GitHub and GitLab to distribute malicious payloads, reflecting the actors' evolving tactics.
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- target: targeted
- MY-relevancy: relevant
🔖MISP Galaxies:
- target-information="British Indian Ocean Territory"
- target-information="India"
- target-information="Taiwan"
- target-information="Philippines"
- target-information="Singapore"
- target-information="Malaysia"
- target-information="Saudi Arabia"
- malpedia="JSOutProx"
- threat-actor="SOLAR-SPIDER"
- mitre-attack-pattern=['T1113', 'T1089', 'T1036', 'T1107', 'T1112', 'T1059', 'T1070', 'T1122', 'T1027', 'T1105', 'T1124', 'T1059.007']
MISP event uuid: ffde907b-641c-4794-857f-1b577471daaf
Indicators of Compromise (IoCs)
Full IoCs available in Rectifyq's MISP