This report is about a new, heavily obfuscated malware dubbed JsOutProx. JsOutProx is made up of two files with multiple capabilities, extreme amounts of encoding, and considerable algorithmic complexity. The malware targets specific software on infected machines and seems to operate only on hosts running Microsoft Windows. The threat actor behind this malware is unknown, but the sheer complexity indicates that a sizable amount of time was spent in development. It is unknown how this malware gains initial access to the environment.
The JsOutProx malware is heavily obfuscated with Base64 encoding hiding both readable and unreadable data likely being protected with other built-in algorithms. Some Base64 data segments are split up with useless code in between making it harder to put the functional scripting together again. Each data structure is split up, encrypted, and encoded with Base64 using a naming convention for the major variables starting with the letter ‘t' and what seems like randomized two-letter sequences after an underscore.
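The reassembly step an analyst faces here can be automated. The following is an added example, not code from the report or from the sample itself: it walks a constructed JScript snippet in source order, joins the string fragments assigned to variables matching the stated `t_xx` naming pattern (plain assignment, `+=`, and `x = x + "..."`), and then attempts a strict Base64 decode of each joined value, sorting the results into printable text, binary (a candidate for the further built-in protection the report mentions), and not-Base64. The variable names and string contents in `SAMPLE_JS` are constructed for the demo; only double-quoted literals are handled, which is an assumption about the obfuscator, not a fact from the report.

```python
"""Rebuild split Base64 constants in obfuscated JScript and attempt to decode them.

Added illustration (not the report's or the sample's code). The report states that
Base64 segments are split with junk code between the pieces and that the major
variables are named 't' + '_' + two letters; the snippet below is constructed to
match that description.
"""
import base64
import binascii
import re

# Constructed sample: three split or whole Base64 constants plus filler statements.
SAMPLE_JS = r'''
var t_qa = "V1NjcmlwdC5";
var filler = new Date().getFullYear() * 0;
t_qa += "TaGVsbA==";
function unused(a) { return a + filler; }
var t_zk = "d2lu";
var noise = "nothing here";
t_zk = t_zk + "bWdt";
t_zk += "dHM6";
var t_xm = "igH/EA==";
var t_bb = "bm90IGI2NA";
'''

# Matches:  var t_xx = "...";   t_xx += "...";   t_xx = t_xx + "...";
# Group 1: variable name, group 2: operator, group 3: optional self-reference,
# group 4: the double-quoted fragment (assumption: the obfuscator uses double quotes).
ASSIGN_RE = re.compile(
    r'(?:var\s+)?(t_[a-z]{2})\s*(\+?=)\s*(\1\s*\+\s*)?"([^"]*)"\s*;'
)


def collect_fragments(js_source):
    """Walk assignments in source order and rebuild each t_xx variable's final string."""
    values = {}
    for m in ASSIGN_RE.finditer(js_source):
        name, op, self_ref, frag = m.groups()
        if op == '=' and not self_ref:
            values[name] = frag                          # fresh assignment replaces prior value
        else:
            values[name] = values.get(name, '') + frag   # += or  x = x + "..."
    return values


def try_b64(text):
    """Strict decode; return bytes, or None when the text is not well-formed Base64."""
    try:
        return base64.b64decode(text, validate=True)
    except binascii.Error:
        return None


def decode_constants(js_source):
    """Return {name: (joined_base64, decoded_bytes_or_None, kind)} for every t_xx constant.

    kind is 'printable' (readable text), 'binary' (decodes, but not text: a candidate
    for a further layer of encryption or encoding), or 'not-base64'.
    """
    report = {}
    for name, joined in collect_fragments(js_source).items():
        raw = try_b64(joined)
        if raw is None:
            kind = 'not-base64'
        elif all(32 <= b < 127 for b in raw):
            kind = 'printable'
        else:
            kind = 'binary'
        report[name] = (joined, raw, kind)
    return report


if __name__ == '__main__':
    for name, (joined, raw, kind) in decode_constants(SAMPLE_JS).items():
        print(f'{name}: {kind:10s} {joined!r} -> {raw!r}')
```

The 'binary' bucket is where the report's "unreadable data likely being protected with other built-in algorithms" would land; those values are the ones to carry into the next deobfuscation pass rather than discard.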
*Note: this isn't the entire plugin list; for more, see the Yoroi blog post linked below.
The two folders where it resides during initial installation are listed below:
The process-handling side of this malware uses two methods for process creation that are commonly used by other malicious artifacts in the wild: WSH (Windows Script Host) and WMI (Windows Management Instrumentation). The ability to take memory dumps of specified running processes may give attackers the option to learn more about the environment and scrape valuable intelligence from the target. Processes are killed using the process ID (PID).
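Both creation paths the report names leave a distinctive parent/child relationship in process-creation telemetry, which is what a detection can key on. The following is an added example, not from the report or its authors: it runs a small rule set over constructed, Sysmon-style process-creation records and flags (a) any child of wscript.exe or cscript.exe, (b) an interpreter or shell whose direct parent is WmiPrvSE.exe, which is how a process created through WMI's Win32_Process appears (the script host is not the direct parent in that case), and (c) a script host launched with a .js or .jse file argument. The field names and sample rows are constructed for the demo, and the process lists are assumptions to tune per environment.

```python
"""Flag process-creation events consistent with script-host and WMI-driven spawning.

Added example (not the report's code). Records mimic Sysmon Event ID 1 fields, but
the field names and every sample row are constructed for this demo.
"""
import ntpath

# Assumed lists: adjust to the environment.
SCRIPT_HOSTS = {'wscript.exe', 'cscript.exe'}
WMI_HOST = 'wmiprvse.exe'            # WMI provider host; parent of Win32_Process.Create children
SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'}
SCRIPT_EXTS = ('.js', '.jse')        # JScript file types; the sample is JavaScript-based

# Constructed sample events.
SAMPLE_EVENTS = [
    {'RecordId': 1, 'ParentImage': r'C:\Windows\System32\wscript.exe',
     'Image': r'C:\Windows\System32\cmd.exe', 'CommandLine': 'cmd.exe /c whoami'},
    {'RecordId': 2, 'ParentImage': r'C:\Windows\System32\wbem\WmiPrvSE.exe',
     'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'CommandLine': 'powershell.exe -nop -w hidden'},
    {'RecordId': 3, 'ParentImage': r'C:\Windows\explorer.exe',
     'Image': r'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE',
     'CommandLine': 'OUTLOOK.EXE'},
    {'RecordId': 4, 'ParentImage': r'C:\Windows\System32\svchost.exe',
     'Image': r'C:\Windows\System32\wbem\WmiPrvSE.exe',
     'CommandLine': 'WmiPrvSE.exe -secured -Embedding'},
    {'RecordId': 5, 'ParentImage': r'C:\Windows\explorer.exe',
     'Image': r'C:\Windows\System32\wscript.exe',
     'CommandLine': r'wscript.exe "C:\Users\user\AppData\Roaming\update.js"'},
    {'RecordId': 6, 'ParentImage': r'C:\Windows\System32\wbem\WmiPrvSE.exe',
     'Image': r'C:\Windows\System32\msiexec.exe', 'CommandLine': 'msiexec.exe /i pkg.msi'},
]


def basename(path):
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a tag for a suspicious record, or None for one the rules do not match."""
    parent = basename(event['ParentImage'])
    child = basename(event['Image'])
    cmdline = event.get('CommandLine', '').lower()

    if parent in SCRIPT_HOSTS:
        # WSH (Shell.Run / Exec) makes the script host the direct parent.
        return 'wsh-spawned-child'
    if parent == WMI_HOST and (child in SHELLS or child in SCRIPT_HOSTS):
        # WMI Win32_Process.Create: the provider host, not the caller, is the parent.
        return 'wmi-spawned-interpreter'
    if child in SCRIPT_HOSTS and any(ext + '"' in cmdline or cmdline.endswith(ext)
                                     for ext in SCRIPT_EXTS):
        # A script host started on a JScript file; low severity on its own.
        return 'script-host-launch'
    return None


def run_rules(events):
    """Apply classify() to every record and return (RecordId, tag) for the matches."""
    hits = []
    for event in events:
        tag = classify(event)
        if tag:
            hits.append((event['RecordId'], tag))
    return hits


if __name__ == '__main__':
    for record_id, tag in run_rules(SAMPLE_EVENTS):
        print(f'record {record_id}: {tag}')
```

The WmiPrvSE.exe rule is deliberately narrow (interpreters and shells only) because the provider host legitimately spawns installers and management tooling, as record 4 and record 6 illustrate; a 'script-host-launch' hit alone is noisy in environments that run logon scripts and should be correlated with the other two tags rather than alerted on directly.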
The targeting of Symantec VIP and the Outlook email client indicates that the malware is after high-value corporate targets.
Infection may lead to the loss of sensitive information and unwanted remote access to the affected host. Successful compromise may result in the loss of consumer faith and of trust from current and/or potential business partners. It could result in infrastructure-wide account compromise as one-time tokens are stolen, allowing the bad actor to attempt lateral movement through the installation of other malware and tools. There is also potential for commonly used business contacts to be phished as the user's contact list is exfiltrated.