This report covers a new, heavily obfuscated malware dubbed JsOutProx. JsOutProx consists of two files with multiple capabilities, extensive layers of encoding, and considerable algorithmic complexity. The malware targets specific software on infected machines and appears to operate only on hosts running Microsoft Windows. The threat actor behind it is unknown, but the sheer complexity indicates that a sizable amount of time was spent on development. It is also unknown how this malware gains initial access to the environment.
Tactics, Techniques, and Procedures
The JsOutProx malware is heavily obfuscated: Base64 encoding hides both readable data and data that remains unreadable after decoding, the latter likely protected by other built-in algorithms. Some Base64 data segments are split up with useless code in between, making it harder to put the functional script back together. Each data structure is split up, encrypted, and Base64-encoded, and the major variables follow a naming convention that starts with the letter ‘t’, followed by an underscore and what appears to be a randomized two-letter sequence.
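The following triage helper is an added example and is not code from the report or from the malware. It assumes the naming convention above can be expressed as the regular expression `t_` plus two letters, and it works on a constructed sample that mimics the described layout: one Base64 script split into fragments stored in separate `t_xx` variables with filler statements between them, a concatenation that reassembles them, and one blob that decodes to unreadable bytes (standing in for a further-encrypted layer). The helper finds the variables, reassembles the split segments, decodes each one, and reports which ones yield readable script and which stay opaque.

```python
"""Triage helper for JsOutProx-style obfuscation (added example, not the report's
code): locate 't_xx' Base64 variables, reassemble segments split by concatenation,
decode them, and classify the result."""
import base64
import binascii
import re

# Naming convention from the report expressed as a regex: 't', underscore, two letters (assumed).
LITERAL_RE = re.compile(r'var\s+(t_[A-Za-z]{2})\s*=\s*"([A-Za-z0-9+/=]*)"\s*;')
CONCAT_RE = re.compile(r'var\s+(t_[A-Za-z]{2})\s*=\s*((?:t_[A-Za-z]{2}\s*\+\s*)+t_[A-Za-z]{2})\s*;')
NAME_RE = re.compile(r't_[A-Za-z]{2}')


def build_sample() -> str:
    """Constructed sample (not real malware): one Base64-encoded script split into
    three fragments with filler code between them, plus one opaque blob."""
    script = b'var host = "c2.example.invalid:9989"; WScript.Echo(host);'
    encoded = base64.b64encode(script).decode()
    a, b, c = encoded[:7], encoded[7:19], encoded[19:]       # split at non-4-aligned offsets
    opaque = base64.b64encode(bytes(range(1, 17))).decode()  # stands in for an encrypted layer
    return "\n".join([
        f'var t_qa = "{a}";',
        'var pad1 = Math.floor(1 + 2);',     # useless filler between segments
        f'var t_zx = "{b}";',
        'function noop() { return 0; }',     # more filler
        f'var t_mn = "{c}";',
        'var t_pr = t_qa + t_zx + t_mn;',    # reassembly of the split payload
        f'var t_kd = "{opaque}";',
    ])


def extract(js: str):
    """Return (literals, concats): name -> Base64 string, and name -> operand names."""
    literals = dict(LITERAL_RE.findall(js))
    concats = {name: NAME_RE.findall(expr) for name, expr in CONCAT_RE.findall(js)}
    return literals, concats


def resolve(js: str) -> dict:
    """Reassemble concatenated variables into full Base64 strings; loops until
    nothing changes so chained concatenations resolve as well."""
    literals, concats = extract(js)
    resolved = dict(literals)
    changed = True
    while changed:
        changed = False
        for name, parts in concats.items():
            if name not in resolved and all(p in resolved for p in parts):
                resolved[name] = "".join(resolved[p] for p in parts)
                changed = True
    return resolved


def is_readable(data: bytes) -> bool:
    """True when the bytes are printable ASCII text (plus line breaks and tabs)."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return False
    return all(ch.isprintable() or ch in "\r\n\t" for ch in text)


def triage(js: str) -> dict:
    """Classify every 't_xx' variable as 'fragment' (only meaningful once concatenated),
    'script' (decodes to readable text), 'opaque' (valid Base64 but unreadable, i.e.
    probably another layer of protection) or 'invalid' (not decodable Base64)."""
    _, concats = extract(js)
    fragments = {p for parts in concats.values() for p in parts}
    report = {}
    for name, b64 in resolve(js).items():
        if name in fragments:
            report[name] = ("fragment", b"")
            continue
        try:
            data = base64.b64decode(b64, validate=True)
        except binascii.Error:
            report[name] = ("invalid", b"")
            continue
        report[name] = ("script" if is_readable(data) else "opaque", data)
    return report


if __name__ == "__main__":
    for name, (kind, data) in triage(build_sample()).items():
        print(f"{name}: {kind} {data[:40]!r}")
```

Fragments are labelled rather than decoded on their own because a Base64 string cut at an arbitrary offset either fails to decode or decodes to misaligned garbage, which would be mistaken for encrypted data; only the reassembled variable is classified. Anything that comes back as opaque is where the analyst should look for the additional decoding routine the report describes.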
*Note: this isn’t the entire plugin list; for more, see the Yoroi Blog post link below.
- Process Plugin: kills and creates processes, and can perform memory dumps of targeted processes.
- DNS Plugin: gathers the current DNS settings and changes those settings as needed.
- Token Plugin: engages in the theft of SymantecVIP one-time passwords.
- Outlook Plugin: pulls account data and the contact list from the Outlook mail client.
- Prompt Plugin: displays a customized message to the victim’s screen. This message is sent from the Command & Control server.
The two folders where it resides during initial installation are listed below:
The process-handling side of this malware uses two process-creation methods that are commonly used by other malicious artifacts in the wild: WSH (Windows Script Host) and WMI (Windows Management Instrumentation). The ability to dump the memory of specified running processes may give attackers a way to learn more about the environment and scrape valuable intelligence from the target. Processes are killed by process ID (PID).
The targeting of Symantec VIP and the Outlook email client indicates that the malware is after high-value corporate targets.
Infection may lead to the loss of sensitive information and unwanted remote access on the affected host. Successful compromise may result in the loss of consumer faith and the loss of trust by current and/or potential business partners. It could result in infrastructure-wide account compromises, since stolen one-time tokens allow the bad actor to attempt lateral movement through the installation of other malware and tools. There is also potential for commonly used business contacts to be phished as the user’s contact list is exfiltrated.
- Consider implementing proactive blocks on any perimeter security appliances using the AlienVault OTX link below.
- Monitor the processes running in your environment using tools like Windows Sysinternals, Nagios, or Zabbix if they’re available to you.
- If you have LogRhythm, you can use the rule: AIE: C2: Abnormal Process Activity (may require tuning to avoid broad log captures) to perform process monitoring.
- Utilize ProcDump from the Windows Sysinternals toolset to look for potential information that can be scraped, so you’re aware of what this bad actor could gather.
- Use the Silent Process Exit tab within the Global Flags to monitor for such process exits, which are a strong indication of a process dump (see the linked guide below).
- Monitor for external traffic flows using port 9989 and create actionable alerts.
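The detection logic below is an added example, not code from the report or from any of the tools it names. It covers two points at once: the WSH- and WMI-based process creation described in the process-handling section, and the process and port-9989 monitoring recommended in the list above. The log records are constructed, simplified dictionaries (field names such as `parent`, `image`, `dst_port` and `outbound` are assumptions, not any vendor's schema); the rules flag child processes of the script hosts or of the WMI provider host, flag outbound connections to TCP port 9989, and then correlate both per host so that a machine showing both behaviours is rated higher than one showing either alone.

```python
"""Detection and per-host correlation for the JsOutProx hunting guidance (added
example, not the report's code). Records are constructed; field names are assumed."""
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}   # Windows Script Host binaries
WMI_PROVIDER_HOST = "wmiprvse.exe"              # parent of WMI-created processes
C2_PORT = 9989                                  # port called out in the report

# Constructed process-creation records (parent -> child), not real telemetry.
PROCESS_EVENTS = [
    {"host": "WS01", "parent": "explorer.exe", "image": "outlook.exe"},
    {"host": "WS01", "parent": "wscript.exe", "image": "cmd.exe"},
    {"host": "WS02", "parent": "WmiPrvSE.exe", "image": "cmd.exe"},
    {"host": "WS03", "parent": "explorer.exe", "image": "chrome.exe"},
]

# Constructed flow records, not real telemetry (documentation IP ranges).
FLOW_EVENTS = [
    {"host": "WS01", "dst_ip": "203.0.113.7", "dst_port": 443, "outbound": True},
    {"host": "WS01", "dst_ip": "203.0.113.7", "dst_port": 9989, "outbound": True},
    {"host": "WS03", "dst_ip": "10.20.30.40", "dst_port": 9989, "outbound": False},
    {"host": "WS04", "dst_ip": "198.51.100.9", "dst_port": 9989, "outbound": True},
]


def detect_process(events):
    """Flag processes spawned by a script host (WSH) or by the WMI provider host."""
    alerts = []
    for e in events:
        parent = e["parent"].lower()
        detail = f'{e["parent"]} -> {e["image"]}'
        if parent in SCRIPT_HOSTS:
            alerts.append({"host": e["host"], "rule": "wsh_process_creation", "detail": detail})
        elif parent == WMI_PROVIDER_HOST:
            alerts.append({"host": e["host"], "rule": "wmi_process_creation", "detail": detail})
    return alerts


def detect_flows(flows):
    """Flag outbound connections to the port named in the report; internal flows are ignored."""
    return [
        {"host": f["host"], "rule": "outbound_port_9989", "detail": f'{f["dst_ip"]}:{f["dst_port"]}'}
        for f in flows
        if f["outbound"] and f["dst_port"] == C2_PORT
    ]


def correlate(alerts):
    """Group alerts per host: a host with both a process-creation alert and a
    port-9989 alert is rated 'high', a host with only one alert type 'medium'."""
    rules_by_host = defaultdict(set)
    for a in alerts:
        rules_by_host[a["host"]].add(a["rule"])
    verdicts = {}
    for host, rules in rules_by_host.items():
        process_hit = bool(rules & {"wsh_process_creation", "wmi_process_creation"})
        network_hit = "outbound_port_9989" in rules
        verdicts[host] = "high" if process_hit and network_hit else "medium"
    return verdicts


def run(process_events=PROCESS_EVENTS, flow_events=FLOW_EVENTS):
    """Run both detectors and return (alerts, per-host verdicts)."""
    alerts = detect_process(process_events) + detect_flows(flow_events)
    return alerts, correlate(alerts)


if __name__ == "__main__":
    alerts, verdicts = run()
    for a in alerts:
        print(f'{a["host"]}: {a["rule"]} ({a["detail"]})')
    print(verdicts)
```

Script hosts and WmiPrvSE.exe also spawn children during legitimate administration, so the process rules on their own need the same tuning the report mentions for the LogRhythm rule; the per-host correlation with the port-9989 flow is what turns two noisy signals into an actionable alert.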