This report is about a new heavily obfuscated malware dubbed JsOutProx. JsOutProx is made up of two files with multiple capabilities and extreme amounts of encoding plus algorithmic complexity. The malware targets specified software on infected machines and seem to only operate on hosts running Microsoft Windows. The threat actor behind this malware is unknown, but the sheer complexity indicates that a sizable amount of time was spent in development. It’s unknown how this malware gets initial access to the environment.
The JsOutProx malware is heavily obfuscated with Base64 encoding hiding both readable and unreadable data likely being protected with other built-in algorithms. Some Base64 data segments are split up with useless code in between making it harder to put the functional scripting together again. Each data structure is split up, encrypted, and encoded with Base64 using a naming convention for the major variables starting with the letter ‘t' and what seems like randomized two-letter sequences after an underscore.
JSOutProx uses plugins that are named after the functions they perform using objects in JavaScript. The plugins perform a wide variety of tasks that range from stealing information to interfacing with other malicious artifacts. JsOutProx interacts seamlessly with the other notable component which is a .NET program packaged as a DLL file allowing for strong remote access capabilities.
The initialization phase of the JavaScript gathers important system information such as system names, IP address, free hard drive space, logged-on user, etc. After gathering pertinent information, the malware reaches out to the command & control server to assign the infected host a unique identifier. The malware also stores any gathered information during the “gathering” phase and places it in a preset variable. The unique identifier is a combination of the username, computer name, and OS version.
Plugins:
*Note: this isn’t the entire plugins list, for more see the Yoroi blog post link below.
The JavaScript is written to two folders where it remains after a reboot hiding in the registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
The two folders where it resides during initial installation are listed below:
The process handling side of this malware uses two methods to handle process creation which is commonly used by other malicious artifacts in the wild: WSH (Windows Script Host) and WMI (Windows Management Instrumentation). The ability to perform memory dumps of specified running processes may allow attackers the option to learn more about the environment and scrape valuable intelligence from the target. Processes are killed using the process ID (PID).
The targeting of Symantec VIP and the Outlook email client indicate that the malware is after high-value corporate targets.
All the plugins work in conjunction with the .NET DLL file which facilitates communication with the command & control infrastructure. It relays any commands from the server to the JavaScript file for execution. More plugins can be called on the fly from the .NET application with code hotfixes being pushed from the Command & Control server as needed. The malicious DLL file makes system calls to the core files: dns.dll and proxy.dll. These system calls allow for the DNS and Proxy plugins to work.
May lead to the loss of sensitive information and unwanted remote access on the affected host. Successful compromise may result in the loss of consumer faith and the loss of trust by current and/or potential business partners. Could result in infrastructure-wide account compromises as one-time tokens are stolen allowing the bad actor to attempt lateral movement through the installation of other malware and tools. Potential for commonly used business contacts to be phished as the user’s contact list gets exfiltrated.
Supporting Documentation: