Solar Spider Spins Up New Malware to Entrap Saudi Arabian Financial Firms

Published: 23/11/2024 | Category: security




An ongoing cyberattack campaign with apparent ties to China uses a new version of sophisticated JavaScript remote access Trojan JSOutProx and is now targeting banks in the Middle East.



The sophisticated threat group behind a complex JavaScript remote access Trojan (RAT) known as JSOutProx has released a new version of the malware to target organizations in the Middle East.
Cybersecurity services firm Resecurity analyzed the technical details of multiple incidents involving JSOutProx against financial customers. The lure is either a fake SWIFT payment notification when an enterprise is targeted, or a MoneyGram template when the target is a private citizen, the company wrote in a report published this week. The threat group has targeted government organizations in India and Taiwan, as well as financial organizations in the Philippines, Laos, Singapore, Malaysia, India, and now Saudi Arabia.
The newest version of JSOutProx is a very flexible and well-organized program from a development perspective, allowing the attackers to tailor its functionality to the victim's specific environment, says Gene Yoo, CEO of Resecurity.
"It's a malware implant with multiple stages, and it has multiple plug-ins," he says. "Depending on the victim's environment, it goes right in and then actually bleeds them or poisons the environment, depending on what plug-ins are enabled."
The attacks are the latest campaign by a cybercriminal group known as Solar Spider, which appears to be the only group using the JSOutProx malware. Based on the group's targets — typically organizations in India, but also in the Asia-Pacific, Africa, and Middle East regions — it's likely linked to China, Resecurity stated in its analysis.
"By profiling the targets, and some of the details that we obtained in the infrastructure, we suspect that it's related to China," Yoo says.
JSOutProx is well known in the financial industry. Visa, for example, documented campaigns using the attack tool in 2023, including one aimed at several banks in the Asia-Pacific region, the company stated in its Biannual Threats Report published in December.
"The remote access Trojan (RAT) is a highly obfuscated JavaScript backdoor, which has modular plugin capabilities, can run shell commands, download, upload, and execute files, manipulate the file system, establish persistence, take screenshots, and manipulate keyboard and mouse events," Visa stated in its report. "These unique features allow the malware to evade detection by security systems and obtain a variety of sensitive payment and financial information from targeted financial institutions."
JSOutProx typically arrives as what looks like a PDF of a financial document inside a zip archive. In reality the file is JavaScript, and it executes when the victim opens it. The first stage collects information about the system and communicates with command-and-control servers whose addresses are hidden behind dynamic DNS. The second stage downloads any of some 14 plug-ins to carry out further actions, including gaining access to Outlook and the user's contact list, and enabling or disabling proxies on the system.
The RAT retrieves its plug-ins from GitHub — or, more recently, GitLab — so that the downloads blend in with legitimate traffic to those services.
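The two preceding paragraphs describe the parts of the infection chain a defender can actually check for: a script posing as a PDF inside a zip, and a Windows script host calling out to dynamic-DNS names for C2 and to GitHub or GitLab for plug-ins. The script below is an added example written for this page, not tooling from Resecurity, Visa or the article; the file names, the proxy-log format and the dynamic-DNS provider list are assumptions chosen for illustration, and the sample archive and log lines are constructed so it runs offline.

```python
"""Two triage checks for the JSOutProx delivery chain described above.

Added example, not code from Resecurity, Visa or the article. Everything
below that is not in the article (the file names, the log format, the
dynamic-DNS provider list) is an assumption chosen for illustration.
"""
import io
import re
import zipfile

# Extensions Windows Script Host / mshta will execute on double-click.
SCRIPT_EXTS = (".js", ".jse", ".wsf", ".wsh", ".vbs", ".vbe", ".hta")
# Document extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")
# Assumption: a few widely used dynamic-DNS suffixes. The article does not
# name the providers JSOutProx used; feed this list from your own intel.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org", "dynu.com")
# Public code hosts the article says the RAT pulls plug-ins from.
CODE_HOSTS = ("raw.githubusercontent.com", "github.com", "gitlab.com")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def triage_archive(zip_bytes):
    """Flag archive members that are scripts posing as documents.

    Returns a list of (member_name, reason). A real PDF in a zip passes;
    a .pdf.js double extension or a .pdf without the %PDF- magic does not.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            lower = name.lower()
            if lower.endswith(SCRIPT_EXTS):
                stem = lower.rsplit(".", 1)[0]
                if stem.endswith(DECOY_EXTS):
                    findings.append((name, "script with decoy double extension"))
                else:
                    findings.append((name, "script in a document archive"))
            elif lower.endswith(".pdf"):
                with zf.open(info) as fh:
                    head = fh.read(5)
                if not head.startswith(b"%PDF-"):
                    findings.append((name, "named .pdf but lacks %PDF- magic"))
    return findings


# Assumed log shape (constructed): "<ts> host=<h> proc=<image> dst=<fqdn>:<port>"
_LOG_RE = re.compile(r"host=(?P<host>\S+)\s+proc=(?P<proc>\S+)\s+dst=(?P<dst>[^:\s]+)")


def _matches_suffix(fqdn, suffixes):
    return any(fqdn == s or fqdn.endswith("." + s) for s in suffixes)


def triage_proxy_log(lines):
    """Flag script hosts talking to dynamic-DNS names or code-hosting sites.

    A browser fetching from GitHub is normal; wscript.exe doing so matches the
    plug-in retrieval stage the article describes. Returns (host, proc, dst, reason).
    """
    findings = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        proc = m["proc"].lower()
        dst = m["dst"].lower()
        if proc not in SCRIPT_HOSTS:
            continue
        if _matches_suffix(dst, DYNDNS_SUFFIXES):
            findings.append((m["host"], proc, dst, "script host -> dynamic DNS (C2?)"))
        elif _matches_suffix(dst, CODE_HOSTS):
            findings.append((m["host"], proc, dst, "script host -> code host (plug-in fetch?)"))
    return findings


def build_sample_archive():
    """Constructed sample: one decoy double extension, one real PDF, one fake PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("SWIFT_Payment_Notice.pdf.js", "var s = 'placeholder'; // not real malware\n")
        zf.writestr("invoice.pdf", b"%PDF-1.4\n% minimal header only, for the magic check\n")
        zf.writestr("statement.pdf", "this is not a pdf at all\n")
    return buf.getvalue()


# Constructed sample proxy lines; hostnames and timestamps are invented.
SAMPLE_LOG = [
    "2024-11-20T10:01:02Z host=FIN-PC07 proc=wscript.exe dst=update-portal.duckdns.org:443",
    "2024-11-20T10:01:09Z host=FIN-PC07 proc=wscript.exe dst=raw.githubusercontent.com:443",
    "2024-11-20T10:02:30Z host=FIN-PC07 proc=chrome.exe dst=raw.githubusercontent.com:443",
    "2024-11-20T10:03:11Z host=FIN-PC07 proc=outlook.exe dst=mail.example.com:443",
]

if __name__ == "__main__":
    for f in triage_archive(build_sample_archive()):
        print("ARCHIVE", f)
    for f in triage_proxy_log(SAMPLE_LOG):
        print("NETWORK", f)
```

The archive check deliberately looks at the content magic as well as the name, because a double extension is only one way to dress a script up as a document; the network check keys on the process image rather than the destination alone, since blocking GitHub outright is rarely an option in a bank but a script host reaching it almost never is.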
"The discovery of the new version of JSOutProx, coupled with the exploitation of platforms like GitHub and GitLab, emphasizes these malicious actors' relentless efforts and sophisticated consistency," Resecurity said in its analysis.
Once Solar Spider compromises a user, the attackers collect information, such as primary account numbers and user credentials, and then conduct a variety of malicious actions against the victim, according to Visa's threat report.
"The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the AP region as those entities have been more frequently targeted with this malware," the Visa report stated.
Companies should educate employees about how to handle unsolicited, suspicious correspondence to mitigate the threat of the malware, Visa stated. In addition, any instance of the malware must be investigated and completely remediated to prevent reinfection.
Bigger companies and government agencies are more likely to be attacked by the group because Solar Spider has its sights on the most successful firms, Resecurity's Yoo says. For the most part, however, companies don't have to take threat-specific steps but should instead focus on defense-in-depth strategies, he says.
"The user should focus on not looking at the shiny object in the sky, like 'the Chinese are attacking,' but on what they need to do, which is to create a better foundation," Yoo says. "Having good patching, network segmentation, and vulnerability management. If you do that, then none of this would likely impact your users."
