Security researchers have uncovered a concerning development in the cyber threat landscape: a new version of JSOutProx is actively targeting financial institutions in the Asia-Pacific (APAC) and Middle East-North Africa (MENA) regions by exploiting GitLab. JSOutProx, a sophisticated attack framework combining JavaScript and .NET, utilizes .NET deserialization to interact with a JavaScript module on victims’ machines. This malware, initially attributed to SOLAR SPIDER’s phishing campaigns in 2019, has resurfaced with enhanced capabilities, posing a significant threat to banks.
The surge in JSOutProx activity was notable around February 8, 2024, with a major system integrator in Saudi Arabia reporting an incident targeting a prominent bank’s customers. Resecurity aided in incident response efforts, assisting victims in obtaining malicious code artifacts and recovering payloads. In a recent attack on April 2, 2024, multiple banking customers fell victim to an impersonation attack employing fake SWIFT payment and Moneygram notifications to execute malicious code.
The discovery of this new JSOutProx variant underscores the evolving sophistication of cyber threats, particularly in the financial sector. By exploiting platforms like GitLab and GitHub, threat actors demonstrate adaptability and persistence. The expanding geographic scope of attacks to the MENA region heightens the urgency for enhanced cybersecurity measures. Resecurity remains committed to tracking JSOutProx and defending financial institutions and their customers worldwide against such malicious activities
