JsOutProx Overview

This report covers a new, heavily obfuscated malware dubbed JsOutProx. JsOutProx is made up of two files with multiple capabilities, extreme amounts of encoding, and considerable algorithmic complexity. The malware targets specific software on infected machines and seems to operate only on hosts running Microsoft Windows. The threat actor behind this malware is unknown, but the sheer complexity indicates that a sizable amount of time was spent in development. It is also unknown how this malware gains initial access to the environment.

Tactics, Techniques, and Procedures

The JsOutProx malware is heavily obfuscated with Base64 encoding, which hides both readable and unreadable data; the unreadable data is likely protected with other built-in algorithms. Some Base64 data segments are split up with useless code in between, making it harder to reassemble the functional script. Each data structure is split up, encrypted, and Base64-encoded, and the major variables follow a naming convention: the letter 't', an underscore, and what appears to be a randomized two-letter sequence.

JsOutProx uses plugins that are named after the functions they perform and are implemented as JavaScript objects. The plugins perform a wide variety of tasks, ranging from stealing information to interfacing with other malicious artifacts. JsOutProx interacts seamlessly with the other notable component, a .NET program packaged as a DLL file, which provides strong remote access capabilities.

The initialization phase of the JavaScript gathers important system information such as the system name, IP address, free hard drive space, logged-on user, etc. After gathering this information, the malware reaches out to the command & control server, which assigns the infected host a unique identifier. The malware also stores everything collected during the "gathering" phase in a preset variable. The unique identifier is a combination of the username, computer name, and OS version.

Plugins:

*Note: this is not the entire plugin list; for more, see the Yoroi blog post linked below.

  • Process Plugin: kills and creates new processes, can perform memory dumps of targeted processes.
  • DNS Plugin: gathers the current DNS settings and changes those settings as needed.
  • Token Plugin: engages in the theft of SymantecVIP one-time passwords.
  • Outlook Plugin: pulls account data and the contact list from the Outlook mail client.
  • Prompt Plugin: displays a customized message to the victim’s screen. This message is sent from the Command & Control server.

The JavaScript is written to two folders and survives a reboot through an entry in the registry key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

The two folders where it resides during initial installation are listed below:

  • %appdata%
  • %temp%

The process-handling side of this malware uses two methods for process creation that are commonly used by other malicious artifacts in the wild: WSH (Windows Script Host) and WMI (Windows Management Instrumentation). The ability to perform memory dumps of specified running processes may allow attackers to learn more about the environment and scrape valuable intelligence from the target. Processes are killed by process ID (PID).

The targeting of Symantec VIP and the Outlook email client indicates that the malware is after high-value corporate targets.

All the plugins work in conjunction with the .NET DLL file, which facilitates communication with the command & control infrastructure and relays any commands from the server to the JavaScript file for execution. More plugins can be called on the fly from the .NET application, with code hotfixes pushed from the command & control server as needed. The malicious DLL file makes system calls to the core files dns.dll and proxy.dll; these calls allow the DNS and Proxy plugins to work.

Impact

Infection may lead to the loss of sensitive information and unwanted remote access on the affected host. Successful compromise may result in the loss of consumer faith and the loss of trust by current and/or potential business partners. Because one-time tokens are stolen, it could also result in infrastructure-wide account compromise, allowing the bad actor to attempt lateral movement through the installation of other malware and tools. Commonly used business contacts may be phished once the user's contact list is exfiltrated.

Recommendations

  • Consider implementing proactive blocks on any perimeter security appliances using the AlienVault OTX link below.
  • Monitor the processes running in your environment using tools like Windows Sysinternals, Nagios, or Zabbix if they're available to you.
  • If you have LogRhythm, you can use the rule AIE: C2: Abnormal Process Activity (may require tuning to avoid broad log captures) to perform process monitoring.
  • Use ProcDump from the Windows Sysinternals toolset to look for information that could be scraped, so you're aware of what this bad actor could gather.
  • Use the Silent Process Exit tab within Global Flags to monitor for such process exits, which are a strong indication of a process dump (see the linked guide below).
  • Monitor for external traffic flows using port 9989 and create actionable alerts.
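The last recommendation, alerting on external flows over port 9989, is simple to prototype against exported flow records before it becomes a production rule. The following is an added example, not code from the original report or from any product named in it. The record layout (timestamp, source IP, source port, destination IP, destination port, protocol, bytes) and the sample flows are constructed for the demonstration; map the fields to your own collector's export. "External" is defined here as any destination outside RFC 1918, loopback, and link-local space, which is the usual starting point before adding your own public ranges.

```python
"""Alert on flows from internal hosts to external destinations on port 9989.

Added example for this report (not the report's or any vendor's code). The
whitespace-separated record format and the flow lines are constructed; they are
not a real collector export or real traffic.
"""
import ipaddress
from collections import Counter

# Port named in the report's recommendations. Extend as intel warrants.
WATCHED_PORTS = {9989}

# Explicit internal ranges rather than ipaddress's is_private, which also
# treats the documentation ranges used in the sample (203.0.113.0/24) as
# non-global and would hide the hits below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample: two TCP and one UDP flow to the same external host on
# 9989, one internal-to-internal 9989 flow, one ordinary HTTPS flow, and one
# malformed line to show the parser skipping bad input.
SAMPLE_FLOWS = """\
2024-05-01T10:00:01Z 10.1.2.30 51022 203.0.113.77 9989 tcp 1480
2024-05-01T10:00:05Z 10.1.2.30 51023 203.0.113.77 9989 tcp 320
2024-05-01T10:01:00Z 10.1.2.31 49876 10.1.2.5 9989 tcp 200
2024-05-01T10:02:00Z 10.1.2.32 50001 198.51.100.9 443 tcp 5200
2024-05-01T10:03:00Z 10.1.2.30 51030 203.0.113.77 9989 udp 80
garbage line that does not parse
"""


def is_internal(ip: str) -> bool:
    """True if the address falls in one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line: str):
    """Parse one record into a dict, or return None if the line is malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, sport, dst, dport, proto, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {
            "ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport),
            "proto": proto.lower(), "bytes": int(nbytes),
        }
    except ValueError:
        return None


def detect(lines) -> list:
    """Return flows from an internal source to an external host on a watched port."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if (flow["dport"] in WATCHED_PORTS
                and is_internal(flow["src"])
                and not is_internal(flow["dst"])):
            alerts.append(flow)
    return alerts


def summarize(alerts) -> Counter:
    """Count alerts per (source, destination) pair so one host beaconing is one ticket."""
    return Counter((a["src"], a["dst"]) for a in alerts)


if __name__ == "__main__":
    hits = detect(SAMPLE_FLOWS.splitlines())
    for (src, dst), count in summarize(hits).items():
        print(f"[!] {src} -> {dst}:9989  ({count} flows)")
```

The port match is deliberately protocol-agnostic, since the report does not say whether the traffic is TCP or UDP; the summary step collapses repeated beacons from one host into a single actionable alert rather than one per flow.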

Sources

IBM X-Force Exchange:

Supporting Documentation:

AlienVault OTX IOCs

Yoroi Blog Post

About Port

Silent Process Exit Configuration
