JSOutProx RAT

[post-views]
September 01, 2020 · 2 min read
JSOutProx RAT

Last year, India was named the most cyber-attacked country. Critical infrastructures in oil and gas industries, and defence, banking, and manufacturing sectors are listed as the most common targets. 

In April 2020, the governmental establishments and a number of banks in India were targeted by email campaigns delivering a malicious JavaScript and Java-based backdoor which was further associated with JsOutProx RAT.

In their malicious emails, the attackers leveraged the topic that was relevant for any bank recipient which made the mail look even more legitimate. Based on the infrastructure analysis of malicious emails sent within different campaigns, the researchers attributed them to one threat actor. 

The JsOutProx analysis also showed that the script can be executed in different environments. Also, comparing the previous JsOutProx attack, in the latest attack the threat actor utilizes different deployment methods, including web servers environments. The script can execute a number of commands received from its C2 server to manipulate the victim system and, PowerShell plugin, and backdoor, including removing it from the victim machine. The recent stamp can also delay its execution, and after it is finally deployed, it runs the initialization routine to gather sensitive information and sends it to its command and control server in HTTP POST request. 

Ariel Millahuel created a community Sigma rule to detect the JSOutProx RAT activities (Sysmon detection): https://tdm.socprime.com/?dateFrom=0&dateTo=0&searchProject=content&searchType%5B%5D=name&searchSubType=&searchQueryFeatures=false&searchValue=jsoutprox+rat+(sysmon+detection)

 

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

 

MITRE ATT&CK: 

Tactics: Impact, Defense Evasion, Persistence

Techniques: Obfuscated Files or Information (T1027), Registry Run Keys / Startup Folder (T1060), System Shutdown/Reboot (T1529)


Ready to try out SOC Prime TDM? Sign up for free. Or join Threat Bounty Program to craft your own content and share it with the TDM community.

Was this article helpful?

Like and share it with your peers.
Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Related Posts

Execution Tactic | TA0002
Blog, Latest Threats — 6 min read
Execution Tactic | TA0002
Daryna Olyniychuk
PyVil RAT by Evilnum Group
Blog, Latest Threats — 2 min read
PyVil RAT by Evilnum Group
Eugene Tkachenko
Transparent Tribe APT
Blog, Latest Threats — 2 min read
Transparent Tribe APT
Eugene Tkachenko