JSOutProx RAT

Last year, India was named the most cyber-attacked country. Critical infrastructure in the oil and gas industry and the defence, banking, and manufacturing sectors are listed as the most common targets.

In April 2020, governmental establishments and a number of banks in India were targeted by email campaigns delivering a malicious JavaScript and Java-based backdoor, which was subsequently associated with the JsOutProx RAT.

In their malicious emails, the attackers used a topic relevant to any bank recipient, which made the mail look even more legitimate. Based on infrastructure analysis of the malicious emails sent in different campaigns, the researchers attributed them to one threat actor.

The JsOutProx analysis also showed that the script can be executed in different environments. Compared with the previous JsOutProx attack, in the latest attack the threat actor uses different deployment methods, including web server environments. The script can execute a number of commands received from its C2 server to manipulate the victim system, the PowerShell plugin, and the backdoor itself, including removing it from the victim machine. The recent sample can also delay its execution, and once it is finally deployed, it runs an initialization routine to gather sensitive information and sends it to its command-and-control server in an HTTP POST request.

Ariel Millahuel created a community Sigma rule to detect the JSOutProx RAT activities (Sysmon detection): https://tdm.socprime.com/?dateFrom=0&dateTo=0&searchProject=content&searchType%5B%5D=name&searchSubType=&searchQueryFeatures=false&searchValue=jsoutprox+rat+(sysmon+detection)

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK: 

Tactics: Impact, Defense Evasion, Persistence

Techniques: Obfuscated Files or Information (T1027), Registry Run Keys / Startup Folder (T1060), System Shutdown/Reboot (T1529)

