Last year, India was named the most cyber-attacked country. Critical infrastructure in the oil and gas industry, along with the defence, banking, and manufacturing sectors, is listed among the most common targets.
In their malicious emails, the attackers leveraged a lure topic relevant to any bank recipient, which made the mail look even more legitimate. Based on an infrastructure analysis of the malicious emails sent in different campaigns, the researchers attributed them to a single threat actor.
The JsOutProx analysis also showed that the script can be executed in different environments. Compared with the previous JsOutProx attack, in the latest attack the threat actor uses different deployment methods, including web server environments. The script can execute a number of commands received from its C2 server to manipulate the victim system, its PowerShell plugin, and the backdoor itself, including removing it from the victim machine. The recent sample can also delay its execution; once it is finally deployed, it runs an initialization routine that gathers sensitive information and sends it to its command and control server in an HTTP POST request.
Ariel Millahuel created a community Sigma rule to detect JSOutProx RAT activity (Sysmon detection): https://tdm.socprime.com/?dateFrom=0&dateTo=0&searchProject=content&searchType%5B%5D=name&searchSubType=&searchQueryFeatures=false&searchValue=jsoutprox+rat+(sysmon+detection)
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint
Tactics: Impact, Defense Evasion, Persistence
Techniques: Obfuscated Files or Information (T1027), Registry Run Keys / Startup Folder (T1060), System Shutdown/Reboot (T1529)
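As an added illustration of how the three listed techniques surface in Sysmon telemetry (this is example code, not the Sigma rule linked above, whose logic is not reproduced here), the following Python maps constructed Sysmon-style process-creation (Event ID 1) and registry-set (Event ID 13) events to T1027, T1060 and T1529. Field names follow Sysmon's schema; the sample events and the thresholds are assumptions.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style events (not real JsOutProx telemetry) for illustration.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\Downloads\invoice.js"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "Details": r"wscript.exe //e:jscript C:\Users\u\AppData\Roaming\Update.js"},
    {"EventID": 1, "Image": r"C:\Windows\System32\shutdown.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": "shutdown.exe /r /t 0"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")  # Windows Script Host binaries

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # lower-cased file name of a Windows path

def classify(ev: Dict) -> List[str]:
    """Return the technique IDs a single Sysmon event matches (possibly none)."""
    hits: List[str] = []
    parent, image = _base(ev.get("ParentImage", "")), _base(ev.get("Image", ""))
    if ev.get("EventID") == 1:  # process creation
        # Script host launching PowerShell with an encoded command: T1027
        if parent in SCRIPT_HOSTS and image == "powershell.exe" \
                and re.search(r"\s-e(nc|ncodedcommand)?\s", ev.get("CommandLine", ""), re.I):
            hits.append("T1027")
        # Script host issuing a shutdown/reboot: T1529
        if parent in SCRIPT_HOSTS and image == "shutdown.exe":
            hits.append("T1529")
    elif ev.get("EventID") == 13:  # registry value set
        # Script host writing a Run key that re-launches a script: T1060
        if image in SCRIPT_HOSTS and re.search(r"\\CurrentVersion\\Run\\", ev.get("TargetObject", ""), re.I):
            hits.append("T1060")
    return hits

def detect(events: List[Dict]) -> Dict[str, int]:
    """Count technique matches over a batch of events."""
    counts: Dict[str, int] = {}
    for ev in events:
        for tech in classify(ev):
            counts[tech] = counts.get(tech, 0) + 1
    return counts
```

The benign notepad event and the initial wscript launch produce no hits, so only the three tagged behaviours are counted.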