
JsOutProx

Posted: December 27, 2019

JsOutProx is the name of a JavaScript implant that was recently used in phishing attacks against major businesses in different parts of the world. Implants of this kind are often disguised behind legitimate-looking, harmless file extensions, but the crooks behind JsOutProx have not bothered with that: their implant is spread as a plain '.JS' (JavaScript) file whose name often mimics that of a legitimate document. Reading the '.JS' file directly yields little, because its contents are heavily obfuscated: it contains over 10,000 lines of code, none of which make sense until they are decoded. Malware researchers were able to crack the obfuscation algorithm that JsOutProx uses to hide its contents, and this gave them a good idea of the scope of the threat's abilities.

For starters, the Command and Control (C2) server address is hardcoded, and the implant attempts to connect to a remote server whose IP address is located in Norway. In addition to its obfuscated content, the JsOutProx implant employs anti-debugging and anti-analysis techniques intended to make its behavior more difficult to analyze.

The JsOutProx Implant Gains Persistence via Windows Registry

When the JsOutProx implant is installed on a computer, it copies its files to the %TEMP% and %APPDATA% folders. Once this is done, the threat modifies the Windows Registry, creating an autorun Registry key whose purpose is to launch JsOutProx's files whenever Windows boots up. Some of the commands that JsOutProx supports allow it to:

  • Update its source code.
  • Restart the implant.
  • Self-delete.
  • Command the infected computer to either restart itself or power off.
  • Execute a Visual Basic code or JavaScript code provided by the attacker.
  • Enter sleep mode for a set amount of time.
  • Load a '.NET' DLL.
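The persistence mechanism described above (a JScript file dropped under %TEMP% or %APPDATA% and launched from an autorun Registry key) is something a defender can hunt for directly. The following is an added example, not code from the article or from any analysis of JsOutProx: it applies a detection heuristic to autorun entries that have already been collected (for instance exported from the Run keys with a registry tool), flagging any entry that launches a '.js'/'.jse' file through the Windows Script Host, or runs such a file directly via its file association, and additionally noting when that script sits in a user-writable staging folder. The `RunEntry` records and their command lines are constructed sample data, and the staging-folder patterns are assumptions based on the folders the article names.

```python
"""Heuristic review of Windows autorun (Run key) entries for JScript persistence.

Added example for illustration; the entries below are constructed, not real
telemetry. Feed real data by building RunEntry objects from an export of
HKCU/HKLM ...\\CurrentVersion\\Run.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Windows Script Host binaries that execute .js/.jse files.
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
SCRIPT_EXTS = (".js", ".jse")

# Folders the article says JsOutProx stages its files in, in both their
# unexpanded (%VAR%) and expanded forms. Assumed defaults; extend as needed.
STAGING_PATTERNS = [
    re.compile(r"%temp%", re.I),
    re.compile(r"%appdata%", re.I),
    re.compile(r"\\AppData\\Local\\Temp\\", re.I),
    re.compile(r"\\AppData\\Roaming\\", re.I),
]


@dataclass
class RunEntry:
    """One value from a Run key: where it lives, its value name, its command line."""
    key_path: str
    name: str
    command: str


def split_command(command: str) -> list[str]:
    """Split a Windows command line into tokens, keeping quoted paths intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command)]


def assess(entry: RunEntry) -> list[str]:
    """Return human-readable reasons this entry looks like script persistence.

    An empty list means the heuristic found nothing suspicious.
    """
    tokens = split_command(entry.command)
    reasons: list[str] = []
    if not tokens:
        return reasons

    # The executable is the first token; compare on its bare file name.
    host = tokens[0].rsplit("\\", 1)[-1].lower()
    script_args = [t for t in tokens[1:] if t.lower().endswith(SCRIPT_EXTS)]

    targets: list[str] = []
    if host in SCRIPT_HOSTS and script_args:
        reasons.append(f"script host {host} launching {script_args[0]}")
        targets = script_args
    elif host.endswith(SCRIPT_EXTS):
        # A bare .js path as the command runs via the .js file association.
        reasons.append(f"script file {tokens[0]} run directly via file association")
        targets = [tokens[0]]

    for target in targets:
        if any(p.search(target) for p in STAGING_PATTERNS):
            reasons.append(f"script lives in user-writable staging folder: {target}")
    return reasons


def scan(entries: list[RunEntry]) -> dict[str, list[str]]:
    """Map each flagged entry (by key path and value name) to its reasons."""
    findings = {}
    for entry in entries:
        reasons = assess(entry)
        if reasons:
            findings[f"{entry.key_path}\\{entry.name}"] = reasons
    return findings


# Constructed sample entries: one WSH launch from %APPDATA%, one benign
# vendor updater, one bare script path using %APPDATA%, one WSH launch of a
# script outside the staging folders.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_ENTRIES = [
    RunEntry(RUN_KEY, "Invoice",
             r'"C:\Windows\System32\wscript.exe" //B "C:\Users\alice\AppData\Roaming\Invoice_2019.js"'),
    RunEntry(RUN_KEY, "VendorUpdater",
             r'"C:\Program Files\Vendor\Updater.exe" /silent'),
    RunEntry(RUN_KEY, "Document",
             r"%APPDATA%\Document.pdf.js"),
    RunEntry(RUN_KEY, "Cleanup",
             r"wscript.exe C:\Tools\cleanup.js"),
]

if __name__ == "__main__":
    for location, reasons in scan(SAMPLE_ENTRIES).items():
        print(location)
        for reason in reasons:
            print("  -", reason)
```

Running the block against the sample data flags three of the four entries; the vendor updater is left alone. In practice the two-signal entries (script host plus staging folder) deserve the first look, while a script host pointing at an administrator-controlled path such as `C:\Tools` is a weaker signal that needs context.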

It appears that JsOutProx supports a wide range of plugins that can be reworked according to the operator's needs. Some of the primary plugins for JsOutProx allow the attacker to:

  • Control running processes on the compromised host.
  • Manage DNS configuration.
  • Collect the one-time password used by 'Symantec VIP' – a popular multifactor authentication system that businesses use.
  • Collect emails, contacts and account details from Microsoft Outlook.
  • Display a message prompt on the victim's screen.

JsOutProx is certainly an interesting project, and the extensive code obfuscation used to hide its contents is a sure sign that it is the product of a seasoned malware developer. Thankfully, anti-virus engines have no trouble identifying and eradicating this threat, so we advise its potential targets to make sure that their networks are protected by a trustworthy anti-virus product.
