For starters, the control server is hardcoded, and the implant attempts to connect to a remote Command and Control server whose IP is found in Norway. In addition to having obfuscated content, the JsOutProx implant also employs anti-debugging and anti-analysis techniques that aim to make it more difficult to analyze its behavior.
The JsOutProx Implant Gains Persistence via Windows Registry
When the JsOutProx implant is installed on a computer, it will copy its files to the %TEMP% and %APPDATA% system folders. Once this is done, the threat will modify the Windows Registry and create a Registry key whose purpose is to run JsOutProx's files whenever Windows boots up. Some of the commands that JsOutProx supports allow it to:
- Update its source code.
- Restart the implant.
- Command the infected computer to either restart itself or power off.
- Enter sleep mode for a set amount of time.
- Load a '.NET' DLL.
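The persistence described above (files dropped into %TEMP%/%APPDATA% and a Registry key that launches them at boot) leaves a pattern a defender can look for. The following added example, not code from the original article, parses a constructed `reg export` of the Run keys and flags any autorun entry whose command points into %TEMP% or %APPDATA%; the sample entries, the user name `alice` and the profile paths are assumptions made up for the demonstration.

```python
import re

# Constructed sample of a "reg export" of the HKCU Run key (not taken from the page).
# One benign entry, one script launched from %APPDATA%, one executable in %TEMP%,
# and an entry under an unrelated key that must be ignored.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="wscript.exe //B \"C:\\Users\\alice\\AppData\\Roaming\\svc\\update.js\""
"Notes"="%TEMP%\\notes.exe"

[HKEY_CURRENT_USER\Software\Example\NotAutorun]
"Cache"="%TEMP%\\cache.exe"
'''

# Autorun locations to inspect (compared case-insensitively); values under these
# keys are executed at every logon, which is how boot persistence is obtained.
AUTORUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

def _unescape(value):
    """Undo .reg string escaping: \\" becomes \" and \\\\ becomes \\."""
    return value.replace('\\"', '"').replace("\\\\", "\\")

def find_suspicious_autoruns(reg_text, temp_dir, appdata_dir):
    """Return (key, value_name, command) for Run entries whose command references
    %TEMP%, %APPDATA% or the expanded paths of those folders (assumed arguments)."""
    markers = [m.lower() for m in ("%temp%", "%appdata%", temp_dir, appdata_dir)]
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # new key section starts
            continue
        if current_key is None or current_key.lower() not in AUTORUN_KEYS:
            continue                          # only Run keys are of interest
        m = re.match(r'^"(.+?)"="(.*)"$', line)  # "Name"="REG_SZ value"
        if not m:
            continue
        name, command = m.group(1), _unescape(m.group(2))
        if any(marker in command.lower() for marker in markers):
            hits.append((current_key, name, command))
    return hits

if __name__ == "__main__":
    for key, name, command in find_suspicious_autoruns(
            SAMPLE_REG, r"C:\Users\alice\AppData\Local\Temp", r"C:\Users\alice\AppData\Roaming"):
        print(f"[suspicious autorun] {key} :: {name} -> {command}")
```

Any hit should be checked against the file it launches (its hash, signature and creation time) before being removed, since a few legitimate updaters also run from %APPDATA%.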
It appears that the JsOutProx module supports a wide range of plugins that can be reworked according to the operator's needs. Some of the primary plugins for JsOutProx allow the attacker to:
- Control running processes on the compromised host.
- Manage DNS configuration.
- Collect the one-time password used by 'Symantec VIP' – a popular multifactor authentication system that businesses use.
- Collect emails, contacts and account details from Microsoft Outlook.
- Display a message prompt on the victim's screen.
JsOutProx is certainly an interesting project, and the large number of code obfuscation techniques used to hide its contents is a sure sign that this is the product of a seasoned malware developer. Thankfully, anti-virus engines have no trouble identifying and eradicating this threat, so we advise its potential targets to make sure that their networks are protected by a trustworthy anti-virus product.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to JsOutProx may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.