Posted: December 27, 2019

JsOutProx Description

JsOutProx is the name of a JavaScript implant that was used in recent phishing attacks against large businesses in several parts of the world. Attackers often disguise such implants behind legitimate-looking, harmless file extensions, but the crooks behind JsOutProx have not bothered: the implant is delivered as a plain '.JS' (JavaScript) file whose name is chosen to resemble that of a legitimate document. Reading the file directly is of little use because its contents are heavily obfuscated; it runs to more than 10,000 lines of code, none of which make sense until the obfuscation is undone. Malware researchers were able to reverse the obfuscation scheme JsOutProx uses to hide its contents, which gave them a good picture of the scope of the threat's capabilities.

For starters, the address of the control server is hardcoded, and the implant connects to a Command and Control server whose IP address geolocates to Norway. Besides obfuscating its content, the JsOutProx implant employs anti-debugging and anti-analysis techniques that are meant to make its behavior harder to study.

The JsOutProx Implant Gains Persistence via Windows Registry

When the JsOutProx implant runs on a computer, it copies itself into the %TEMP% and %APPDATA% folders. It then modifies the Windows Registry, adding a Run entry that launches the JsOutProx files every time Windows starts. Among the commands that JsOutProx supports are ones that let it:

  • Update its source code.
  • Restart the implant.
  • Self-delete.
  • Command the infected computer to either restart itself or power off.
  • Execute Visual Basic or JavaScript code supplied by the attacker.
  • Enter sleep mode for a set amount of time.
  • Load a '.NET' DLL.
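
As an added illustration (not code from the original post or from the JsOutProx authors), the following Python script turns the indicators described so far into a triage check: a '.JS' file carrying a document-like double extension, a script stored under %TEMP% or %APPDATA%, and a Registry Run entry that launches such a script through a Windows Script Host binary. It runs over a constructed set of Run-key values of the kind a registry export would yield; the value names, user name and paths are invented for the example.

```python
import re

# Constructed sample of Run-key values (value name -> command line), in the
# shape 'reg query HKCU\...\CurrentVersion\Run' or a .reg export would give.
# These entries are invented for this example.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\Invoice_2019.pdf.js"',
    "SysSvc": r'C:\Users\alice\AppData\Local\Temp\Document.js',
    "SecurityHealth": r'%windir%\system32\SecurityHealthSystray.exe',
}

# Windows Script Host binaries that execute .js files.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
# Folder-name fragments for the user-writable locations the post names.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\")
# Extensions a lure name might borrow to look like a document.
DOCUMENT_EXTENSIONS = ("pdf", "doc", "docx", "xls", "xlsx", "rtf", "txt")
# A quoted or bare Windows path ending in .js or .jse (the command line is lowercased first).
SCRIPT_PATH = re.compile(r'"?([a-z]:\\[^"]*?\.jse?)"?(?=\s|$)')


def assess_entry(command):
    """Return the reasons a Run-key command line looks like JavaScript persistence.

    An empty list means the entry does not reference a JavaScript file at all.
    """
    cmd = command.lower()
    match = SCRIPT_PATH.search(cmd)
    if match is None:
        return []
    path = match.group(1)
    reasons = ["Run entry executes a JavaScript file: " + path]
    if any(host in cmd for host in SCRIPT_HOSTS):
        reasons.append("launched explicitly through a Windows Script Host binary")
    if any(folder in path for folder in USER_WRITABLE_DIRS):
        reasons.append("script is stored under %TEMP% or %APPDATA%")
    filename = path.rsplit("\\", 1)[-1]
    stem = filename.rsplit(".", 1)[0]  # strip the real .js/.jse extension
    if "." in stem and stem.rsplit(".", 1)[-1] in DOCUMENT_EXTENSIONS:
        reasons.append("double extension mimics a document: " + filename)
    return reasons


def scan_run_entries(entries):
    """Map each suspicious value name to its reasons; clean entries are dropped."""
    findings = {}
    for name, command in entries.items():
        reasons = assess_entry(command)
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("  - " + reason)
```

On the sample data the two invented entries pointing at '.JS' files are flagged, the one with the document-like name collecting every reason, while the legitimate OneDrive and SecurityHealth entries pass. The check is deliberately keyed on the file type and location rather than on any string from the obfuscated script, so it still applies after the implant updates its own source code.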

JsOutProx appears to be modular and supports a range of plugins that can be adapted to the operator's needs. Some of the primary plugins allow the attacker to:

  • Control running processes on the compromised host.
  • Manage DNS configuration.
  • Capture the one-time password generated by 'Symantec VIP', a multi-factor authentication product widely used by businesses.
  • Collect emails, contacts and account details from Microsoft Outlook.
  • Display a message prompt on the victim's screen.

JsOutProx is certainly an interesting project, and the extensive code obfuscation used to hide its contents suggests that it is the work of a seasoned malware developer. Anti-virus engines currently identify and remove this threat without difficulty, so its potential targets should make sure their networks are protected by a trustworthy anti-virus product. Because the implant can update its own source code and arrives in a heavily obfuscated form, signatures alone are a thin defense: defenders should also watch for '.JS' attachments that carry document-like names, for wscript.exe or cscript.exe running scripts out of %TEMP% or %APPDATA%, and for new Run entries in the Registry that point at such scripts.
