JSOutProx RAT_whitePaper w w w . s e q r i t e . c o m W H I T E PAPER Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies Author Chaitanya Haritash Tejaswini Sandapolla www.seqrite.com Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 01 Since early 2021, Quick Heal Security Labs has been monitoring various attack campaigns using JSOutProx malware, which is a highly obfuscated & complex JavaScript JavaScript-based RAT. Most of these attacks are targeted against different small and medium businesses in the Banking and Financial sectors. Similar campaigns related to this malware have also been previously reported from other countries. But, these attacks which are targeting Indian companies are being operated from separate C2 servers. We have previously published a blog in October 2021 that emphasized malware and its different stages. In this paper, we will go a little deeper into the different versions of the malware and how it targets Indian companies. Executive Summary JSOutProx RAT JavaScript https://www.seqrite.com/blog/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/ Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 02 Initial Access: JavaScript (Fig.1 - Phishing Email) (Fig 2. ZoomEye record about IMAP Server) The Initial Infection starts with an email which brings in a malicious compressed archive containing a JavaScript file. This file is the actual JsOutProx payload. We have analyzed multiple .eml files from this campaign. Most of them had either: • Header with a spoofed email of the sender or • Were compromised to make it look more legitimate and convincing to the victim. This is a general tactic used by attackers in spam campaigns. Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 03 JavaScript In 2020, an Attacker used IMAP belonging to “192.188.88.116” to send bulk spam emails to its targets. JSOutProx is a highly obfuscated, complex JavaScript based RAT. We have been monitoring this attack campaign since December 2019 and finding its activity even today. • This JavaScript code is approximately 1 MB in size. • Looking into the code, there is a variable with a long array of around 28k values in it. • This occupies almost a quarter of the file size. • This array consists of base64 kind of data, but on decryption, we get junk. The data is de-obfuscated by passing in the form of function (z, w) [e.g.: HJ('0x61fe', Z8L5') ] where z refers to the index of the value in “H array” and w refers to RC4 decryption key. The actual decoding function is hidden in variable r. The data is base64 decoded and RC4 decrypted at the time of execution. (Fig 4.) (Fig 3.) The Initial Infection starts with an email which brings in a malicious compressed archive containing a JavaScript file. This file is the actual JsOutProx payload. We have analyzed multiple .eml files from this campaign. Most of them had either: • Header with a spoofed email of the sender or • Were compromised to make it look more legitimate and convincing to the victim. This is a general tactic used by attackers in spam campaigns. Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 04 JavaScript This RAT can be run as a JavaScript file on the command line, or as a .HTA file inside a window (mshta.exe). If it is running from inside a window, the RAT hides the window by resizing it to 0*0 pixels (height*width). Apart from that, it also moves it away from the viewable part of the screen. Moving forward, there is a HT object being initialized Setting the breakpoint and adding a watch to HT we can clearly see how it got de-obfuscated. (Fig 5.) (Fig 6.) (Fig 7.) Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 05 JavaScript (Fig 8.) (Fig 9.) (Fig 10.) Methods (Offensive capabilities) can also be seen: Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 06 JavaScript (Fig 11.) Let’s now focus on what is all this. Ht object basically has a configuration for the malware. A few interesting fields in the configuration include (fig below): The "BaseUrl" field points to the C2 domain and port number via the HTTP protocol. “Hxxp[:]//gensamogh.myq-see.com:9059/” (source) While downloading plugins and assemblies from C2, the "Password" field is used. “"vruxcvdfmopd123"” ”Tag” field contains a campaign ID. "macxr". Initially, it was JSOutprox. “Startdate” is about the starting date of infection. “Mon Dec 13 16:22:14 UTC+0530 2021” Delimiter is used as a separator by the malware while exfiltrating data. "_|_" “ViewOnly” allows the attacker to monitor the victim to gather victim info and not write or execute anything on the machine. Fs: Uses Scripting File system Object to gain read/write privileges Wsh: Uses Wscript. Shell Object to execute Wscript files Sh: It uses Shell.Application object to execute command line applications InstallDir : Contains the location for installation of malware Sleeptime: Delaying the execution of malware IDPrefix: This is used as a prefix when data is sent over C2 ProxyActions: Indicates if malware is a proxy for any other process • • • • • • • • • • • • Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 07 JavaScript (Fig 12.) The configuration is almost the same in all versions, with few changes. How is the configuration varying in different versions? • marcelbosgath.zapto.org:9790 • ruppamoda.zapto.org:9099 • apatee40rm.gotdns.ch:9897 • mathepqo.serveftp.com:9059 • protogoo.ddnsking.com:9081 • riyaipopa.ddns.net:9098 • dirrcharlirastrup.gotdns.ch:8037 • uloibdrupain.hopto.org:8909 • gensamogh.myq-see.com:9059 • cccicpatooluma.hopto.org:5090 • feednet.myftp.biz:6093 • IsDonetInstalled • IsAMSI • Net • IsEncrypted 1. Base URL changes in different versions. Given below are the C2 found among all the versions. 2. Tag which denotes the Campaign ID also changes. Few common ones found were: pod, kmewsx, macxr etc 3. IDPrefix also varies. Few of them are: okdh=, ivcbshs=, _ybj= etc 4. In the latest versions, the following fields have been observed: Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 08 This malware has various plugins to perform various operations such as exfiltration of data, performing file system operations etc. Apart from that, it also has various methods with offensive capabilities that perform various operations. A few interesting methods (can be seen in Fig 10 and Fig 11) are: Plugins: Methods: 1. Base URL changes in different versions. Given below are the C2 found among all the versions. 2. Tag which denotes the Campaign ID also changes. Few common ones found were: pod, kmewsx, macxr etc 3. IDPrefix also varies. Few of them are: okdh=, ivcbshs=, _ybj= etc 4. In the latest versions, the following fields have been observed: 1. getUuid : Gets the UUID of the machine remove Startup: Remove startup entries(persistence mechanism) if any 2. userName :Get the username of the victim's machines Process(list): To list down all the processes which are running 3. receive: interpret commands received from C2. These commands are written in the form of a switch case. Given below are a few commands: Plugins • fnm: Sends the scriptfullname to C2. • dvo: set to View only • pat: Update the implant • uss.s: Set proxy actions and update sleep time • upd: Update and restart the implant • rst: Restart • rmz: Set the zoneidentifier • l32: open launch ScriptFullName • l64: open launch scriptFullName • dcn: exit • rbt: reboot the victim’s machine • shd: shutdown the victim's machine • lgf: disconnect • ejs: evaluate a javascript code • evb: evaluate a VBscript code • uis: unInstall • ins: install • rins: reset the persistence mechanism • ruis: remove the persistence • sins: open addStartup • suis: open removeStartup • int.g: send C2 sleepTime • int.s: set sleepTime , • sdn: Load a .NET dll(in new versions) Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 09 Then there is an if-else loop related to plugins. These plugins are used to maintain the implant easily: (Fig 13.) (Fig 14.) • sh: ShortcutPlugin • as: AssociationPlugin • jv: JavaInstallPlugin • pr: ProcessPlugin. • fi: FilePlugin • do: DownloadPlugin • sp: ScreenPShellPlugin • cn: ShellPlugin • in: InvokePlugin Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 10 How does this implant work? Let’s now look at plugins of older versions: After creating RAT configuration, the first function run by the implant is “init”. This will create an identification string for the victim machine where it gathers system information and stores them into the HT[‘ID’] variable. This ID is filled up with: And it is separated by Delimiter. This implant then moves in an endless loop in which it calls the above “receive” function every 5 seconds. This function basically allows the attacker to communicate and coordinate with the malware. The malware connects to the C2 and fetches a string indicating the command to be executed into the “l[0x0]” variable. This l[0x0] variable can contain either commands or plugins, which are discussed above. (Fig 15.) (Fig 16.) • OSVersion • OSCaption • tag • ScriptName • VolumeSerial • UUID • Computername • Username 1. InfoPlugin: Infoplugin is used along with a function receiver that is used to interpret commands from C2. Basically this plugin is used to collect and send victim machine info to C2. Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 11 (Fig 17.) (Fig 18.) (Fig 19.) • fi.nd: Open File createFolderEx • fi.ren: Open File rename • fi.e: Execute a file through Wsh etc.. • fi.del: Open File removeEx • fi.cp: Open File copyEx • fi.mv: Open File moveEx 2. File plugin: Perform all file system operations. 3. ProcessPlugin: This plugin collects processing information. It also creates or terminates a process by calling the process-related functions. 4. ScreenPShellPlugin: Perform mouse and keyboard operations using PowerShell scripts. 1. InfoPlugin: Infoplugin is used along with a function receiver that is used to interpret commands from C2. Basically this plugin is used to collect and send victim machine info to C2. Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 12 With additional functionality, these files are around three MB in size. There is an inclusion of DotUtil functions that enables it to download and execute .NET assemblies in memory. The method “hasDotnet” discussed earlier also hints about .NET relation with JS. (Fig 20.) (Fig 21.) Plugins in new versions: 5. ShellPlugin: The “ShellExecute” option uses the ShellExecute method present in the object of Shell Application. ShellExecute should be called if the user has admin privileges. When the command fails, it attempts to disable AntiSPYware of Windows Defender from the Registry. If the user is not an Admin, ShellExecute is attempted with elevated permissions using the 'runas' flag (source). The “get output” option uses the Run method present in the object of WScript.Shell. The output is stored in a local file. Furthermore, it collects the user's keyboard language/code page in order to format the output properly. Upon execution, the malware communicates with C2, which responds with a PowerShell script that captures the screenshot and saves it to a temp directory. There have been previous reports of the same PowerShell script being used in attacks against banks in the UK. Here is the PowerShell script: https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/ libDotJs.dll is downloaded, which has the actual code related to the DotUtil Functions. We have fetched the libDotJS.dll module by intercepting the memory of wscript.exe using x64.dbg. Looking into CFF Explorer Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 13 Given below are DotUtil functions. In the above DotUtil functions, given below is the most important one (Create Instance): (Fig 22.) (Fig 23.) 5. ShellPlugin: The “ShellExecute” option uses the ShellExecute method present in the object of Shell Application. ShellExecute should be called if the user has admin privileges. When the command fails, it attempts to disable AntiSPYware of Windows Defender from the Registry. If the user is not an Admin, ShellExecute is attempted with elevated permissions using the 'runas' flag (source). The “get output” option uses the Run method present in the object of WScript.Shell. The output is stored in a local file. Furthermore, it collects the user's keyboard language/code page in order to format the output properly. Upon execution, the malware communicates with C2, which responds with a PowerShell script that captures the screenshot and saves it to a temp directory. There have been previous reports of the same PowerShell script being used in attacks against banks in the UK. Here is the PowerShell script: Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 14 All the functions can be seen in its strings. (Fig 24.) (Fig 25.) Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 15 Using dnspy for a clear picture, we can clearly see that there is a complete mapping of Dotnet modules of the below dll and the ones declared in DotUtil component of the malicious JavaScript (Fig 26.) (Fig 27.) Let’s now look into Plugins: 1. Activity Plugin: This plugin enables the RAT to be in Online or Offline state. An adodb.stream object is created when the state is online to save the download ed/collected data. This plugin (infact all the plugins) is used along with function receive that is used to interpret commands from C2. Based on the commands the states are changed by calling corresponding “Activity” Functions through a switch-case. Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 16 (Fig 28.) (Fig 29.) (Fig 30.) (Fig 31.) 1. Activity Plugin: This plugin enables the RAT to be in Online or Offline state. An adodb.stream object is created when the state is online to save the download ed/collected data. This plugin (infact all the plugins) is used along with function receive that is used to interpret commands from C2. Based on the commands the states are changed by calling corresponding “Activity” Functions through a switch-case. 2. CensorMiniPlugin: Enables/disables proxy settings on user machine by modifying registry key “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable” switch-case. 3. AdminConsolePlugin: This plugin changes the authentication level using “winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2”. It uses command “select * from win32_logicaldisk” and queries drive size,freespace etc. 4. ClipboardPlugin: : It is used to copy the clipboard data and send it over C2. It can also modify clipboard data. 5. DnsPlugin: I: It is used to send current DNS info to c2 . It can also be used to set a DNS path. Add or modify new path in C:\Windows\System32\drivers\etc\hosts (source) https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/ 6. Multiviewplugin: Has Quality and scaling info. Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 17 (Fig 32.) (Fig 33.) 2. CensorMiniPlugin: Enables/disables proxy settings on user machine by modifying registry key “Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable” switch-case. 3. AdminConsolePlugin: This plugin changes the authentication level using “winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2”. It uses command “select * from win32_logicaldisk” and queries drive size,freespace etc. 4. ClipboardPlugin: : It is used to copy the clipboard data and send it over C2. It can also modify clipboard data. 5. DnsPlugin: I: It is used to send current DNS info to c2 . It can also be used to set a DNS path. Add or modify new path in C:\Windows\System32\drivers\etc\hosts (source) (Fig 34.) 7. LibraryPlugin: Sends a list of the Dotnet versions installed on the system to C2. 8. OutlookPlugin: It accesses the Outlook account details, and contacts list and sends it over C2 9. PriviledgePlugin: In this, the option “UAC” allows to write in registry location “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\” (source) by setting value 0 for keys EnableLUA and ConsentPromptBehaviorAdmin. The option “elevateScript” executes the script using wscript.exe with the batch mode option. The option “elevateCommand” executes commands using Wsh with the ‘runas’ flag. It also has options for using UAC bypass techniques like fodhelper.exe, Slui File Handler Hijacking, CompMgmtLauncher, EventViewer.exe etc. https://www.seqrite.com/blog/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/ 13. RecoveryPlugin: Used for the recovery of user password configurations 14. TokensPlugin: Steal OTP received from SymantecVIP application. Apart these there are few interesting methods also: P object: Used to fetch information related to volume serial, resolution,physical memory info etc Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 18 (Fig 35.) (Fig 36.) (Fig 37.) 7. LibraryPlugin: Sends a list of the Dotnet versions installed on the system to C2. 8. OutlookPlugin: It accesses the Outlook account details, and contacts list and sends it over C2 9. PriviledgePlugin: In this, the option “UAC” allows to write in registry location “SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\” (source) by setting value 0 for keys EnableLUA and ConsentPromptBehaviorAdmin. The option “elevateScript” executes the script using wscript.exe with the batch mode option. The option “elevateCommand” executes commands using Wsh with the ‘runas’ flag. It also has options for using UAC bypass techniques like fodhelper.exe, Slui File Handler Hijacking, CompMgmtLauncher, EventViewer.exe etc. 10. PromptPlugin: This plugin allows the attacker to show his victim a custom message prompt sent by C2. 11. ProxyPlugin: Sets DNS path. Add or modify a new path in C:\Windows\System32\drivers\etc\hosts. (source) 12. ShortcutPlugin: Generate shortcut files for given executables. Run the shortcut file. You can either get the target of a shortcut file or dump its content. https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/ 15. Network drives: Dumps info related to network drives. 16. Message bag: Used to give flash messages to the victim After dropping old versions, a new version is dropped (updated) in a few cases, which leads to Netwire RAT. Last year we published our research about Java-based Adwind RAT (https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-i ndia/) in which a jar file was the main component Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies White Paper 19 (Fig 38.) (Fig 39.) (Fig 40.) (Fig 41.) 10. PromptPlugin: This plugin allows the attacker to show his victim a custom message prompt sent by C2. 11. ProxyPlugin: Sets DNS path. Add or modify a new path in C:\Windows\System32\drivers\etc\hosts. (source) 12. ShortcutPlugin: Generate shortcut files for given executables. Run the shortcut file. You can either get the target of a shortcut file or dump its content. Environment and HTTP objects: Furthermore, it targeted co-operative banks in India using Covid-themed attachment names of a similar double-extension format. JSOutProx and Adwind RATs have identical commands, configuration fields, and user-agent strings. It is likely that the JSOutProx RAT is linked to the same threat actor since they appear to use similar jar files as end payloads instead of initial infection vectors to evade detection We captured some attacker engagement with victims. The command “MTBffF8tMV98XzUwMA==” decodes to “ 10_|_-1_|_500 “ which was issued to capture screenshots and send them back to C2. Notice that crafted HTTP header in the request, which helps payload blend into packets as Content-Type of images. However, this was an old variant of JsOutProx. White Paper 20 Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies (Fig 42.) Network: Apparently, this attack was carried out by a Threat Actor with a financial motive. White Paper 21 They are attacking small banks, where security practices are less well-defined than those of larger institutions, thereby increasing the chance of a successful infection and a payout. While the majority of the analyzed attacks have targeted Indian banks, we have found signs of this attack in other geographies as well. As we have only limited data, it is difficult to determine if the attackers are targeting any particular country. Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies Conclusion Our clients are advised to apply updates regularly and ensure that their employees are aware of such types of attacks. White Paper 22 Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies Based on our Threat Intelligence: MITRE ATT&CK: The attackers are linked to other organizations. Hackers launder money outside India. mplant JsOutProx have capabilities similar to FIN-7 APT's Carbanak. Carbanak shared the same goals and was designed to perform similar tasks. Obfuscation System Information Discovery Exfiltration Over C2 Channel Persistence: Startup/Registry Keys Command And Control (C2) MSHTA Execution WSCRIPT Execution Phishing: Spear Phishing Attachment T1313 T1082 T1041 T1060 TA0011 , T1001, T1132.001 T1218.005 T1059.007 T1566.001 06396c2f1ac27f7a453d9461ad1af8a6 : New version 3C9F664193958E16C9C89423AEFCB6C8: Old Version 9AED11D78DD7ECF5331360011B0EA9A8: DotUtil.Library.Cs.dll c4aa2b901d6bb29dff4e227362a032c6 b308874f65c78ddecd335ce5d83246d3 71bb3e4d16b4310e9d9d23057d49987a 1d9056f9ebde111dc7f6af12727985e8 0c7e3f6d22e5de96f4bf4d604a663968 57b0fb87a0e95cefd7582e3345ca4d20 7aaa51d0d6566cb7829d6d58361ee30f 1ed75d4c96c4c7bfc1c9140ac1f18567 04b2d333339b3b52e248ccb9ea761118 5e20c14bf6d5b4d1977a4c03f5a3ec0f 00c03e7a44b93910a9e30a4080dd6b29 025da995f8f6920eb077e44f3469742d 06117083f64d96135287c10b7a773f13 06186d4b79c1d9e025621c94318c3729 18746a6df8bca70d22d864f217df9112 295d8fb6c515551f7d632add21b450e1 32025fad1e9bf48297266a2bad41dd25 48adcbbc3ec003101b4a2bb0aa5a7e01 4ff53e2087cd0d288506389d67d1c046 5111740d2eb8a8201231cb0e312db88a 5b2b4f989f684e265b03f8334576a20c 5d16911fe4bcc7d6a82c79b88e049af2 61624005ee9539f39fe61e4453393db5 64b8a83f291e90b551c43539c1cf2ae0 6e52e6165ed8c41b05e518b55ae3da2e 7e64550587ee21f4fbcc79a553ab0fa6 848c9a8463a337eeb21a5b4650dc0215 84b194b521afd8fef39552e5330d59f4 91b0d69e988be9bd1c9eabb0d5ba1f45 988d384c68c95d28e67d6b8edaf2ebe5 bec6094a74e102a8d18630ee0eb053e3 c6633929d10601c635fe9b67cf645c93 d63e19f5221457c38bc3b4d7340e0f82 d6b0f21dd46f11f64bf67effa36cea94 d743f6bea36a000eb2464cfa5c4aed70 f3dd5d2eb2829ddf395eab3e231c59ff 5dd3361225ceee07852ec30436eefab4 66e44095b5b654752995aa06405dd450 f9a070a623788a4ecb2c7940291301b9 61c5edbd2974259f9b39ab24a89b7ef2 212b13a43a5d167dda1a82dbb2a94fbe 3c9f664193958e16c9c89423aefcb6c8 466d99ac1ca19b8732923d0510eb8385 Multi-Staged JSOutProx RAT Targets Indian Co-Operative Banks and Finance Companies IOC Meta Description Indian Co-operative Banks and Finance Companies were targeted by Multi-Staged JSOutProx RAT group to steal sensitive data. Multiple payloads were being dropped at different stages of the spear-phishing operation. Click here to read more. Website Paragraph Indian Co-operative Banks and Finance Companies were targeted by Multi-Staged JSOutProx RAT group to steal sensitive data. Quick Heal Security Labs has been monitoring the attack and found multiple payloads dropped at different stages of the spear-phishing operation through separate C2 domains. The malware uses spear-phishing emails with compressed attachments that have a transaction-related name. Download the extensive whitepaper on the topic to know more. Quick Heal Technologies Ltd. Marvel Edge, Office No. 7010 C & D, 7th Floor, Viman Nagar, Pune, Maharashtra, India - 411014. Phone: 1800 212 7377 | info@seqrite.com | www.seqrite.com All Intellectual Property Right(s) including trademark(s), logo(s) and copyright(s) are properties of their respective owners. www.seqrite.com