W H I T E
###### PAPER

## Multi-Staged JSOutProx RAT
##### Targets Indian Co-Operative Banks and Finance Companies

**Author**
Chaitanya Haritash


-----

**Executive Summary**


Since early 2021, Quick Heal Security Labs has been monitoring various attack
campaigns using JSOutProx malware, which is a highly obfuscated & complex
JavaScript JavaScript-based RAT. Most of these attacks are targeted against
different small and medium businesses in the Banking and Financial sectors. Similar
campaigns related to this malware have also been previously reported from other
countries. But, these attacks which are targeting Indian companies are being
[operated from separate C2 servers. We have previously published a blog in October](https://www.seqrite.com/blog/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/)
2021 that emphasized malware and its different stages.

In this paper, we will go a little deeper into the different versions of the malware and
how it targets Indian companies.


-----

**Initial Access:**


(Fig.1 - Phishing Email)

The Initial Infection starts with an email which brings in a malicious compressed
archive containing a JavaScript file. This file is the actual JsOutProx payload.
We have analyzed multiple .eml files from this campaign. Most of them had either:

- Header with a spoofed email of the sender or

JavaScript

- Were compromised to make it look more legitimate and convincing to the
victim.

This is a general tactic used by attackers in spam campaigns.

(Fig 2. ZoomEye record about IMAP Server)


-----

In 2020, an Attacker used IMAP belonging to “192.188.88.116” to send bulk spam
emails to its targets.

JSOutProx is a highly obfuscated, complex JavaScript based RAT. We have been
monitoring this attack campaign since December 2019 and finding its activity even
today.

 - This JavaScript code is approximately 1 MB in size.

 - Looking into the code, there is a variable with a long array of around 28k values in it.

 - This occupies almost a quarter of the file size.

 - This array consists of base64 kind of data, but on decryption, we get junk.

JavaScript

(Fig 3.)

The data is de-obfuscated by passing in the form of function (z, w) [e.g.: HJ('0x61fe',
Z8L5') ] where z refers to the index of the value in “H array” and w refers to RC4
decryption key.

The actual decoding function is hidden in variable r. The data is base64 decoded
and RC4 decrypted at the time of execution.

(Fig 4.)


-----

(Fig 5.)

This RAT can be run as a JavaScript file on the command line, or as a .HTA file inside
a window (mshta.exe). If it is running from inside a window, the RAT hides the
window by resizing it to 0*0 pixels (height*width). Apart from that, it also moves it
away from the viewable part of the screen.

JavaScript

(Fig 6.)

Moving forward, there is a HT object being initialized

(Fig 7.)

Setting the breakpoint and adding a watch to HT we can clearly see how it got
de-obfuscated.


-----

(Fig 8.)

JavaScript

(Fig 9.)

Methods (Offensive capabilities) can also be seen:

(Fig 10.)


-----

(Fig 11.)

Let’s now focus on what is all this. Ht object basically has a configuration for the
malware. A few interesting fields in the configuration include (fig below):
















The "BaseUrl" field points to the C2 domain and port number via the HTTP
protocol. “Hxxp[:]//gensamogh.myq-see.com:9059/” (source)

While downloading plugins and assemblies from C2, the "Password" field is
used. “"vruxcvdfmopd123"”

”Tag” field contains a campaign ID. "macxr". Initially, it was JSOutprox.JavaScript

“Startdate” is about the starting date of infection. “Mon Dec 13 16:22:14
**UTC+0530 2021”**

Delimiter is used as a separator by the malware while exfiltrating data. "_|_"

“ViewOnly” allows the attacker to monitor the victim to gather victim info
and not write or execute anything on the machine.

Fs: Uses Scripting File system Object to gain read/write privileges

Wsh: Uses Wscript. Shell Object to execute Wscript files

Sh: It uses Shell.Application object to execute command line applications

InstallDir : Contains the location for installation of malware

Sleeptime: Delaying the execution of malware

IDPrefix: This is used as a prefix when data is sent over C2

ProxyActions: Indicates if malware is a proxy for any other process


-----

(Fig 12.)


**How is the configuration varying in different versions?**


The configuration is almost the same in all versions, with few changes.

1. Base URL changes in different versions. Given below are the C2 found among
all the versions.



- marcelbosgath.zapto.org:9790

- ruppamoda.zapto.org:9099

- apatee40rm.gotdns.ch:9897

- mathepqo.serveftp.com:9059

- protogoo.ddnsking.com:9081

- riyaipopa.ddns.net:9098



- dirrcharlirastrup.gotdns.ch:8037

- uloibdrupain.hopto.org:8909

- gensamogh.myq-see.com:9059

- cccicpatooluma.hopto.org:5090

- feednet.myftp.biz:6093


JavaScript

2. Tag which denotes the Campaign ID also changes. Few common ones found
were: pod, kmewsx, macxr etc
3. IDPrefix also varies. Few of them are: okdh=, ivcbshs=, _ybj= etc
4. In the latest versions, the following fields have been observed:



- IsDonetInstalled

- IsAMSI



- Net

- IsEncrypted


-----

### Plugins


**Plugins:**


This malware has various plugins to perform various operations such as
exfiltration of data, performing file system operations etc. Apart from that, it also
has various methods with offensive capabilities that perform various operations.


**Methods:**


A few interesting methods (can be seen in Fig 10 and Fig 11) are:

1. getUuid : Gets the UUID of the machine
remove Startup: Remove startup entries(persistence mechanism) if any

2. userName :Get the username of the victim's machines
Process(list): To list down all the processes which are running
3. receive: interpret commands received from C2. These commands are written in
the form of a switch case. Given below are a few commands:



- fnm: Sends the scriptfullname to C2.

- dvo: set to View only

- pat: Update the implant

- uss.s: Set proxy actions and update sleep time

- upd: Update and restart the implant

- rst: Restart

- rmz: Set the zoneidentifier

- l32: open launch ScriptFullName

- l64: open launch scriptFullName

- dcn: exit

- rbt: reboot the victim’s machine

- shd: shutdown the victim's machine



- lgf: disconnect

- ejs: evaluate a javascript code

- evb: evaluate a VBscript code

- uis: unInstall

- ins: install

- rins: reset the persistence mechanism

- ruis: remove the persistence

- sins: open addStartup

- **suis: open removeStartup**

- int.g: send C2 sleepTime

- int.s: set sleepTime,

- sdn: Load a .NET dll(in new versions)


-----

(Fig 13.)

Then there is an if-else loop related to plugins. These plugins are used to maintain
the implant easily:



- fi: FilePlugin

- do: DownloadPlugin

- sp: ScreenPShellPlugin

- cn: ShellPlugin

- in: InvokePlugin



- sh: ShortcutPlugin

- as: AssociationPlugin

- jv: JavaInstallPlugin

- pr: ProcessPlugin.


(Fig 14.)


-----

**How does this implant work?**


After creating RAT configuration, the first function run by the implant is “init”.

(Fig 15.)

This will create an identification string for the victim machine where it gathers
system information and stores them into the HT[‘ID’] variable. This ID is filled up
with:



- VolumeSerial

- UUID

- Computername

- Username



- OSVersion

- OSCaption

- tag

- ScriptName


And it is separated by Delimiter.

This implant then moves in an endless loop in which it calls the above “receive”
function every 5 seconds. This function basically allows the attacker to

communicate and coordinate with the malware.

The malware connects to the C2 and fetches a string indicating the command to
be executed into the “l[0x0]” variable. This l[0x0] variable can contain either
commands or plugins, which are discussed above.


**Let’s now look at plugins of older versions:**


1. InfoPlugin: Infoplugin is used along with a function receiver that is used to
interpret commands from C2. Basically this plugin is used to collect and send
victim machine info to C2.

(Fig 16.)


-----

2. File plugin: Perform all file system operations.



- fi.del: Open File removeEx

- fi.cp: Open File copyEx

- fi.mv: Open File moveEx



- fi.nd: Open File createFolderEx

- fi.ren: Open File rename

- fi.e: Execute a file through Wsh etc..


(Fig 17.)

3. ProcessPlugin: This plugin collects processing information. It also creates or
terminates a process by calling the process-related functions.

(Fig 18.)

4. ScreenPShellPlugin: Perform mouse and keyboard operations using
PowerShell scripts.

(Fig 19.)


-----

5. ShellPlugin: The “ShellExecute” option uses the ShellExecute method present
in the object of Shell Application. ShellExecute should be called if the user has
admin privileges. When the command fails, it attempts to disable AntiSPYware
of Windows Defender from the Registry. If the user is not an Admin,
ShellExecute is attempted with elevated permissions using the 'runas' flag
[(source). The “get output” option uses the Run method present in the object of](https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/)
WScript.Shell. The output is stored in a local file. Furthermore, it collects the
user's keyboard language/code page in order to format the output properly.

Upon execution, the malware communicates with C2, which responds with a
PowerShell script that captures the screenshot and saves it to a temp
directory. There have been previous reports of the same PowerShell script
being used in attacks against banks in the UK. Here is the PowerShell script:

(Fig 20.)


**Plugins in new versions:**


With additional functionality, these files are around three MB in size. There is an
inclusion of DotUtil functions that enables it to download and execute .NET
assemblies in memory. The method “hasDotnet” discussed earlier also hints
about .NET relation with JS.

(Fig 21.)


-----

Given below are DotUtil functions.

(Fig 22.)

In the above DotUtil functions, given below is the most important one (Create
Instance):

(Fig 23.)

libDotJs.dll is downloaded, which has the actual code related to the DotUtil
Functions.

We have fetched the libDotJS.dll module by intercepting the memory of
wscript.exe using x64.dbg. Looking into CFF Explorer


-----

(Fig 24.)

All the functions can be seen in its strings.

(Fig 25.)


-----

Using dnspy for a clear picture, we can clearly see that there is a complete
mapping of Dotnet modules of the below dll and the ones declared in DotUtil
component of the malicious JavaScript

(Fig 26.)


**Let’s now look into Plugins:**


1. Activity Plugin: This plugin enables the RAT to be in Online or Offline state. An
adodb.stream object is created when the state is online to save the download
ed/collected data. This plugin (infact all the plugins) is used along with function
receive that is used to interpret commands from C2. Based on the commands
the states are changed by calling corresponding “Activity” Functions through a
switch-case.

(Fig 27.)


-----

2. CensorMiniPlugin: Enables/disables proxy settings on user machine by
modifying registry key “Software\Microsoft\Windows\CurrentVersion\Internet
Settings\ProxyEnable” switch-case.

(Fig 28.)

3. AdminConsolePlugin: This plugin changes the authentication level using
“winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2”. It uses
command “select * from win32_logicaldisk” and queries drive size,freespace etc.

(Fig 29.)

4. ClipboardPlugin: : It is used to copy the clipboard data and send it over C2. It
can also modify clipboard data.

(Fig 30.)

5. DnsPlugin: I: It is used to send current DNS info to c2 . It can also be used to set
a DNS path. Add or modify new path in C:\Windows\System32\drivers\etc\hosts
[(source)](https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/)

(Fig 31.)


-----

6. Multiviewplugin: Has Quality and scaling info.

(Fig 32.)

7. LibraryPlugin: Sends a list of the Dotnet versions installed on the system to C2.

8. OutlookPlugin: It accesses the Outlook account details, and contacts list and
sends it over C2

(Fig 33.)

9. PriviledgePlugin: In this, the option “UAC” allows to write in registry location
[“SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\” (source) by](https://www.seqrite.com/blog/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/)
setting value 0 for keys EnableLUA and ConsentPromptBehaviorAdmin. The
option “elevateScript” executes the script using wscript.exe with the batch
mode option. The option “elevateCommand” executes commands using Wsh

with the ‘runas’ flag. It also has options for using UAC bypass techniques like
fodhelper.exe, Slui File Handler Hijacking, CompMgmtLauncher,
EventViewer.exe etc.

(Fig 34.)


-----

10. PromptPlugin: This plugin allows the attacker to show his victim a custom
message prompt sent by C2.

(Fig 35.)

11. ProxyPlugin: Sets DNS path. Add or modify a new path in
[C:\Windows\System32\drivers\etc\hosts. (source)](https://blogs.quickheal.com/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies/)

12. ShortcutPlugin: Generate shortcut files for given executables. Run the
shortcut file. You can either get the target of a shortcut file or dump its content.

(Fig 36.)

13. RecoveryPlugin: Used for the recovery of user password configurations

14. TokensPlugin: Steal OTP received from SymantecVIP application.

(Fig 37.)

Apart these there are few interesting methods also:

P object: Used to fetch information related to volume serial, resolution,physical
memory info etc


-----

(Fig 38.)

15. Network drives: Dumps info related to network drives.

(Fig 39.)

16. Message bag: Used to give flash messages to the victim

(Fig 40.)


**Environment and HTTP objects:**


(Fig 41.)

After dropping old versions, a new version is dropped (updated) in a few cases,
which leads to Netwire RAT. Last year we published our research about
Java-based Adwind RAT
(https://www.seqrite.com/blog/java-rat-campaign-targets-co-operative-banks-in-i
ndia/) in which a jar file was the main component


-----

Furthermore, it targeted co-operative banks in India using Covid-themed
attachment names of a similar double-extension format. JSOutProx and Adwind
RATs have identical commands, configuration fields, and user-agent strings. It is
likely that the JSOutProx RAT is linked to the same threat actor since they appear
to use similar jar files as end payloads instead of initial infection vectors to evade
detection


**Network:**


(Fig 42.)

We captured some attacker engagement with victims. The command
“MTBffF8tMV98XzUwMA==” decodes to “ 10_|_-1_|_500 “ which was issued to
capture screenshots and send them back to C2.

Notice that crafted HTTP header in the request, which helps payload blend into
packets as Content-Type of images. However, this was an old variant of
JsOutProx.


-----

# Conclusion


#### Apparently, this attack was carried out by a Threat Actor with a financial motive.


They are attacking small banks,

where security practices are less

well-defined than those of larger

institutions, thereby increasing

the chance of a successful

infection and a payout.


While the majority of the
analyzed attacks have targeted
Indian banks, we have found
signs of this attack in other
geographies as well. As we have
only limited data, it is difficult to
determine if the attackers are
targeting any particular country.


-----

**Based on our Threat Intelligence:**


**mplant JsOutProx have**
**capabilities similar to**

**Hackers launder** **FIN-7 APT's Carbanak.**
**money outside** **Carbanak shared the**

**same goals and was**

**India.**

**designed to perform**
**similar tasks.**


**mplant JsOutProx have**
**capabilities similar to**

**Hackers launder** **FIN-7 APT's Carbanak.**
**money outside** **Carbanak shared the**

**same goals and was**

**India.**

**designed to perform**
**similar tasks.**


Our clients are advised to apply updates regularly and ensure that their
employees are aware of such types of attacks.


**The attackers are** **Hackers launder**
**linked to other** **money outside**
**organizations.** **India.**


**MITRE ATT&CK:**


**The attackers are** **Hackers launder**
**linked to other** **money outside**
**organizations.** **India.**


Obfuscation


T1313


System Information Discovery


T1082


Exfiltration Over C2 Channel


T1041


Persistence: Startup/Registry Keys


T1060


Command And Control (C2)


TA0011, T1001, T1132.001


MSHTA Execution


T1218.005


WSCRIPT Execution


T1059.007


Phishing: Spear Phishing Attachment


T1566.001


-----

**IOC** **Meta Description**


06396c2f1ac27f7a453d9461ad1af8a6 : New version

3C9F664193958E16C9C89423AEFCB6C8: Old Version

9AED11D78DD7ECF5331360011B0EA9A8:
DotUtil.Library.Cs.dll

c4aa2b901d6bb29dff4e227362a032c6

b308874f65c78ddecd335ce5d83246d3

71bb3e4d16b4310e9d9d23057d49987a

1d9056f9ebde111dc7f6af12727985e8

0c7e3f6d22e5de96f4bf4d604a663968

57b0fb87a0e95cefd7582e3345ca4d20

7aaa51d0d6566cb7829d6d58361ee30f

1ed75d4c96c4c7bfc1c9140ac1f18567

04b2d333339b3b52e248ccb9ea761118

5e20c14bf6d5b4d1977a4c03f5a3ec0f

00c03e7a44b93910a9e30a4080dd6b29

025da995f8f6920eb077e44f3469742d

06117083f64d96135287c10b7a773f13

06186d4b79c1d9e025621c94318c3729

18746a6df8bca70d22d864f217df9112

295d8fb6c515551f7d632add21b450e1

32025fad1e9bf48297266a2bad41dd25

48adcbbc3ec003101b4a2bb0aa5a7e01

4ff53e2087cd0d288506389d67d1c046

5111740d2eb8a8201231cb0e312db88a

5b2b4f989f684e265b03f8334576a20c

5d16911fe4bcc7d6a82c79b88e049af2

61624005ee9539f39fe61e4453393db5

64b8a83f291e90b551c43539c1cf2ae0

6e52e6165ed8c41b05e518b55ae3da2e

7e64550587ee21f4fbcc79a553ab0fa6

848c9a8463a337eeb21a5b4650dc0215

84b194b521afd8fef39552e5330d59f4

91b0d69e988be9bd1c9eabb0d5ba1f45

988d384c68c95d28e67d6b8edaf2ebe5

bec6094a74e102a8d18630ee0eb053e3

c6633929d10601c635fe9b67cf645c93

d63e19f5221457c38bc3b4d7340e0f82

d6b0f21dd46f11f64bf67effa36cea94

d743f6bea36a000eb2464cfa5c4aed70

f3dd5d2eb2829ddf395eab3e231c59ff

5dd3361225ceee07852ec30436eefab4

66e44095b5b654752995aa06405dd450

f9a070a623788a4ecb2c7940291301b9

61c5edbd2974259f9b39ab24a89b7ef2

212b13a43a5d167dda1a82dbb2a94fbe

3c9f664193958e16c9c89423aefcb6c8

466d99ac1ca19b8732923d0510eb8385


Indian Co-operative Banks and
Finance Companies were targeted
by Multi-Staged JSOutProx RAT
group to steal sensitive data. Quick
Heal Security Labs has been
monitoring the attack and found
multiple payloads dropped at
different stages of the
spear-phishing operation through
separate C2 domains. The malware

uses spear-phishing emails with
compressed attachments that have
a transaction-related name.
Download the extensive whitepaper
on the topic to know more.

Quick Heal Technologies Ltd.
Marvel Edge, Office No. 7010 C & D, 7th Floor,
Viman Nagar, Pune,
Maharashtra, India - 411014.
Phone: 1800 212 7377 | info@seqrite.com |
www.seqrite.com


Indian Co-operative Banks and
Finance Companies were targeted
by Multi-Staged JSOutProx RAT
group to steal sensitive data.
Multiple payloads were being
dropped at different stages of the
spear-phishing operation. Click here
to read more.


**Website Paragraph**


-----