Indian Banks and Finance Companies Targeted by Multi-Staged RAT

silversurfer

Quick Heal Security Labs has revealed that it has been observing JSOutProx RAT-based cybersecurity attacks on Indian SMBs in the Banking and Finance sector since early 2021. This is a JScript-based RAT stored on a target device as a .hta file and first executed by the mshta.exe process.

The first mode of infection is via a spear-phishing email with a compressed “.hta” attachment named for a financial transaction. These hold a double-extension-like format, for example, “_pdf.zip”, “_xlsx.7z”, “_xls.zip”, “_docx.zip”, “_eml.zip”, “_jpeg.zip”, “_txt.zip” etc.

The RAT itself was first discovered in 2019 and has since grown to include new functions, commands, and process obfuscation. Now, this also includes over 1 MB of obfuscated code, base64-like string array sets, configuration data for malware executables, and RC4 string decryption functions. Meanwhile, the concealment pattern remains similar across all versions and both stages.

According to Quick Heal’s official statement, the infection is delivered in two phases. The first has a very elementary and limited functioning version, further bolstered by a second phase payload delivery. The first phase usually targets low-access privilege individuals in a small-scale BFSI business and then uses their contacts directory entries to proliferate the infection further.
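The delivery pattern described above (a document-named archive such as “…_pdf.zip” carrying a .hta file) lends itself to a simple mail-gateway triage check. The script below is an added example written for this post; it is not Quick Heal's detection logic and not code from the write-up. The regex for the document-like suffixes, the verdict labels and the sample attachments are all my own constructions; only ZIP archives are opened (7z would need a third-party library), so a 7z attachment with a suspicious name is sent for review on its name alone.

```python
"""Triage e-mail attachments for the JSOutProx delivery pattern: an archive whose
name mimics a document ("Invoice_pdf.zip", "Report_xlsx.7z") and which contains
a .hta file. Added example; the matching rules below are assumptions."""
import io
import re
import zipfile

# Suffixes quoted in the post glued onto an archive extension. The regex that
# matches them is an assumption, not Quick Heal's rule.
DOC_SUFFIX_RE = re.compile(r"_(pdf|xlsx?|docx?|eml|jpe?g|txt)\.(zip|7z)$", re.IGNORECASE)
HTA_EXT = ".hta"  # the script type named on the page (run by mshta.exe)


def build_sample_zip(members):
    """Constructed test fixture: build an in-memory ZIP from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def name_looks_like_document(filename):
    """True when the archive name mimics a document, e.g. 'Invoice_4471_pdf.zip'."""
    return DOC_SUFFIX_RE.search(filename) is not None


def archive_members(data):
    """Member names of a ZIP payload; non-ZIP data (including 7z) yields []."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename, data):
    """Return a verdict record for one attachment (filename plus raw bytes)."""
    members = archive_members(data)
    hta_members = [m for m in members if m.lower().endswith(HTA_EXT)]
    suspicious_name = name_looks_like_document(filename)
    if hta_members:
        verdict = "block"    # .hta inside a mailed archive: the pattern on the page
    elif suspicious_name:
        verdict = "review"   # document-like name, but no .hta seen (or archive not openable here)
    else:
        verdict = "allow"
    return {
        "filename": filename,
        "suspicious_name": suspicious_name,
        "hta_members": hta_members,
        "verdict": verdict,
    }


# Constructed samples (harmless placeholder contents, not real malware).
SAMPLE_ATTACHMENTS = {
    # document-named ZIP carrying an (empty) .hta member
    "Payment_Advice_pdf.zip": build_sample_zip({"Payment_Advice_pdf.hta": b"<html></html>"}),
    # spreadsheet-like name, but only a text file inside
    "Statement_Q3_xlsx.zip": build_sample_zip({"Statement_Q3.txt": b"quarterly notes"}),
    # ordinary archive with an ordinary member
    "photos.zip": build_sample_zip({"team.jpg": b"\xff\xd8\xff"}),
    # 7z-style name we cannot open with the standard library: judged on name alone
    "Invoice_7781_docx.7z": b"7z\xbc\xaf\x27\x1c" + b"\x00" * 16,
}


if __name__ == "__main__":
    for fname, blob in SAMPLE_ATTACHMENTS.items():
        rec = triage_attachment(fname, blob)
        print(f"{rec['verdict']:6s} {fname}  hta={rec['hta_members']}")
```

In a gateway you would run `triage_attachment` over each decoded MIME part; "block" and "review" verdicts map naturally to quarantine and analyst queues, and the name-only "review" path keeps 7z attachments from slipping through just because the archive format is not inspected.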