Indian Banks and Finance Companies Targeted by Multi-Staged RAT

silversurfer

Quick Heal Security Labs has revealed it has been noticing JSOutProx RAT-based cybersecurity attacks on Indian SMBs in the Banking and Finance sector since early 2021. This is a JScript-based RAT stored on a target device as a .hta file and first executed by the mshta.exe process.

The first mode of infection is via a spear-phishing email with a “.hta” compressed attachment named for a financial transaction. These hold a double-extension-like format, for example, “_pdf.zip”, “_xlsx.7z”, “_xls.zip”, “_docx.zip”, “_eml.zip”, “_jpeg.zip”, “_txt.zip” etc.

The RAT itself is a 2019 discovery in the cybersecurity space where it has grown since then to include new functions, commands, and process obfuscation. Now, this also includes over 1 MB of obfuscated code, base64-like string array sets, configuration data for malware executables, and rc4 string decryption functions. Meanwhile, the concealment pattern remains similar across all versions and both stages.

According to Quick Heal’s official statement, the infection is delivered in two phases. The first has a very elementary and limited functioning version, further bolstered by a second phase payload delivery. The first phase usually targets low-access privilege individuals in a small-scale BFSI business and then uses their contacts directory entries to proliferate the infection further.
 

Andy Ful

Both SWH and HC cover this I believe, right? @Andy Ful?

Yes.

The initial attack vector is a spear-phishing email with a compressed attachment having a “.hta” file with a file name related to a financial transaction.

The HTA files are blocked in UserSpace.
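The two posts above describe the lure (an archive named like a document, e.g. "_pdf.zip", carrying an ".hta" inside) and the mitigation (blocking HTA in user space). The following mail-gateway triage check is an added example, not code from Quick Heal, Hard_Configurator or this thread; the regex, the extension list, the verdict labels and the constructed sample archive are all assumptions, and only ZIP containers are inspected because the standard library has no 7z reader.

```python
import io
import re
import zipfile

# Naming pattern reported in the thread: a fake document extension glued to the
# real archive extension, e.g. "Invoice_pdf.zip" (constructed regex, an assumption).
FAKE_DOC_SUFFIX = re.compile(r"_(pdf|xlsx?|docx?|eml|jpe?g|txt)\.(zip|7z)$", re.IGNORECASE)
# Members that would execute under a Windows script host such as mshta.exe or wscript.exe.
SCRIPT_HOST_EXTENSIONS = {".hta", ".js", ".jse", ".wsf", ".vbs"}

def looks_like_double_extension(filename: str) -> bool:
    """True when the attachment name mimics a document but is really an archive."""
    return FAKE_DOC_SUFFIX.search(filename) is not None

def zip_members_with_script_extensions(data: bytes) -> list[str]:
    """Return member names inside a ZIP payload that a script host would run."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if any(lower.endswith(ext) for ext in SCRIPT_HOST_EXTENSIONS):
                hits.append(name)
    return hits

def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine the name lure and the archive contents into a verdict."""
    members = []
    if filename.lower().endswith(".zip"):
        try:
            members = zip_members_with_script_extensions(data)
        except zipfile.BadZipFile:
            members = []  # not a real ZIP; the name-based check still applies
    lure = looks_like_double_extension(filename)
    if lure and members:
        verdict = "quarantine"   # document-looking name AND a script-host payload
    elif lure or members:
        verdict = "review"       # only one of the two indicators present
    else:
        verdict = "allow"
    return {"filename": filename, "lure_name": lure, "script_members": members, "verdict": verdict}

def build_sample_zip(member: str, body: bytes) -> bytes:
    """Build an in-memory ZIP for the demo (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, body)
    return buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_zip("Transaction_Receipt.hta", b"<html><script>/* placeholder */</script></html>")
    print(triage_attachment("Transaction_Receipt_pdf.zip", sample))
```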
 
