Cyber Affairs
JsOutProx Malware Abusing GitLab To Attack Financial Institutions

by admin
Apr 8, 2024
in News

GitLab is a widely used web-based Git repository manager. Attackers target it to reach confidential source code, steal intellectual property, or insert malicious code into hosted projects, and, as in the campaign described here, they also abuse its free repository hosting to stage malware payloads.

Vulnerabilities in GitLab itself, or misconfigurations in a GitLab deployment, can serve as the initial foothold of an attack from which the surrounding environment and any connected networks or systems can then be targeted.

A new variant of JSOutProx has emerged as a stealthy attack framework that combines JavaScript and .NET components.

It targets financial institutions in the APAC and MENA regions and uses .NET (de)serialization to load and run malicious JavaScript on compromised systems.

This modular malware, which the threat actor tracked as SOLAR SPIDER has used in phishing campaigns since 2019, can also load plugins for malicious post-intrusion actions.

JsOutProx Malware Abusing GitLab

A surge in activity was detected around February 8, 2024, when a Saudi Arabian system integrator reported an incident targeting the customers of a major regional bank.

The campaign impersonated the sender “mike.will@my[.]com” and used fake SWIFT/MoneyGram payment notifications to deliver the malicious payloads.

Resecurity also assisted multiple victims through DFIR engagements, recovering the malware used in these impersonation attacks against bank customers, both enterprises and individuals.

As first reported in November 2023, Solar Spider hosted its payloads on GitHub repositories, with the malicious JavaScript disguised as PDF documents.

The group has since shifted from GitHub to GitLab: on March 27, 2024, Resecurity discovered a new sample from this group that used GitLab repositories as part of a multi-stage infection chain.

Activity detected (Source – Resecurity)

On March 25, 2024, several GitLab accounts belonging to this actor were registered to host malicious payloads in repositories such as “docs909” (created April 2) and “dox05” (created March 26).

This rotating-repository tactic likely lets the actor maintain different payloads for different victims.

Once the malware has been delivered successfully, the actor deletes the repository and opens another.

Notably, Resecurity captured the latest payloads, uploaded on April 2, 2024, which shows that the GitLab campaign is still developing.

Recent malware payloads uploaded (Source – Resecurity)

Defenders need to detect, prevent, and mitigate the JSOutProx RAT, whose hidden JavaScript backdoors are heavily obfuscated and whose modules provide command execution, file operations, persistence mechanisms, screen capture, and system control.

One distinctive trait is its use of the Cookie header when communicating with its C2 servers.

Resecurity retrieved and deobfuscated the implants from archived payloads, and its analysts decoded the JavaScript for further analysis and defensive measures.

The first-stage implant can update itself, set proxy and sleep times, execute processes, evaluate JavaScript, and exit.

It uses ActiveXObject, the Windows Script Host mechanism for instantiating COM objects, for its automation tasks. The second stage adds further plugins that broaden the malware’s range of functions.

The continuously evolving malware reflects an organized development effort, targeting high-profile victims in the government and finance sectors with customized lures.
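The tradecraft described above (JavaScript disguised as a PDF, run under Windows Script Host, fetching later stages from a GitLab repository, and talking to C2 with a Cookie header) translates into three hunting rules over endpoint telemetry. The script below is an added example, not Resecurity's tooling or anything from the campaign; the pipe-delimited event format, the host names, the repository path and the sample events are all constructed for illustration, and the rule that a script host sending any Cookie header is suspicious is an assumption (wscript/cscript have no browser cookie jar, so a Cookie header there is set by the script itself).

```python
"""Hunt for JSOutProx-style activity in constructed endpoint events.

Event format (assumed, not a real product's log format):
    kind|key=value|key=value...
where kind is "proc" (process creation) or "net" (outbound HTTP request).
"""
import re
from urllib.parse import urlparse

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # Windows Script Host binaries
SCRIPT_EXTS = (".js", ".jse", ".wsf")                    # extensions WSH will execute
DECOY_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")  # document extension used as bait
REPO_HOSTS = {"gitlab.com", "github.com", "raw.githubusercontent.com"}

# Either a double-quoted argument or a bare whitespace-free token.
QUOTED_ARG = re.compile(r'"([^"]+)"|(\S+)')

# Constructed sample telemetry. Repository and user names are fictional.
SAMPLE_EVENTS = [
    'proc|host=WS01|parent=explorer.exe|image=C:\\Windows\\System32\\wscript.exe'
    '|cmdline="wscript.exe" "C:\\Users\\u\\Downloads\\SWIFT_Payment_Advice.pdf.js"',
    'proc|host=WS01|parent=explorer.exe|image=C:\\Windows\\System32\\wscript.exe'
    '|cmdline="wscript.exe" "C:\\Scripts\\logon.js"',
    'net|host=WS01|image=C:\\Windows\\System32\\wscript.exe'
    '|url=https://gitlab.com/example-user/example-repo/-/raw/main/stage2.txt',
    'net|host=WS02|image=C:\\Program Files\\Mozilla Firefox\\firefox.exe'
    '|url=https://gitlab.com/example-user/example-repo',
    'proc|host=WS03|parent=winword.exe|image=C:\\Windows\\System32\\cscript.exe'
    '|cmdline=cscript.exe C:\\Temp\\Moneygram_Receipt.pdf.jse',
    'net|host=WS03|image=C:\\Windows\\System32\\cscript.exe'
    '|url=http://203.0.113.10/|cookie=id=AbC123',
]


def parse_event(line):
    """Split 'kind|k=v|k=v' into a dict; values keep everything after the first '='."""
    kind, _, rest = line.partition("|")
    fields = {"kind": kind.strip()}
    for part in rest.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def script_args(cmdline):
    """Return command-line arguments (quoted or bare) minus the executable itself."""
    tokens = [quoted or bare for quoted, bare in QUOTED_ARG.findall(cmdline)]
    return tokens[1:]


def looks_like_decoy_script(path):
    """True for a WSH script whose name ends in a document extension, e.g. x.pdf.js."""
    lowered = path.lower()
    stem, dot, ext = lowered.rpartition(".")
    return dot == "." and ("." + ext) in SCRIPT_EXTS and stem.endswith(DECOY_EXTS)


def repo_payload_url(url):
    """True when the request goes to a code-hosting site that can serve raw payloads."""
    return urlparse(url).hostname in REPO_HOSTS


def hunt(lines):
    """Apply the three rules; return (rule, host, evidence) tuples in event order."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if image not in SCRIPT_HOSTS:
            continue  # every rule here is about Windows Script Host activity
        if ev["kind"] == "proc":
            for arg in script_args(ev.get("cmdline", "")):
                if looks_like_decoy_script(arg):
                    hits.append(("wsh_double_extension", ev["host"], arg))
        elif ev["kind"] == "net":
            url = ev.get("url", "")
            if repo_payload_url(url):
                hits.append(("script_host_repo_fetch", ev["host"], url))
            if ev.get("cookie"):
                # Assumption: WSH has no cookie jar, so a Cookie header is script-set.
                hits.append(("script_host_sends_cookie", ev["host"], url))
    return hits


if __name__ == "__main__":
    for rule, host, evidence in hunt(SAMPLE_EVENTS):
        print(f"{rule:26} {host:5} {evidence}")
```

The rules deliberately key on the script host rather than on the repository names seen in this campaign, since the actor rotates and deletes repositories; a browser visiting gitlab.com (the WS02 event) is ignored, while the same URL fetched by wscript.exe is flagged.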


Read the full article here

Copyright © 2022 Cyber Affairs. All rights reserved.