JsOutProx Malware Manipulation of GitLab to Target Financial Services Organizations

GitLab is a popular web-based Git repository manager. When attackers abuse it, the goals are typically unauthorized access to private source code and theft of proprietary information; it also gives them a place to plant malicious code in projects hosted on GitLab.

Software flaws in GitLab, or error messages exposed during deployment, can serve as the starting point of an attack that compromises the entire system and then reaches additional networks or systems linked to it.

A new version of JSOutProx has been developed as a covert attack toolkit that combines JavaScript and .NET components.

It is aimed at financial organizations in APAC and MENA, and it uses .NET serialization to deploy malicious JavaScript on infected computers.

This modular malware was first observed in 2019, in phishing attacks attributed to SOLAR SPIDER. After an initial infection it can also load plugins designed for further malicious behavior.

JsOutProx Malware Abusing GitLab

A spike in activity was discovered around February 8, 2024, when a Saudi system integrator reported an attack aimed at the clients of a large regional bank.

The campaign impersonated "mike.will@my[.]com" and delivered malware payloads via phony SWIFT/MoneyGram payment notifications.

Resecurity also assisted multiple victims through DFIR engagements, which allowed it to extract the malware used in these fraudulent attempts. Notably, the attempts targeted the bank's corporate and individual banking customers.

Solar Spider was first observed serving payloads from GitHub projects in November 2023. Rather than presenting the malware as JavaScript code, the actor disguises it as PDF files.

On March 27, 2024, Resecurity detected an additional specimen from this group, this time hosted on GitLab repositories and built as a multi-phase infection chain.

This actor's GitLab accounts were established on March 25, 2024, to host malicious payloads in projects such as "docs909" (created on April 2) and "dox05" (created on March 26).

This rotating repository strategy likely aids in the maintenance of varied payloads for diverse victims.

After successfully deploying the malware, the actor deletes one repository and creates another.
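One way a defender could hunt for the rotating-repository pattern described above is to look in outbound proxy logs for raw-file fetches from GitLab made by script hosts, and for one client pulling files from several short-lived projects under the same namespace. This is an added example written for this page, not code from Resecurity or from the report: the log format, the script-host list, the `example-actor` namespace, the IPs, the file names and the project `docs910` are constructed (only the project names docs909 and dox05 come from the page), and the `/-/raw/` path is GitLab's raw-file URL form.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Script hosts with little legitimate reason to pull raw files from a code-hosting site.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}

# GitLab raw-file URL path: /<namespace>/<project>/-/raw/<ref>/<path>
RAW_PATH_RE = re.compile(
    r"^/(?P<namespace>[^/]+)/(?P<project>[^/]+)/-/raw/(?P<ref>[^/]+)/(?P<path>.+)$"
)

# Constructed proxy log records: (timestamp, client_ip, process, url).
# Only the project names docs909 and dox05 come from the report; the namespace
# "example-actor", the IPs, the file names and the project "docs910" are made up.
SAMPLE_LOG = [
    ("2024-04-02T09:14:05", "10.0.5.21", "wscript.exe",
     "https://gitlab.com/example-actor/docs909/-/raw/main/docs.js"),
    ("2024-04-02T09:14:06", "10.0.5.21", "wscript.exe",
     "https://gitlab.com/example-actor/dox05/-/raw/main/loader.js"),
    ("2024-04-02T09:20:00", "10.0.5.40", "chrome.exe",
     "https://gitlab.com/acme-devs/web-app/-/raw/main/README.md"),
    ("2024-04-02T10:01:12", "10.0.5.21", "cscript.exe",
     "https://gitlab.com/example-actor/docs910/-/raw/main/stage2.js"),
]


def parse_raw_fetch(url):
    """Return (namespace, project, path) for a GitLab raw-file URL, else None."""
    parsed = urlparse(url)
    if parsed.hostname != "gitlab.com":
        return None
    match = RAW_PATH_RE.match(parsed.path)
    if not match:
        return None
    return match.group("namespace"), match.group("project"), match.group("path")


def find_script_host_fetches(records):
    """Flag raw-file fetches from GitLab that were issued by a script host process."""
    findings = []
    for ts, client, process, url in records:
        raw = parse_raw_fetch(url)
        if raw is None or process.lower() not in SCRIPT_HOSTS:
            continue
        namespace, project, path = raw
        findings.append({"time": ts, "client": client, "process": process,
                         "namespace": namespace, "project": project, "path": path})
    return findings


def find_rotating_namespaces(records, window=timedelta(days=1), min_projects=2):
    """Flag (client, namespace) pairs where one client pulled raw files from several
    distinct projects under the same namespace within `window`, which is the trace
    a rotating-repository strategy leaves in the logs."""
    seen = defaultdict(list)
    for ts, client, _process, url in records:
        raw = parse_raw_fetch(url)
        if raw is None:
            continue
        namespace, project, _path = raw
        seen[(client, namespace)].append((datetime.fromisoformat(ts), project))
    flagged = {}
    for key, events in seen.items():
        projects = sorted({project for _, project in events})
        times = [t for t, _ in events]
        if len(projects) >= min_projects and max(times) - min(times) <= window:
            flagged[key] = projects
    return flagged


if __name__ == "__main__":
    for finding in find_script_host_fetches(SAMPLE_LOG):
        print("script host fetched raw file:", finding)
    for (client, namespace), projects in find_rotating_namespaces(SAMPLE_LOG).items():
        print(f"{client} pulled from {len(projects)} projects under {namespace}: {projects}")
```

The namespace-churn check is deliberately loose (two projects in a day) because a developer's browser can legitimately pull from several projects; the script-host condition is what turns it into an alert, and the window and project count are tuning knobs for a real environment.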

Notably, Resecurity preserved the most recent payloads, submitted on April 2, 2024, which also sheds light on a growing GitLab-based campaign.

To detect, block, and neutralize

JSOutProx RAT malware contains concealed JavaScript backdoors, so detecting, blocking, and neutralizing it is harder than one might expect. The implants are difficult to analyze and include modules for command execution, file operations, persistence mechanisms, screen capture, and system control.

One notable feature is its use of the Cookie header when communicating with its C2 servers.

Resecurity obtained deobfuscated implants from archived payloads, and its analysts recovered decoded JavaScript scripts for further investigation and defensive measures.

The first-stage implant includes functionality for updating itself and setting proxy and sleep times, as well as for executing processes, evaluating JavaScript, and exiting.

It relies on ActiveXObject, a Windows Script Host object used here for malicious automation. The second stage introduces additional plug-ins that expand the malware's functionality.
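The Cookie-header C2 traffic and the Windows Script Host first stage described above suggest a simple hunting heuristic: a script host (wscript.exe, cscript.exe, mshta.exe) sending a Cookie header at all is unusual, and one carrying an unnamed or encoded high-entropy value more so. The example below is added for this page and is not code from the report or from Resecurity; the page does not describe the cookie's format, so the unnamed-token and entropy checks, the 4.0 bits/char threshold, the log record shape and all sample values are assumptions made for the example.

```python
import math
import re

# Windows Script Host processes; a browser is expected to carry cookies, wscript is not.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# A value made only of base64 / URL-safe base64 characters, at least 24 characters long.
ENCODED_RE = re.compile(r"^[A-Za-z0-9+/_-]{24,}={0,2}$")
ENTROPY_THRESHOLD = 4.0  # bits per character; an assumed cut-off for this example

# Constructed request records in the shape of a proxy or EDR network log. Hosts,
# processes and cookie values are made up; the long blob is just a base64-looking string.
SAMPLE_REQUESTS = [
    {"id": 1, "process": "wscript.exe", "host": "198.51.100.23", "path": "/",
     "headers": {"Cookie": "ZGF0YT1XSU4tN1FLOUgyTHxhZG1pbnwxMC4wLjUuMjF8NDA5Ng"}},
    {"id": 2, "process": "chrome.exe", "host": "mail.example.com", "path": "/inbox",
     "headers": {"Cookie": "session=7f3a9c2e4b1d; theme=dark"}},
    {"id": 3, "process": "cscript.exe", "host": "updates.example.net", "path": "/ping",
     "headers": {"Cookie": "sid=abc123"}},
    {"id": 4, "process": "wscript.exe", "host": "198.51.100.23", "path": "/",
     "headers": {"Cookie": "id=WIN01; d=ZGF0YT1XSU4tN1FLOUgyTHxhZG1pbnwxMC4wLjUuMjF8NDA5Ng"}},
]


def shannon_entropy(text):
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def cookie_pairs(header_value):
    """Split a Cookie header into (name, value) pairs; a bare token gets an empty name."""
    pairs = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        pairs.append((name, value) if sep else ("", name))
    return pairs


def classify_request(req):
    """Return the list of reasons this request looks like script-host C2 beaconing."""
    reasons = []
    cookie = req.get("headers", {}).get("Cookie")
    if cookie is None:
        return reasons
    if req.get("process", "").lower() in SCRIPT_HOSTS:
        reasons.append(f"{req['process']} sent a Cookie header to {req['host']}")
    for name, value in cookie_pairs(cookie):
        if name == "":
            reasons.append("unnamed cookie token (no name=value structure)")
        if ENCODED_RE.match(value):
            entropy = shannon_entropy(value)
            if entropy > ENTROPY_THRESHOLD:
                reasons.append(f"encoded high-entropy cookie value ({entropy:.2f} bits/char)")
    return reasons


def find_beacons(requests, min_reasons=2):
    """Return (id, reasons) for requests that match at least `min_reasons` indicators."""
    hits = []
    for req in requests:
        reasons = classify_request(req)
        if len(reasons) >= min_reasons:
            hits.append((req["id"], reasons))
    return hits


if __name__ == "__main__":
    for req_id, reasons in find_beacons(SAMPLE_REQUESTS):
        print(f"request {req_id}:")
        for reason in reasons:
            print("  -", reason)
```

Long, high-entropy cookies are normal for a browser (session tokens, JWTs), so the content checks on their own would be noisy; requiring two indicators means a browser's ordinary cookies (request 2) and a script host with a short named cookie (request 3) are not raised, while the script-host requests carrying an encoded blob (requests 1 and 4) are.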

The constantly developing malware demonstrates a concerted development effort, targeting high-profile victims in the government and banking sectors with tailored lures.