When it comes to tool consolidation, focus on platforms over products. Read More
Related Posts
AT&T says leaked data of 70 million people is not from its systems
AT&T says leaked data of 70 million people is not from its systems
AT&T says a massive trove of data impacting 71 million people did not originate from its systems after a hacker leaked it on a cybercrime forum and claimed it was stolen in a 2021 breach of the company. […] Read More
BleepingComputer
.webp)
JsOutProx Malware Abusing GitLab To Attack Financial Institutions
JsOutProx Malware Abusing GitLab To Attack Financial Institutions
[[{“value”:”
GitLab is a prominent web-based Git repository manager that is exploited by hackers to gain unauthorized access to confidential source code, steal intellectual property or insert malicious code into projects that are hosted on GitLab.
Gitlab’s software vulnerabilities or misconfigurations in their deployment can serve as an initial point of an attack from which the whole system can be breached and other networks or systems connected to this one could be targeted.
A new variation of JSOutProx emerged as a stealthy attack framework that combines JavaScript and .NET components.
It is aimed at financial institutions in the APAC and MENA areas, using .NET serialization to foster malicious JavaScript code on compromised systems.
This modular malware, which SOLAR SPIDER has initially associated with phishing campaigns since 2019, can also incorporate plugins meant for malicious actions after an initial intrusion.
JsOutProx Malware Abusing GitLab
A surge in activity was detected around February 8, 2024, when a Saudi Arabian system integrator reported an incident targeting the customers of a major regional bank.
Document
Run Free ThreatScan on Your Mailbox
AI-Powered Protection for Business Email Security
Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .
The campaign impersonated “mike.will@my[.]com” and employed fake SWIFT/Moneygram payment notifications to deliver malicious payloads.
Besides this, Resecurity aided multiple victims through DFIR engagements, recovering the malware used in these impersonation attacks aimed at banking customers across enterprises and individuals.
Initially reported in November 2023, Solar Spider has hosted payloads on GitHub repositories. But for JavaScript code, instead of that, they use PDF files to make their malware look like.
The group shifted from a preference for GitHub to GitLab repositories when Resecurity discovered a new sample from this group utilizing GitLab repositories on March 27, 2024, designed as a multi-stage infection chain.
Activity detected (Source – Resecurity)
On the 25th of March, 2024, several GitLab accounts that belonged to this actor were registered to host malicious payloads in repositories such as “docs909” (established on April 2) and “dox05” (established on March 26).
This rotating repository tactic probably assists in maintaining different payloads for various victims.
After delivering the malware successfully, the actor deletes the repository and opens another.
It is noteworthy that Resecurity secured the latest payloads uploaded on April 2nd, 2024, throwing light upon a developing GitLab campaign.
Recent malware payloads uploaded (Source – Resecurity)
To detect, prevent, and mitigate JSOutProx RAT malware that has hidden JavaScript backdoors, which are not easy to understand, and contains modules with command execution capacity, file operations capability, persistence mechanisms, screen capturing functionalities, and system control.
One exceptional point is how it employs the Cookie header while communicating with C2s.
Resecurity downloaded the deobfuscated implants from archived payloads, and its analysts found some decoded JavaScript codes for further analysis and defensive measures.
The first stage implant has functionalities that allow it to update, set proxy/sleep times, execute processes, evaluate JavaScript, and exit.
It interacts with ActiveXObject, a Windows Script Host object used for malicious automation tasks. The second stage adds other plug-ins that broaden the malware’s range of functions.
Moreover, the continuously evolving malware exhibits an organized development effort, attacking high-profile victims in government and finance sectors with customized lures.
Is Your Network Under Attack? – Read CISO’s Guide to Avoiding the Next Breach – Download Free Guide
The post JsOutProx Malware Abusing GitLab To Attack Financial Institutions appeared first on Cyber Security News.
“}]] Read More
Cyber Security News
Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws
Researchers Identify Multiple China Hacker Groups Exploiting Ivanti Security Flaws
[[{“value”:”Multiple China-nexus threat actors have been linked to the zero-day exploitation of three security flaws impacting Ivanti appliances (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893).
The clusters are being tracked by Mandiant under the monikers UNC5221, UNC5266, UNC5291, UNC5325, UNC5330, and UNC5337. Another group linked to the exploitation spree is UNC3886.
The Google Cloud”}]] Read More
The Hacker News | #1 Trusted Cybersecurity News Site