The China-linked Solar Spider cybercriminal group recently rolled out malware targeting Saudi financial institutions, expanding from its traditional operating areas in Southeast Asia and India. Resecurity, a cybersecurity firm familiar with Solar Spider’s tactics, reported the new cyberattack campaign in early April.
Resecurity found that a new version of Solar Spider’s well-known JSOutProx malware was used in February against an undisclosed Saudi regional bank and its customers. The attack began with a phishing email posing as a SWIFT funds-transfer notification. When a bank employee opened the attachment, presented as a PDF file, the JavaScript-based JSOutProx backdoor was installed, giving the attackers a foothold from which they reached the bank’s customer records.
The malware then harvested customer account details and credentials, which the attackers used to target those customers with similar phishing emails, this time posing as MoneyGram transfer notices. Customers who took the bait could have their bank accounts drained.
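The two-stage chain above turns on one weak point: a mail recipient opening an attachment that claims to be a transfer notice in PDF form while the payload is actually a JavaScript backdoor. The triage script below is an added example, not code from Resecurity, Visa, or the article, and it does not reproduce any specific JSOutProx artefact. It shows the checks a mail-gateway or SOC analyst would run over quarantined attachments: a document extension whose bytes do not carry that format’s magic header, a double extension such as `.pdf.js`, Windows Script Host markers in the content, and the same checks applied to every member of a ZIP. All filenames and attachment bytes are constructed for the demo.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass, field

# Magic bytes for the document formats a phishing lure is usually dressed up as.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0",
    ".xls": b"\xd0\xcf\x11\xe0",
}
# Extensions the Windows Script Host (or mshta) will execute on double-click.
SCRIPT_EXTENSIONS = {".js", ".jse", ".wsf", ".vbs", ".vbe", ".hta"}
# Tokens that rarely appear in a real document but are typical of script droppers.
SCRIPT_MARKERS = re.compile(
    rb"(ActiveXObject|WScript\.|CreateObject\(|eval\(|new Function|String\.fromCharCode)",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    name: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def split_extensions(name: str) -> list:
    """All dotted suffixes of a filename, lowercased: 'a.pdf.js' -> ['.pdf', '.js']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_attachment(name: str, data: bytes) -> Verdict:
    """Flag an attachment whose name or content disagrees with what it claims to be."""
    verdict = Verdict(name)
    exts = split_extensions(name)
    final = exts[-1] if exts else ""
    # 1. Double extension: a document suffix immediately followed by a script suffix.
    if len(exts) >= 2 and exts[-2] in MAGIC and final in SCRIPT_EXTENSIONS:
        verdict.reasons.append(f"double extension {exts[-2]}{final}")
    # 2. Claimed document type whose leading bytes are not that format's magic.
    if final in MAGIC and not data.startswith(MAGIC[final]):
        verdict.reasons.append(f"content is not {final} (magic mismatch)")
    # 3. Anything the script host would run outright.
    if final in SCRIPT_EXTENSIONS:
        verdict.reasons.append(f"script extension {final}")
    # 4. Script-host API calls in the first bytes, whatever the extension says.
    if SCRIPT_MARKERS.search(data[:8192]):
        verdict.reasons.append("script-host markers in content")
    return verdict


def inspect_archive(name: str, data: bytes) -> list:
    """Run inspect_attachment over every file inside a ZIP, since lures often ship scripts in archives."""
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            results.append(inspect_attachment(f"{name}:{info.filename}", zf.read(info)))
    return results


def triage(name: str, data: bytes) -> list:
    """Entry point: returns a list of Verdicts (one per file, or one per archive member)."""
    if data.startswith(b"PK\x03\x04") and split_extensions(name)[-1:] == [".zip"]:
        return inspect_archive(name, data)
    return [inspect_attachment(name, data)]


def build_zip(members: dict) -> bytes:
    """Helper to construct an in-memory ZIP for the demo samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for member_name, member_data in members.items():
            zf.writestr(member_name, member_data)
    return buf.getvalue()


# Constructed sample attachments (hypothetical names and contents, not real campaign files).
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n",
    "SWIFT_MT103_Notification.pdf.js": b"var sh = new ActiveXObject('WScript.Shell'); sh.Run('cmd /c ...');",
    "MoneyGram_Receipt.pdf": b"eval(String.fromCharCode(118,97,114));",
    "Transfer_Notice.zip": build_zip({"Transfer_Notice.pdf.js": b"WScript.Echo('x');"}),
}


def run_samples() -> dict:
    """Map each (possibly archive-qualified) filename to the reasons it was flagged."""
    return {v.name: v.reasons for name, data in SAMPLES.items() for v in triage(name, data)}


if __name__ == "__main__":
    for name, reasons in run_samples().items():
        print(f"{name}: {'SUSPICIOUS ' + '; '.join(reasons) if reasons else 'clean'}")
```

The magic-header check is the one that catches the case described in the article: a file named `.pdf` that is not a PDF at all. The marker regex is deliberately coarse and will produce false positives on, for example, a genuine HTML attachment containing `eval(`, so in production it belongs in a scoring pipeline alongside sender reputation and sandbox detonation rather than as a hard block on its own.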
The newest version of the malware is highly adaptable and tailors its behaviour to the victim’s environment. “Depending on the victim’s environment, it goes right in and then actually bleeds them or poisons the environment, depending on what plug-ins are enabled,” said Gene Yoo, the CEO of Resecurity.
JSOutProx is well known in the financial industry of the Asia-Pacific region and is constantly evolving. The malware has been used to attack the customers of financial institutions in Taiwan, the Philippines, Singapore, India and, more recently, the Middle East, with its operators adapting their tactics to each country.
“The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the [Asia-Pacific] region as those entities have been more frequently targeted with this malware,” Visa said in its biannual threats report.
The JSOutProx remote access Trojan (RAT) “can run shell commands, download, upload, and execute files, manipulate the file system, establish persistence, take screenshots, and manipulate keyboard and mouse events,” Visa stated in its report. “These unique features allow the malware to evade detection by security systems and obtain a variety of sensitive payment and financial information from targeted financial institutions” and their customers.