Cybersecurity experts have identified a new corrupted script that is being spread in the wild disguised as a document. Often, these fake documents tend to use a valid file extension like '.RTF' or '.DOCX', but the implant in question arrives as a '.JS' file. This file contains a piece of JavaScript code that consists of over 10,000 lines, and all of them appear to be meaningless: the authors have applied multi-layer obfuscation, which makes it very difficult and time-consuming to reverse-engineer the obfuscation and reveal the real contents of the unsafe implant.

Analysis of the compromised JavaScript code revealed some interesting details, such as the fact that it is programmed to communicate with a control server situated in Oslo, Norway. Furthermore, the authors of the implant (called JsOutProx) have paid extra attention to implementing anti-analysis and code obfuscation techniques, which make it very difficult to decipher and analyze the corrupted script's behavior.

A Compromised JavaScript Implant Supports a Wide Array of Commands and Plugins

Nevertheless, their efforts were not enough to stop malware researchers, and cybersecurity experts have been able to observe the full scope of JsOutProx's abilities. Once initialized, JsOutProx drops its files into the %APPDATA% and %TEMP% folders and then creates a new Registry key that instructs the system to start these files whenever it boots up. After it is started, JsOutProx can be operated via remote commands sent from the control server. In its current form, the implant is able to complete the following tasks:

  • Restart or update itself.
  • Terminate itself and delete its files.
  • Control the infected machine to restart or turn off.
  • Execute JavaScript code.
  • Execute Visual Basic code.
  • Sleep for a specified time.
  • Load a '.NET' dynamic-link library.
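A defender-side check for the persistence behaviour described above, added here as an example and not code from the article or from the implant itself. It assumes the startup entry is a value under the Windows Run key (the article names no specific key) and scans constructed sample entries for .js files staged under %APPDATA% or %TEMP%, whether launched directly or via wscript/cscript.

```python
import re

# Constructed sample autorun entries (value name, command line) in the shape of
# HKCU\Software\Microsoft\Windows\CurrentVersion\Run values. Paths and names are
# invented for this example, not indicators taken from the article.
SAMPLE_AUTORUNS = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r'wscript.exe //B "C:\Users\alice\AppData\Roaming\svc\update.js"'),
    ("TempSvc", r'C:\Users\alice\AppData\Local\Temp\inv0ice.js'),
    ("Helper", r'"C:\Program Files\Vendor\helper.exe" C:\Users\alice\AppData\Roaming\helper.cfg'),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "wscript", "cscript"}
# %APPDATA% resolves to ...\AppData\Roaming and %TEMP% to ...\AppData\Local\Temp
STAGING_RE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Run-value command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def suspicious_reasons(cmdline):
    """Return the reasons a Run value looks like a dropped script implant."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    reasons = []
    js_tokens = [t for t in tokens if t.lower().endswith((".js", ".jse"))]
    launcher = tokens[0].lower().rsplit("\\", 1)[-1]
    if launcher in SCRIPT_HOSTS and js_tokens:
        reasons.append("script host launching .js")
    elif js_tokens:
        reasons.append(".js registered directly as autorun")
    # Only the script path matters here; a config file under AppData is benign.
    if any(STAGING_RE.search(t) for t in js_tokens):
        reasons.append("script stored under %APPDATA% or %TEMP%")
    return reasons


def flag_autoruns(entries):
    """Map each suspicious value name to its list of reasons."""
    flagged = {}
    for name, cmdline in entries:
        reasons = suspicious_reasons(cmdline)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in flag_autoruns(SAMPLE_AUTORUNS).items():
        print(f"{name}: {', '.join(reasons)}")
```

On a live host the same function can be fed the output of enumerating the Run keys under HKCU and HKLM, and the two staging-directory checks are the ones worth alerting on first.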

In addition to supporting these basic commands, the functionality of JsOutProx can be enhanced with the installation of custom-developed plugins:

  • Process Plugin – Enables the operator to kill processes or run new ones.
  • DNS Plugin – Can modify the infected machine's DNS configuration.
  • Token Plugin – Collects the 'Symantec VIP One Time Password' that businesses often use for multi-factor authentication.
  • Outlook Plugin – Collects account details, contacts and emails.
  • Prompt Plugin – Displays a custom message on the compromised device.

JsOutProx appears to be the product of experienced malware developers, and it is possible that an Advanced Persistent Threat (APT) group may be behind its development. However, no notable name has been linked to this operation yet. The latest versions of anti-virus engines should be able to detect and remove the JsOutProx implant with ease.
