Adversary Playbook: JavaScript RAT Looking for that Government Cheese

An Adversary Playbook by FortiGuard Labs

Adversary Playbooks provide detailed threat research on specific malicious campaigns or threat actors so organizations may better understand the threats they face and align their defenses accordingly.

Introduction

FortiGuards Labs recently discovered a malicious campaign targeting verticals in the governmental monetary and financial sectors in Asia. This campaign poses as a central bank of an Asian nation to compel a victim to open a compressed attachment containing a malicious HTA file. Once the HTA file is executed, it contains heavily obfuscated JavaScript that ultimately installs and runs a remote access trojan or RAT. What makes this unique from other attacks in this space is that it utilizes JsOutProx.

The attacker has also been careful to ensure that the campaign goes undiscovered. This playbook highlights the observed campaigns, the attack infrastructure, as well as provide new updates about this unique threat.

Background

The world continues to shift towards working from home, with the pandemic accelerating this shift. As a result, hybrid communications between corporate and home environments have seen an uptick, becoming the norm for many organizations. Before the pandemic, it was estimated that 3 percent of the United States workforce was working from home. That number is now forecast to be around 30 percent after 2021.ⁱ

Because of this radical shift, attackers now have a greater attack surface to target than ever before, including remote workers, personal devices, and home networks. Naturally, this includes the use of email, via spearphishing attacks. Scouring our feeds, were able to locate an interesting spearphishing attack and decided to investigate further, eventually leading us to identify a newly updated JsOutProx campaign. 

JsOutProx is a fully functional JavaScript remote access trojan (RAT) first discovered in December of 2019. The tactics, techniques, and procedures (TTPS) of the attackers behind JsOutprox indicate that these are experienced and sophisticated threat actors. Such indicators include the time and effort the attackers have taken to create this RAT, as well as regular updates that have made it more powerful. The actors also use specially-crafted social engineering campaigns that leverage specific technical jargon unique to the verticals being targeted in their spearphishing efforts.

JsOutProx also incorporates heavily obfuscated code and the use of Powershell to further along their endeavours. This playbook highlights updates not noted elsewhere for this relatively new malware family, as well as obeservations from FortiGuard Labs on the reuse of the infrastructure in other historical campaigns.

Not much is known of JsOutProx campaigns as occurrences of this family have been few and far between. First discovered by the YOROI team in December 2019, this malware family again resurfaced in another campaign spotted by the ZScaler team in May 2020. ZScaler observed that JsOutProx was infecting both governmental and financial institutions in India. Based on our findings, this latest run follows the same exact model. 

The names of the files containing malicious content attached to this most recent spearphishing campaign are called:

Pilipina_Anti-Money_Laundering_Council_Resolution_pdf.hta
SHA256 – [c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165]

Information_on_Compliance_officer_xlsx.hta
SHA256 - [f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a]

The first file was sent to users in the Philippines  working in the finance sector. It is specific to anti-money laundering and countermeasures. This is consistent with a similar campaign we found that used a forged email claiming to originate from an Asian government that offered training in this specific vertical as well.

Why is this important?

RATs are usually portable executable (PE) files. JavaScript RATs are not common, mostly because JavaScript simply does not offer as much flexibility as a PE file does. However, as JavaScript is used by many websites, it appears to most users as benign, as individuals with basic security knowledge are taught to avoid opening attachments that end in .exe. Also, because JavaScript code can be obfuscated, it easily bypasses antivirus detection, allowing it to filter through undetected.

The attackers in this case are most likely familiar with their targets. You can see this in the findings reported by YOROI (including the capability to intercept the one time password (OTP) token of a well known security vendor), the specially crafted emails from the Indian campaign observed by Zscaler, and from the usage of terms specific to a niche sector (Anti Money Laundering/FINTECH). At the very least, they’ve done their homework. They are not blindly sending emails to random organizations but have taken the time to hone their spearphishing efforts to compel unsuspecting victims into opening the malicious attachment. 

In this playbook, we will present our findings on not only the latest campaigns, but also newly discovered updates made to JsOutProx and its infrastructure. For a list of detailed indicators of compromise, please visit our Playbook Viewer.

Technical Details

In this latest example, the attackers are using an Asian government entity as a lure for their spearphishing tactics. It appears that the attackers are able to bypass spam filters by spoofing the email headers. A cursory analysis of the domains indicate that they originated from a well-known webhosting company with a large subnet. Investigating the headers, we see the attackers are utilizing the SMTP service of the webhosting company.

In keeping with their previous government and financial themes, this email was allegedly sent from the central bank of a country in Asia. The appeal of the email’s request for information relies on the fact that with more people coming back to work, it is not unheard of to want more information about prospective employees and employee training. At the very least, the email appears to have been custom-tailored to increase the effectiveness of this attack—not just in a technical sense, but also with the verbiage used in the spearphishing email. It contains terms, such as AML/CFT, which is the abbreviation for Anti Money Laundering/Countering Financial Terrorismⁱⁱ that would be familiar to receipients.

The attached archive contains the following Microsoft .HTA file:

Information_on_Compliance_officer_xlsx.hta
SHA256 - [f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a]

Once run, it communicates with the following command and control server using dynamic DNS (DDNS):

hxxp://myabiggeojs.myftp[.]biz:9895
185.195.79[.]210

It then launches the malicious JsOutProx JavaScript, which is a fully developed and functional remote access trojan (RAT). 

Variations on a Theme

This next section provides an analysis of the changes to JsOutProx that we have observed in this latest version versus the December and May variants. JsOutProx’s encoding and encryption routines largely remain similar to past variants.

The attackers went to great lengths to make sure that their tradecraft would not be easily understood. For example, we observed that the sample has over 5000 lines of obfuscated code. Because of this, FortiGuard Labs had to develop a custom tool to de-obfuscate the JavaScript to help us analyze the file, which saved us a great amount of time.

For example, when we ran our tool against the following sample

Information_on_Compliance_officer_xlsx.hta
SHA256 - [f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a]

it took over five hours to de-obfuscate and provide us with human readable strings for later analysis.

Standard JavaScript engines and emulators may not necessarily be able to display the relevant strings. A decryptor must be used to figure out what this threat does. Depending on resources, it may take several hours to decrypt the script. In the end, however, it becomes more readable.

One of the first things we noticed is that this RAT can be executed both as a JavaScript file on the command line, or as a .HTA file inside a window (in this case, inside mshta.exe). If it is inside a window, the threat tries to hide the window by resizing it to a height of zero pixels and a width of 0 pixels. Moreover, it gets moved to outside of the user’s viewable desktop for further evasion. 

New Additions to JsOutProx

Looking at the capabilities of this RAT, we see that it supports several commands. Newer commands have been highlighted in GREEN and commands that have been deprecated are highlighted in RED.

This new version accepts a new command called ‘rmz’ that modifies the zone identifier contained in the alternate data stream of downloaded files.

The malware may have had issues in the past with executing downloaded files. This newly added functionality helps fix that problem by attempting to move the downloaded files across different security zones.

JsOutProx can also use plugins. This allows the threat to be more modular and easier to update and maintain. Once again, new plugin commands are in GREEN while the deprecated plugin commands are in RED.

Looking at the two previous tables, several commands and plugins have been removed. While this may initially indicate that the malware is less powerful, the addition of the PowerShell plugin actually makes the malware more extensible, requires less overhead to maintain, and enables it to remain under the radar – aka “living off the land.” The following screenshot displays some of the capabilities of this new plugin:

Its ’capture’ function can take a screenshot of the user’s desktop in order to monitor what the user is seeing. The plugin also allows the attacker to operate the infected machine using a virtual keyboard and mouse. Previously, attackers could execute shell commands and file manager functionality such as copy and execute. With this new plugin however, the attacker is virtually sitting in front of the infected machine. Interestingly enough, the screenshell plugin also lumps in the option to execute either .HTA files or java (.jar) files, as seen in the screenshot below.

Connecting the Dots - JsOutProx Infrastructure – Same IP addresses, Different DDNS Domains

Example #1

The following sample

Pilipina_Anti-Money_Laundering_Council_Resolution_pdf.hta
[SHA256- c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165]  

was calling back to a C2 server at: hxxp://afghphae.gotdns[.]ch:9060 (185.19.85[.]156). Historical DNS queries for this IP address yield two additional DDNS C2 servers that resolve to the same IP address at:

hxxp://dirhaeednotrtup.hopto[.]org:9097
hxxp://martinluther[.]tk
hxxp://bushaka009.duckdns[.]org

Further investigation into this domain [dirhaeednotrtup.hopto[.]org:9097] yielded no results. The domain martinluther[.]tk doesn’t have a historical DNS entry, nor is any of the malware being run associated with it that we can see. 

[On a side note of interest, the Dot TK domain extension can be registered free of charge, making it a favorite of phishers and attackers alike. Please reference our blog from 2019 that highlights our findings on the abuse of these free services.]

However, as we dug deeper into our passive DNS records for the third DDNS domain [bushaka009.duckdns[.]org], we discovered a completely different campaign altogether, one that was leveraging multiple samples utilizing shipment schemes and leveraging the likeness of an international shipping company. Campaigns began originating from this DDNS domain as early as June 2020, with the last one seen in August. In the June campaigns, we saw that the attackers used the same infrastructure to distribute the Netwire RAT:

Document Second Page.exe
SHA256 [F17B89058372618DB540C2A8D16A13F59F21C88E21B651D196556207AB54E10C

In July, the following sample

Dhl Shipment Receipt.exe
SHA256 [43192b0a36d887844309b79dafa88bb2493539093d17bf7296e4bda2fe72dc49]

communicated with 185.19.85[.]156 under the same bushaka009.duckdns[.]org using the Formbook malware.

An expansion of this domain led us to this:

Our findings revealed 34 recent samples, from July to August of this year, which indicates that this is a recent campaign. Our analysis revealed a variety of malware families being used, such as Netwire, Remcos, Formbook, and other backdoors—all pointing to the same domain but resolving to different IP addresses at the same time.

Activity of [185.19.85[.]156] spans more than five years

Because of the multitude of samples and dynamic DNS domains tied to this one specific IP address [185.19.85[.]156], and to further satisfy our curiousity, we decided to investigate. As threat researchers, it is not unusual to research an attacker infrastructure to deduce any possible correlation to previous attacks. This can be a time consuming and exhausting process, because there are a lot of data points to pivot off of. Sometimes we come to a dead end as well. However, we sometimes find items of interest that help “paint a picture” that identify previous campaigns likely conducted by the same threat actor. Ultimately, this helps provide historical insight into the attackers’ TTPs, or identify a webhosting company allowing this activity to occur for years on end, thereby  enabling multiple attackers without any repercussion. 

Despite being a recently discovered campaign, our further research in this case revealed that the infrastructure used by the attacker, [185.19.85[.]156], has been in operation for over five years (as noted in this Dynamoo Blog.) We don’t know if this is the same group or if it is simply a bulletproof host catering to threat actors. The usage of RATs, the same DDNS services, and the same IP address 185.19.85[.]156 may be merely coincidental, but it raises some suspicion. 

Regardless of whether there is an actual connection, one assumption can be made: Based on the specific language contained in the spearphishing attacks, the infrastructure used, and the techniques seen in the evolving malware, this JsOutProx campaign is not your run-of-the-mill cybercrime operation. It is highly sophisticated, and notably, one that has significant resources available.

Example #2

Findings for this DDNS Domain were limited to the HTA files of JSOutProx and nothing else. We discovered during passive DNS analysis from our own Central Threat System (CTS) that the [185.195.79[.]210] IP address is shared between the two DDNS domains shown in the table below. 

Associated Files:

SHA256: [f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a]
SHA256: [8609210993F4EBC6AA5332B0E5EBE67720B8721E27FCEE79FC82A1C40B587A44]

Further analysis identified another JSOutProx campaign that followedthe same financial naming convention from August:

EASTERN-EX_Coverfund_Position-2020_xls.7z

SHA256: [8609210993F4EBC6AA5332B0E5EBE67720B8721E27FCEE79FC82A1C40B587A44]

Other than this, no other historical campaigns nor historical data could be found for either the domain or IP address used in this attack. It could be surmised that the attacker may be switching back and forth between hosts and DDNS aliases to thwart further analysis. Regarding the 151.106.60[.]163 IP address, only myabiggeojs.myftp[.]biz:9895 URLs were associated.

Example #3

No other historical campaigns nor historical data could be found for either the domain or IP address used in this attack. It could be surmised that the attacker may switch back and forth between hosts and DDNS aliases to thwart analysis.

Associated File:

SHA256 [03a80ceb3959f26b193175fc005bf418c4dc47b1e8d725e63a17a1418774b4b9]

Indicators of Compromise

f1027d6f01718030a66872a82134418984c2de82e1aff32cb7cc106bf8d3375a

C2:hxxp://myabiggeojs.myftp[.]biz:9895/

Detected as: JS/Agent.VAC!tr    

03a80ceb3959f26b193175fc005bf418c4dc47b1e8d725e63a17a1418774b4b9

C2: hxxp://posssdhm.ddns[.]net:9060/

Detected as: JS/Agent.VAC!tr.dldr

c10ea9b5aade9e98b7c87a6926fed6356d903440a17590c519aec7a54e1e5165

C2: hxxp://afghphae.gotdns[.]ch:9060/

Detected as: JS/Agent.VAC!tr    

8609210993F4EBC6AA5332B0E5EBE67720B8721E27FCEE79FC82A1C40B587A44

C2: hxxp://panarmjsdrew.gotdns[.]ch

Detected as: JS/Agent.VAC!tr

MITRE ATT&CK

Initial Access

• T1566.001: Spearphishing attachment

Execution

• T1059.001: Powershell
• T1059.003: Windows command Shell
• T1059.005: Visual Basic
• T1059.007: JavaScript

Persistence

• T1547.001: Registry Run Keys / Startup Folder
• T1564.003: Hidden Window

Defense Evasion

• T1202: Indirect Command Execution
• T1027: Obfuscated Files or Information

Discovery

• T1082: System Information Discovery

Collection

• T1113: Screen Capture

Command and Control

• T1571: Non-Standard Port

Impact

• T1529: System Shutdown/Reboot

Additional JSOutProx files

Other Associated Files and Campaigns Related to Threat Actor (Netwire, Tesla, etc.) 185.19.85[.]156

Learn more about FortiGuard Labs threat research and the FortiGuard Security Subscriptions and Services portfolio. Sign up for the weekly Threat Brief from FortiGuard Labs. 

Learn more about Fortinet’s free cybersecurity training initiative or about the Fortinet Network Security Expert program, Network Security Academy program, and FortiVet program.

ⁱWork-At-Home After Covid-19—Our Forecast 

https://globalworkplaceanalytics.com/work-at-home-after-covid-19-our-forecast

ⁱⁱFinTech AML Compliance Training 

https://baselgovernance.org/fintech-aml-compliance-training

This Adversary Playbook from FortiGuard Labs on the threat malware family known as “JsOutProx” was created for our customers, as well as part of our role in the Cyber Threat Alliance. For more information regarding this series of adversary playbooks being created by CTA members, please visit the Cyber Threat Alliance Playbook Whitepaper. Also view the FortiGuard Playbook Viewer detailing this campaign as mapped to MITRE’s Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK) model.