Visa warns dangerous new malware is attacking financial firms

The campaign targets mostly financial institutions in South and Southeast Asia, the Middle East, and Africa, and aims to drop a new version of the banking trojan called JsOutProx. "While PFD could not confirm the ultimate goal of the recently identified malware campaign, this eCrime group may have previously targeted financial institutions to conduct fraudulent activity."

Impersonating legitimate institutions

Unfortunately, we don’t know the name of the threat actor behind the campaign, or the number of companies that fell victim. The researchers speculate, based on the sophistication of the attacks, the profile of the victims, and their geographical location, that the attackers are most likely China-based, or at least China-affiliated.

We also know is that JsOutProx is a remote access trojan that was first spotted in late 2019, and is described as a “highly obfuscated” JavaScript backdoor that allows its users to run shell commands, download additional malware, run files, grab screenshots, control various peripherals, and establish persistence on the target endpoint. It’s hosted on a GitLab repository, apparently.

In the phishing emails, the attackers are impersonating legitimate institutions, showing victims fake SWIFT and MoneyGram payment notifications.

Phishing remains one of the most lucrative ways to deploy malware. It’s cheap and easily scalable, and now with the help of generative artificial intelligence, relatively difficult to spot. IT teams are advised to educate their employees to identify a phishing attack, as well as to install email security software, firewalls, and antivirus tools.

Via BleepingComputer

More from TechRadar Pro

• The US government is now investigating the Change Healthcare cyberattack
• Here's a list of the best firewalls around today
• These are the best endpoint security tools right now