{"id":90508,"date":"2021-10-21T18:08:32","date_gmt":"2021-10-21T12:38:32","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=90508"},"modified":"2023-09-11T12:47:03","modified_gmt":"2023-09-11T07:17:03","slug":"multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/multi-staged-jsoutprox-rat-targets-indian-cooperative-banks-and-finance-companies\/","title":{"rendered":"Multi-Staged JSOutProx RAT Targets Indian Co-operative Banks and Finance Companies"},"content":{"rendered":"\r\n<p>Quick Heal Security Labs has been monitoring various attack campaigns using the JSOutProx RAT against SMBs in the BFSI sector since January 2021. We have found multiple payloads being dropped at different stages of its operation. Although JSOutProx campaigns have previously been reported in other countries, those targeting Indian companies are operated through separate C2 domains. Let\u2019s dig deeper into the working of this targeted attack.<\/p>\r\n<p>JSOutProx is a modular JScript-based RAT delivered to the user as a .hta file and first executed by the mshta.exe process. The initial attack vector is a spear-phishing email with a compressed attachment containing a \u201c.hta\u201d file whose name relates to a financial transaction. The attachments have a double-extension-like format, for example \u201c_pdf.zip\u201d, \u201c_xlsx.7z\u201d, \u201c_xls.zip\u201d, \u201c_docx.zip\u201d, \u201c_eml.zip\u201d, \u201c_jpeg.zip\u201d, \u201c_txt.zip\u201d, etc.<\/p>\r\n<h3>Stages<\/h3>\r\n<p>The RAT is delivered in two stages. In the first stage, a minimal version is provided with some functionality stripped. 
In the second stage, a bigger version of the sample is delivered which, apart from the functionality of the first stage RAT, supports additional functions and plugins as well.<\/p>\r\n<h3>Initial Infection Vector<\/h3>\r\n<p>Spear <a href=\"https:\/\/blogs.quickheal.com\/differentiate-spam-phishing-emails\/\">phishing emails<\/a> are sent to targeted individuals who are employees of small finance banks in India. We believe the threat actor adds more targets to its list by stealing the email contacts of its victims. We observed multiple campaigns from Jan 2021 to June 2021 in which emails were sent to hundreds of targets in a single day. Sometimes several emails with different attachment names are sent to a single target to increase the chances of the user downloading and opening the attachment.<\/p>\r\n<h3>Obfuscation<\/h3>\r\n<p>The RAT was first observed two years ago, in 2019. Since then it has been upgraded with new commands, more functionality, and heavier obfuscation. The recent JScript files consist of more than one MB of obfuscated code, a vast array of base64-like strings, the malware\u2019s configuration data, and an RC4 string decryption function. The obfuscation pattern is unchanged from the older samples and is the same for both stages of the RAT.<\/p>\r\n<h3>RAT Configuration Data<\/h3>\r\n<p>Once the configuration data is decrypted, we get a glimpse of the malware\u2019s capabilities. The \u201cBaseUrl\u201d field points to the C2 domain and port number with which it communicates over HTTP. The \u201cPassword\u201d field is used while downloading plugins and assemblies from the C2. The \u201cTag\u201d field contains the campaign ID. The first samples, reported two years back, had the tag name \u201cJSOutProx\u201d, and hence the RAT was named as such. 
Below is a list of the initial fields present in the decrypted configuration data of one RAT sample.<\/p>\r\n<figure id=\"attachment_90516\" aria-describedby=\"caption-attachment-90516\" style=\"width: 611px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-90516\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/10\/a-300x175.jpg\" alt=\"\" width=\"611\" height=\"356\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/a-300x175.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/a-650x379.jpg 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/a-768x448.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/a-789x460.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/a.jpg 955w\" sizes=\"(max-width: 611px) 100vw, 611px\" \/><figcaption id=\"caption-attachment-90516\" class=\"wp-caption-text\">Fig 1: RAT configuration fields<\/figcaption><\/figure>\r\n<p>A few new fields, such as \u201cViewOnly\u201d, were seen in the recent samples. This field allows the controller to monitor the victim and gather victim information without writing or executing anything on the machine, so the malware does not create noisy events until the attacker decides to initiate the attack. Most of the initial fields are common to both stages.<\/p>\r\n<h3>First Stage RAT<\/h3>\r\n<p>The first stage RAT is a .hta file executed by the mshta.exe process. It can create registry and startup entries, create or terminate a process, perform file operations, download plugins, etc. 
It can also generate mouse and keyboard operations on the target machine using PowerShell scripts, through the \u201cScreenPShell\u201d commands shown in the screenshot below.<\/p>\r\n<figure id=\"attachment_90517\" aria-describedby=\"caption-attachment-90517\" style=\"width: 548px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-90517\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/10\/b-300x193.jpg\" alt=\"\" width=\"548\" height=\"353\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/b-300x193.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/b-606x390.jpg 606w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/b-768x494.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/b-789x508.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/b.jpg 935w\" sizes=\"(max-width: 548px) 100vw, 548px\" \/><figcaption id=\"caption-attachment-90517\" class=\"wp-caption-text\">Fig 2: A few RAT functions for screen operations and shellcode execution<\/figcaption><\/figure>\r\n<p>The essential plugins supported and their functionalities are as follows:<\/p>\r\n<ul>\r\n<li><strong>InfoPlugin -&gt;<\/strong> Collects and sends victim machine info to the C2.<\/li>\r\n<li><strong>File plugin -&gt;<\/strong> Performs all file system operations.<\/li>\r\n<li><strong>ProcessPlugin -&gt;<\/strong> Collects process information, creates or terminates a process.<\/li>\r\n<li><strong>ScreenPShellPlugin -&gt;<\/strong> Performs mouse and keyboard operations using PowerShell scripts.<\/li>\r\n<li><strong>ShellPlugin -&gt;<\/strong> In this, the \u201cShellExecute\u201d option uses the ShellExecute method of the Shell.Application object. If the user has admin privileges, it calls the ShellExecute method directly. If the command fails, it then tries to disable Windows Defender AntiSpyware through the registry. 
If the user is not an admin, it tries ShellExecute with elevated permissions using the \u2018runas\u2019 flag. The \u201cget output\u201d option uses the Run method of the WScript.Shell object and saves the output in a local file. It also fetches the user\u2019s keyboard language\/codepage to format the output correctly.<\/li>\r\n<\/ul>\r\n<p>Once the malware is executed, it communicates with the C2, which first responds with a PowerShell script that captures a screenshot and saves it in the temp directory. There are previous reports of the same PowerShell script being used in attacks against banks in the UK. The PowerShell script is shown below:<\/p>\r\n<figure id=\"attachment_90518\" aria-describedby=\"caption-attachment-90518\" style=\"width: 443px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-90518\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/10\/c-300x185.jpg\" alt=\"\" width=\"443\" height=\"273\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/c-300x185.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/c-633x390.jpg 633w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/c-768x473.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/c-789x486.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/c.jpg 1069w\" sizes=\"(max-width: 443px) 100vw, 443px\" \/><figcaption id=\"caption-attachment-90518\" class=\"wp-caption-text\">Fig 3: PowerShell Script fetched from C2<\/figcaption><\/figure>\r\n<h3>Second Stage RAT<\/h3>\r\n<p>The second stage RAT is dropped as a \u201c.js\u201d file in the startup folder or as a \u201c.tmp\u201d file in the %temp% folder and is executed using wscript.exe. It also uses a different C2 than the first stage sample. These samples are around three MB in size and support additional plugins. 
The inclusion of DotUtil functions enables it to download and execute .NET assemblies in memory. Some of the DotUtil functions are shown below:<\/p>\r\n<figure id=\"attachment_90519\" aria-describedby=\"caption-attachment-90519\" style=\"width: 436px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-90519\" src=\"https:\/\/blogs.quickheal.com\/wp-content\/uploads\/2021\/10\/d-256x300.jpg\" alt=\"\" width=\"436\" height=\"511\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/d-256x300.jpg 256w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/d-333x390.jpg 333w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/d-768x901.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/d-789x925.jpg 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2021\/10\/d.jpg 880w\" sizes=\"(max-width: 436px) 100vw, 436px\" \/><figcaption id=\"caption-attachment-90519\" class=\"wp-caption-text\">Fig 4: DotUtil functions to perform various .NET-based tasks<\/figcaption><\/figure>\r\n<p>The additional plugins supported in the second stage are as follows:<\/p>\r\n<ul>\r\n<li><strong>ActivityPlugin<\/strong> -&gt; Switches the RAT between an Online and an Offline state. When the state is online, it creates an adodb.stream object to save downloaded\/collected data on disk.<\/li>\r\n<li><strong>CensorMiniPlugin<\/strong> -&gt; Enables\/disables proxy settings on the user machine by modifying the registry key \u201cSoftware\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable\u201d.<\/li>\r\n<li><strong>AdminConsolePlugin<\/strong><\/li>\r\n<li><strong>CensorPlugin<\/strong><\/li>\r\n<li><strong>ClipboardPlugin<\/strong> -&gt; Copies the clipboard data and sends it to the C2. It can also modify clipboard data.<\/li>\r\n<li><strong>DnsPlugin<\/strong> -&gt; Used to set the DNS path. 
Adds or modifies an entry in C:\\Windows\\System32\\drivers\\etc\\hosts.<\/li>\r\n<li><strong>LibraryPlugin<\/strong> -&gt; Sends the list of .NET versions installed on the machine to the C2.<\/li>\r\n<li><strong>OutlookPlugin<\/strong> -&gt; Accesses the Outlook account details and contacts list.<\/li>\r\n<li><strong>PriviledgePlugin<\/strong> -&gt; In this, the \u201cUAC\u201d option writes to the registry location \u201cSOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\\u201d, setting the value 0 for the keys EnableLUA and ConsentPromptBehaviorAdmin. The \u201celevateScript\u201d option executes the script using wscript.exe with the batch mode option. The \u201celevateCommand\u201d option executes the command using WSH with the \u2018runas\u2019 flag. It also has options for UAC bypass techniques such as fodhelper.exe, Slui file handler hijacking, CompMgmtLauncher, EventViewer.exe, etc.<\/li>\r\n<li><strong>PromptPlugin<\/strong><\/li>\r\n<li><strong>ProxyPlugin<\/strong> -&gt; Sets the DNS path. Adds or modifies an entry in C:\\Windows\\System32\\drivers\\etc\\hosts.<\/li>\r\n<li><strong>ShortcutPlugin<\/strong> -&gt; Creates a shortcut file for a given executable, executes the shortcut file, gets the target of a shortcut file, or dumps the content of the file.<\/li>\r\n<li><strong>RecoveryPlugin<\/strong><\/li>\r\n<li><strong>TokensPlugin<\/strong> -&gt; Steals OTPs received from the Symantec VIP application.<\/li>\r\n<\/ul>\r\n<p>In the second stage, the RAT finally drops a C++-based Netwire RAT, again with a different C2 address. Last year we published our research on the Java-based Adwind RAT (https:\/\/www.seqrite.com\/blog\/java-rat-campaign-targets-co-operative-banks-in-india\/), in which a jar file was the main component. It also targeted co-operative banks in India with Covid-themed attachment names having a similar double-extension-like format. The various commands, configuration fields, and user-agent strings are identical in the JSOutProx and Adwind RATs. 
We believe the same threat actor might be linked to the JSOutProx RAT, having now changed tactics to drop similar jar files as the end payload rather than as the initial infection vector, in order to evade detection.<\/p>\r\n<p>With multiple stages of payloads dropped by the threat actor, remote commands can be executed through any of the available stages, which can be seen as an attempt to evade antivirus detection.<\/p>\r\n<p>We tracked the connections to the C2 domains to check whether the same fields are used in JSOutProx campaigns in other countries. It turned out that only Indian IPs had connected to the C2 locations found in the collected samples, confirming our assumption that this is a targeted attack on Indian BFSI companies only.<\/p>\r\n<p>With JavaScript-, JScript-, or Java-based malware, attackers keep inventing new ways to bypass static detection using different obfuscation techniques, but behaviour-based detection is a suitable defence against such attacks. We continue to monitor such threats to protect our customers and mitigate the attacks at different levels. 
At the same time, people working in the finance sector are advised to stay alert to such attack campaigns, as we expect more such attacks in the future.<\/p>\r\n<h2>IOCs<\/h2>\r\n<h4>JSOutProx Stage 1<\/h4>\r\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3c9f664193958e16c9c89423aefcb6c8<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 48adcbbc3ec003101b4a2bb0aa5a7e01<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5D16911FE4BCC7D6A82C79B88E049AF2<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 0B9B2BF97CE805CA5930966FB4DA967A<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5B2B4F989F684E265B03F8334576A20C<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 BEC6094A74E102A8D18630EE0EB053E3<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 988D384C68C95D28E67D6B8EDAF2EBE5<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 5111740D2EB8A8201231CB0E312DB88A<\/p>\r\n<h4>JSOutProx Stage 2<\/h4>\r\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 06396c2f1ac27f7a453d9461ad1af8a6<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 4876d3cc7b3b5990331a018c0b83ed03<\/p>\r\n<h4>Netwire<\/h4>\r\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 98fdee365893782b0639878c502fcfef<\/p>\r\n<h4>C2 Locations:<\/h4>\r\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 marcelbosgath.zapto.org:9790<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ruppamoda.zapto.org:9099<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 apatee40rm.gotdns.ch:9897 <br 
\/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 mathepqo.serveftp.com:9059<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 protogoo.ddnsking.com:9081<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 riyaipopa.ddns.net:9098<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 dirrcharlirastrup.gotdns.ch:8037<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 uloibdrupain.hopto.org:8909<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 gensamogh.myq-see.com:9059<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cccicpatooluma.hopto.org:5090<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 feednet.myftp.biz:6093<\/p>\r\n<h4>List of Filenames used in email attachments:<\/h4>\r\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CBS_applcation_details_xlsx.hta<br \/>\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0ANNEXURE_III_Exceeding_MDP_xlsx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Nodal_Police_Stations_furnished_MHA_GOI_New_Delhi_xlsx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Letter_dated_28_01_2021_jpg.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 rtgs-credited-wrong_account_pdf__ 4.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Transaction report for_0127012021_docx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Slip_RTGS_IDBI_To_HDFC_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Firewall_cRF_Login_access_details_pdf.hta<br 
\/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Comm_Bank_CLWS_Issues_&amp;_Solutions_PDF.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Inspection_Compliance_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 format-dist-wise-Cd_Ratio-pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 format_signatory_updation_PDO_138_docx__.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Information_regarding_CBS_details_update_xlsx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Late_Return_docx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Integrated_approach_brochure_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 2685-Vishwambharlal_Kanahiyalal_Bhoot_Attachment_Order_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Pmay_infoletter_copy_of_houses-xlsx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Annexure_Telangana_xlsx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Compliances_Inspections_2020-pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Circular-044_Introduction_Penalty_Charges_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 NPCI_Compliance_Form_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Raise_chargeback_POS_txn-Reg_docx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Karnataka_Vikas_Grameena_Bank_xlsx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 NFS_OC_No_354_RRN_format_pdf.hta<br 
\/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Exchange_information_details_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Neft_amount_credited_twice_dtd_09_03_2021_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 KYC_Circular_from_AO__03_March_2021_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 State_wise_ATM_Count_xls.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Payment_confirmation_details_acc_00190_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SR698684494_Transaction_Status_PDF.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SCAN1000000049A_JPEG.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Bridger_Sheet_OCSI_2_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Rewarding_SLBCs_for_APY_Performance_Pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 1_Format_EDU_LOAN_Annex_SLBC_April_March_2021_xlsx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Importance_RBI_advisory_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Transaction_Amount_215000_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Submission_Returns_Ext_time_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 PMJJBY_and_PMSBY_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3162_200727190525_001_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ISSUER_TRANSACTION_DT_17062021_docx.hta<br 
\/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Wrong_creditation_details_202101706_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 MIS_080914_27804790_txt.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ICICBANK_Transaction_06172021_009122021_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 NEFT_FORMAT_docx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ISSUER_TRANSACTION_DT_17062021.XML.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Transaction_0578976746474754656866_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 RTGS_FORM_AUTHORITY_LETTER_PDF.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 CRF_NEFT_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 STATUS_ENQUIRY_M0813100421890_docx.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Double_Neft_transactionS_Part_1_2_3_eml.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 REF_NO_N0092010323095704_PDF.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SCAN_202024110816_122827484_pdf.hta<br \/>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Annex_pdf.hta<\/p>\r\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; Quick Heal Security Labs has been monitoring various attack campaigns using JSOutProx RAT against different SMBs in the BFSI sector since January 2021. We have found multiple payloads being dropped at different stages of its operations. 
Although the RAT campaigns have also been previously reported on other countries, those targeting Indian companies are operated [&hellip;]<\/p>\n","protected":false},"author":46,"featured_media":90533,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1739,24],"tags":[1877,1876,1878,534,699,247,19,1123],"class_list":["post-90508","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-malware","tag-attacks","tag-jsoutprox","tag-bank","tag-cybersecurity","tag-india","tag-javascript","tag-news","tag-rat"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90508"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/46"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=90508"}],"version-history":[{"count":15,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90508\/revisions"}],"predecessor-version":[{"id":92077,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/90508\/revisions\/92077"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/90533"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=90508"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=90508"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=90508"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}