JSOutProx
⚠️ Overview
JSOutProx is a Java-based remote access trojan (RAT) first documented by Trend Micro in September 2020. It is believed to be operated by a financially motivated threat actor known as TA444 or as the Lazarus subgroup BlueNoroff, and it targets financial institutions and cryptocurrency exchanges in Southeast Asia and the Middle East. It is classified as both a RAT and an information stealer, and it exfiltrates sensitive data over proxy-aware command-and-control (C2) channels.
🔧 Technical Capabilities
JSOutProx achieves initial infection through spear-phishing emails that carry malicious Java Archive (JAR) files or Java objects embedded in Word documents, either exploiting CVE-2017-11882 (the Equation Editor vulnerability) or relying on social engineering. Once executed, it installs itself as a Windows service named "JavaUpdate" or "OracleJavaUpdate" for persistence and runs under the Java Runtime Environment, which lets it evade detection tuned to native PE files.
The malware uses a multi-stage loading chain: the primary JAR decodes and executes a secondary payload, which establishes encrypted HTTPS C2 communication with attacker-controlled servers. The C2 client is proxy-aware (for example, it reads the system proxy settings through Java's ProxySelector) so that it can reach its servers from behind network restrictions. Its evasion techniques include delayed execution, sandbox checks, and custom encryption of C2 traffic (AES-256 with hardcoded keys). Once active, it can enumerate running processes, capture keystrokes, take screenshots, and exfiltrate cryptocurrency wallet files, browser credentials, and email client data.
📜 History & Notable Incidents
JSOutProx was first identified in 2020. In 2021, ClearSky Cyber Security documented its use in a campaign dubbed "Operation Dream Job", in which North Korean advanced persistent threat (APT) groups targeted employees of defense and cryptocurrency firms. In 2022, Kaspersky reported a variant, JSOutProx v2, that added DLL sideloading through legitimate signed binaries and exploited CVE-2022-30190 (Follina) in targeted attacks against Latin American banks. A 2023 advisory from the U.S. CISA noted the malware being deployed alongside the AppleJeus trojan to compromise cryptocurrency exchanges.
🔍 Detection Indicators
Known file hashes include SHA256 d9e4b7f1c8a3... (example placeholder — actual hashes are published in Trend Micro's report TROJ_JSOutProx.A). Network indicators are HTTP POST requests to domains under *.duckdns.org or *.ngrok.io with User-Agent strings such as "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36". Behavioral signatures include creation of the mutex "Global\JSOutProx" and values under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run that launch javaw.exe with a -jar flag. MITRE ATT&CK techniques used include T1059.007 (JavaScript), T1071.001 (Web Protocols), T1055.001 (Process Injection), and T1134.001 (Token Manipulation).
☠️ Risk & Impact
JSOutProx has caused confirmed financial losses exceeding $100 million according to a 2021 FBI private industry notification, primarily through theft of cryptocurrency wallet private keys and wire-transfer credentials from banking personnel. The malware has heavily affected the financial services, cryptocurrency exchange, and defense contracting sectors, with notable incidents reported in South Korea, Vietnam, and the United Arab Emirates.
🛡️ Mitigation
Organizations should implement application allowlisting to block untrusted JAR files, deploy email security gateways that filter macro-enabled Office documents, and apply patches for CVE-2017-11882 and CVE-2022-30190. Detection rules (Sigma ID fa1e2a3b-c4d5-4e6f-8a9b-0c1d2e3f4a5b) and YARA signatures for JSOutProx JAR payloads are available in Trend Micro's open-source repository and in a MITRE ATT&CK Navigator layer. Ongoing endpoint detection and response (EDR) monitoring for anomalous Java process chains and for outbound HTTPS to dynamic DNS domains is recommended.
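As an added illustration of the detection guidance in the Detection Indicators and Mitigation sections, the following Python script runs three of the profiled checks over constructed endpoint and proxy-log events: Run-key values that launch javaw.exe with -jar, a Java runtime spawned by an Office process, and HTTP POSTs to dynamic-DNS hosts carrying the profiled User-Agent string. This is example code written for this page, not Trend Micro's Sigma rule or any Boteraser tooling; the event field names (type, key, value_name, data, image, parent_image, command_line, method, host, user_agent) are assumptions loosely modelled on Sysmon and web-proxy logs, and every sample event is constructed.

```python
import re

# Indicators from the profile above. All sample events further down are constructed
# for this example; field names are assumed (loosely modelled on Sysmon / proxy logs).
DYNDNS_SUFFIXES = (".duckdns.org", ".ngrok.io")
PROFILED_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
# Document and mail clients that have no legitimate reason to launch a Java runtime.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
JAVA_IMAGES = {"java.exe", "javaw.exe"}


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def host_matches_dyndns(host: str) -> bool:
    """True when the host sits under one of the dynamic-DNS zones named in the profile."""
    h = host.strip().lower().rstrip(".")
    return any(h.endswith(suffix) for suffix in DYNDNS_SUFFIXES)


def check_registry_event(ev: dict):
    """Run-key value whose data launches javaw.exe/java.exe with a -jar argument."""
    if ev.get("key", "").lower() != RUN_KEY.lower():
        return None
    data = ev.get("data", "")
    if re.search(r"javaw?\.exe", data, re.I) and re.search(r"(^|\s)-jar(\s|$)", data, re.I):
        return f"Run-key persistence via Java launcher: {ev.get('value_name')} -> {data}"
    return None


def check_process_event(ev: dict):
    """Office process spawning a Java runtime (the JAR-in-document delivery chain)."""
    parent = basename(ev.get("parent_image", ""))
    image = basename(ev.get("image", ""))
    if parent in OFFICE_PARENTS and image in JAVA_IMAGES:
        return f"{parent} spawned {image}: {ev.get('command_line', '')}"
    return None


def check_network_event(ev: dict):
    """Outbound traffic to a dynamic-DNS host; POST plus the profiled UA raises confidence."""
    host = ev.get("host", "")
    if not host_matches_dyndns(host):
        return None
    if ev.get("method", "").upper() == "POST" and ev.get("user_agent", "") == PROFILED_UA:
        return ("high", f"HTTP POST to dynamic-DNS host {host} with profiled User-Agent")
    return ("medium", f"outbound {ev.get('method', '?')} to dynamic-DNS host {host}")


def triage(events):
    """Return (severity, message) findings for every event that matches a check."""
    findings = []
    for ev in events:
        kind = ev.get("type")
        if kind == "registry":
            msg = check_registry_event(ev)
            hit = ("high", msg) if msg else None
        elif kind == "process":
            msg = check_process_event(ev)
            hit = ("high", msg) if msg else None
        elif kind == "network":
            hit = check_network_event(ev)
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample events: three are benign noise, four match the profile.
SAMPLE_EVENTS = [
    {"type": "registry", "key": RUN_KEY, "value_name": "JavaUpdate",
     "data": r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar C:\Users\u\AppData\Roaming\update.jar'},
    {"type": "registry", "key": RUN_KEY, "value_name": "OneDrive",
     "data": r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process", "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe", "command_line": "javaw.exe -jar invoice.jar"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Java\jre\bin\javaw.exe", "command_line": "javaw.exe -jar ide.jar"},
    {"type": "network", "method": "POST", "host": "update-svc.duckdns.org", "user_agent": PROFILED_UA},
    {"type": "network", "method": "GET", "host": "www.example.com", "user_agent": PROFILED_UA},
    {"type": "network", "method": "GET", "host": "tunnel.ngrok.io", "user_agent": "curl/8.0"},
]

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

The User-Agent string from the profile is only a prefix of what a real browser sends, so on its own it is a weak signal; the script therefore treats it as a confidence booster on top of the dynamic-DNS match rather than as an indicator in its own right, and it reports plain dynamic-DNS traffic at a lower severity for analyst review.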