Multi-Staged JSOutProx RAT Targets Indian Co-operative Banks and Finance Companies
released on 2021-10-25 @ 03:56:43 PM
Quick Heal Security Labs has been monitoring various attack campaigns using the JSOutProx RAT against different SMBs in the BFSI sector since January 2021. Quick Heal Security Labs has found multiple payloads being dropped at different stages of its operation. Although RAT campaigns have also been previously reported in other countries, those targeting Indian companies are operated through separate C2 domains.
JSOutProx is a modular JScript-based RAT delivered to the user as a .hta file and first executed by the mshta.exe process. The initial attack vector is a spear-phishing email with a compressed attachment containing a “.hta” file whose file name relates to a financial transaction. The attachment names have a double-extension-like format, for example “_pdf.zip”, “_xlsx.7z”, “_xls.zip”, “_docx.zip”, “_eml.zip”, “_jpeg.zip”, “_txt.zip”, etc.
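The two delivery traits above (a document-type token in front of the archive extension, and a .hta member inside the archive) can be turned into a mail-gateway triage check. The following is an added example, not Quick Heal's code; the token list and archive extensions come from the text, the sample archive and file names are constructed, and only ZIP archives are inspected (7z would need an extra reader).

```python
import io
import re
import zipfile

# Archive names shaped like "<something>_pdf.zip": a document-type token
# before the archive extension. Tokens and extensions are the ones listed
# above; the pattern is an assumption about how the lures are named.
DOUBLE_EXT_RE = re.compile(
    r"_(pdf|xlsx|xls|docx|eml|jpeg|txt)\.(zip|7z)$", re.IGNORECASE
)

# Member types that mshta.exe will execute; .hta is the one the page names.
SCRIPT_HOST_EXTS = (".hta",)


def suspicious_name(filename: str) -> bool:
    """True if the attachment name uses the double-extension-like pattern."""
    return DOUBLE_EXT_RE.search(filename) is not None


def archive_members_of_interest(data: bytes) -> list:
    """Names of ZIP members that would run under mshta.exe (empty if not a ZIP)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(SCRIPT_HOST_EXTS)]
    except zipfile.BadZipFile:
        return []


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine both signals: both present -> block, one -> review, none -> allow."""
    members = archive_members_of_interest(data)
    name_hit = suspicious_name(filename)
    if name_hit and members:
        verdict = "block"
    elif name_hit or members:
        verdict = "review"
    else:
        verdict = "allow"
    return {"filename": filename, "name_pattern": name_hit,
            "hta_members": members, "verdict": verdict}


def build_zip(members: dict) -> bytes:
    """Constructed sample archive (not a real lure) for offline testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_zip({"Payment_Advice_pdf.hta": "<html></html>"})  # constructed
    benign = build_zip({"invoice.pdf": "%PDF-1.4"})                  # constructed
    print(triage_attachment("Payment_Advice_pdf.zip", lure))   # verdict: block
    print(triage_attachment("quarterly_report.zip", benign))   # verdict: allow
```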