Visa is warning its partners, clients, and customers, of an ongoing phishing attack that aims to deliver a banking trojan.
The Visa Payment Fraud Disruption (PDF) unit sent out a security alert to card issuers, processors, and acquirers, noting it had observed a new phishing campaign that started in late March this year.
The campaign targets mostly financial institutions in South and Southeast Asia, the Middle East, and Africa, and aims to drop a new version of the banking trojan called JsOutProx. “While PFD could not confirm the ultimate goal of the recently identified malware campaign, this eCrime group may have previously targeted financial institutions to conduct fraudulent activity.”
Impersonating legitimate institutions
Unfortunately, we don’t know the name of the threat actor behind the campaign, or the number of companies that fell victim. The researchers speculate, based on the sophistication of the attacks, the profile of the victims, and their geographical location, that the attackers are most likely China-based, or at least China-affiliated.
We also know is that JsOutProx is a remote access trojan that was first spotted in late 2019, and is described as a “highly obfuscated” JavaScript backdoor that allows its users to run shell commands, download additional malware, run files, grab screenshots, control various peripherals, and establish persistence on the target endpoint. It’s hosted on a GitLab repository, apparently.
In the phishing emails, the attackers are impersonating legitimate institutions, showing victims fake SWIFT and MoneyGram payment notifications.
Phishing remains one of the most lucrative ways to deploy malware. It’s cheap and easily scalable, and now with the help of generative artificial intelligence, relatively difficult to spot. IT teams are advised to educate their employees to identify a phishing attack, as well as to install email security software, firewalls, and antivirus tools.
Via BleepingComputer
+ There are no comments
Add yours