Visa is warning its partners, clients and customers about an ongoing phishing attack that aims to deliver a banking Trojan.
The Visa Payment Fraud Disruption (PFD) Unit sent a security alert to card issuers, processors and acquirers, noting that it had observed a new phishing campaign that started in late March this year.
The campaign mainly targets financial institutions in South and Southeast Asia, the Middle East and Africa, and aims to drop a new version of the banking trojan called JsOutProx. “While PFD could not confirm the ultimate goal of the recently identified malware campaign, this eCrime group may have previously targeted financial institutions to conduct fraudulent activities.”
Impersonating legitimate institutions
Unfortunately, we do not know the name of the threat actors behind the campaign, or the number of companies that fell victim. The researchers speculate, based on the sophistication of the attacks, the profile of the victims and their geographic location, that the attackers are most likely based in China, or at least China-affiliated.
We also know that JsOutProx is a remote access trojan that was first spotted in late 2019 and is described as a “very obscure” JavaScript backdoor that allows its operators to execute shell commands, download additional malware, execute files, take screenshots, control various peripherals, and establish persistence on the target endpoint. It is apparently hosted in a GitLab repository.
In the phishing emails, the attackers pose as legitimate institutions, showing victims fake SWIFT and MoneyGram payment notifications.
Phishing remains one of the most lucrative ways to deploy malware. It is cheap and easily scalable, and now with the help of generative artificial intelligence, relatively difficult to recognize. IT teams are advised to train their employees to identify a phishing attack, and to install email security software, firewalls and anti-virus programs.
Via BleepingComputer