Solar Spider Expands Malware Attacks to Saudi Arabia

Todd Faulk
Senior Editor
Published on: April 9, 2024

The China-linked Solar Spider cybercriminal group recently rolled out malware targeting Saudi financial institutions, expanding from its traditional operating areas in Southeast Asia and India. Resecurity, a cybersecurity firm familiar with Solar Spider’s tactics, reported the new cyberattack campaign in early April.

Resecurity discovered that a new version of Solar Spider's infamous JSOutProx malware was used in February to target an undisclosed Saudi regional bank and its customers. The attack began with a phishing email posing as a SWIFT funds transfer notification. Once a bank employee opened the attached PDF file, the JSOutProx JavaScript backdoor gave the attackers access to the bank's customer records.

The malicious program then collected customer account information and credentials, and the attackers used that data to target the bank's customers with similar phishing emails, this time posing as MoneyGram transfer notices. Once a customer took the bait, their bank accounts could be drained.
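The article does not say how the PDF lure delivered the backdoor, so the following is an added triage check rather than anything from the report or from Resecurity: it covers the two generic ways an attachment that presents as a PDF can carry JavaScript. Either the file is not a PDF at all (a script with a PDF-looking name, such as a double extension), or it is a real PDF that embeds JavaScript or auto-run actions. The filenames and byte samples are constructed for the example.

```python
# Added example (not from the article or from Resecurity/Visa): triage
# email attachments that claim to be PDFs. The attachment-to-backdoor
# mechanics of the campaign are not described on the page; this check is
# generic and assumes nothing beyond "a PDF lure carrying JavaScript".
import re

PDF_MAGIC = b"%PDF-"

# PDF dictionary keys that introduce script or auto-run behaviour.
ACTIVE_CONTENT_MARKERS = (rb"/JavaScript\b", rb"/JS\b", rb"/OpenAction\b",
                          rb"/AA\b", rb"/Launch\b")

# Windows Script Host / ActiveX names a plain JavaScript file would use to
# reach the operating system; a real PDF has no reason to contain them.
WSH_PATTERN = re.compile(rb"\b(?:WScript|ActiveXObject)\b")


def triage_attachment(filename: str, data: bytes) -> dict:
    """Return findings for one attachment; 'suspicious' is True if any fire."""
    name = filename.lower()
    claims_pdf = ".pdf" in name
    is_pdf = data.startswith(PDF_MAGIC)
    findings = []

    # 1. Name says PDF, bytes say otherwise (e.g. notice.pdf.js or a renamed script).
    if claims_pdf and not is_pdf:
        findings.append("filename suggests PDF but content lacks the %PDF- header")
    if claims_pdf and not name.endswith(".pdf"):
        findings.append("double extension: " + filename)

    # 2. Genuine PDF that embeds JavaScript or auto-run actions.
    active = []
    if is_pdf:
        for pat in ACTIVE_CONTENT_MARKERS:
            m = re.search(pat, data)
            if m:
                active.append(m.group(0).decode())
        if active:
            findings.append("PDF contains active content: " + ", ".join(active))

    # 3. Script-host references anywhere in the bytes.
    if WSH_PATTERN.search(data):
        findings.append("references Windows Script Host / ActiveX")

    return {"filename": filename, "is_pdf": is_pdf,
            "active_content": active, "findings": findings,
            "suspicious": bool(findings)}


def triage_all(attachments):
    """Triage (filename, bytes) pairs and return only the suspicious results."""
    return [r for r in (triage_attachment(n, d) for n, d in attachments)
            if r["suspicious"]]


# Constructed sample attachments (not real campaign artefacts).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
              b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
JS_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
          b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
          b"3 0 obj\n<< /S /JavaScript /JS (app.alert('hello')) >>\nendobj\n"
          b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
FAKE_PDF_SCRIPT = b"var sh = new ActiveXObject('WScript.Shell');\n"

SAMPLE_ATTACHMENTS = [
    ("monthly_statement.pdf", BENIGN_PDF),
    ("SWIFT_transfer_notice.pdf", JS_PDF),
    ("SWIFT_MT103.pdf.js", FAKE_PDF_SCRIPT),
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_ATTACHMENTS):
        print(r["filename"], "->", "; ".join(r["findings"]))
```

The marker scan is a heuristic for mail-gateway triage, not a PDF parser: object streams and filters can hide the keys, so a hit is a reason to detonate or strip the file, and a miss is not a clean bill of health.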

The newest version of the malware is very flexible and adapts itself to the victim's circumstances. "Depending on the victim's environment, it goes right in and then actually bleeds them or poisons the environment, depending on what plug-ins are enabled," said Gene Yoo, the CEO of Resecurity.

JSOutProx is well known in the financial industry of the Asia-Pacific region and is constantly evolving. The malware has been used to attack the customers of financial institutions in Taiwan, the Philippines, Singapore, India, and more recently, the Middle East, often changing tactics in each country.

“The JSOutProx malware poses a serious threat to financial institutions around the world, and especially those in the [Asia-Pacific] region as those entities have been more frequently targeted with this malware,” Visa said in its biannual threats report.

The JSOutProx remote access Trojan (RAT) “can run shell commands, download, upload, and execute files, manipulate the file system, establish persistence, take screenshots, and manipulate keyboard and mouse events,” Visa stated in its report. “These unique features allow the malware to evade detection by security systems and obtain a variety of sensitive payment and financial information from targeted financial institutions” and their customers.

About the Author

Todd Faulk is a Senior Editor at SafetyDetectives. He has more than 20 years of professional experience editing intelligence reports, course plans, and online articles. He's a freelancer who has produced work for a wide variety of clients, including the US Government, financial institutions, and travel and technology websites. Todd is a constant traveler, writer of his own travel blog, and avid reader of new developments in science and technology.