CyberSecurity news
@www.microsoft.com
Microsoft is warning of a rise in attacks in which threat actors misuse the Node.js runtime to deliver malware and steal sensitive information. The campaigns, ongoing since October 2024, rely on malvertising to lure victims to fraudulent websites impersonating cryptocurrency platforms such as Binance and TradingView, where they are tricked into downloading installers disguised as the legitimate software. Once the malicious installer runs, it triggers a multi-stage chain that ends in information theft and data exfiltration from the compromised system.
The chain begins with a malicious DLL embedded in the installer. The DLL gathers system information and establishes persistence through a scheduled task. To keep up the appearance of legitimacy, a decoy browser window is opened showing a real cryptocurrency trading website. The scheduled task then runs PowerShell commands designed to evade Microsoft Defender: they add exclusions so that neither the running PowerShell process nor the current directory is scanned. Obfuscated scripts are then launched to collect extensive system, BIOS and OS information, which is structured as JSON and exfiltrated over HTTP POST.
The final stage downloads and launches the Node.js runtime together with a compiled JavaScript file and supporting library modules. Once running, the malware establishes network connections, installs certificates, and exfiltrates browser credentials and other sensitive data. Microsoft has observed threat actors leveraging Node.js characteristics such as cross-platform compatibility and access to system resources to blend malware in with legitimate applications, bypass conventional security controls, and persist in target environments. Node.js itself is not being exploited here: no vulnerability in the runtime is involved. A legitimate interpreter is being abused as a loader and execution environment for malicious code, which is exactly why the activity blends in so well.
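The chain described above leaves three artifacts on a Windows host that a defender can check for directly: Defender exclusions covering PowerShell or a user-writable directory, a scheduled task that launches powershell.exe or node.exe, and a node.exe process running from somewhere other than the normal install location. The PowerShell triage script below is an added example, not code from Microsoft's post or from any of the referenced articles. The keyword patterns, the "Program Files\nodejs" install path and the user-writable directory names are illustrative assumptions, not campaign indicators; the cmdlets (Get-MpPreference, Get-ScheduledTask, Get-CimInstance) are standard Windows cmdlets.

```powershell
# Added triage example, not from the Microsoft report. Each function returns a list of
# findings; an empty result means that check found nothing suspicious.
# The match patterns below are assumptions chosen for illustration, not real IOCs.

function Get-SuspiciousDefenderExclusions {
    # Exclusions are added with Add-MpPreference -ExclusionProcess / -ExclusionPath;
    # Get-MpPreference shows the resulting lists (empty arrays or $null when none exist).
    $pref = Get-MpPreference
    $findings = @()
    foreach ($p in $pref.ExclusionProcess) {
        # An interpreter excluded from scanning is a classic defense-evasion footprint.
        if ($p -match '(powershell(_ise)?|pwsh|node)\.exe$') {
            $findings += [pscustomobject]@{ Kind = 'ExclusionProcess'; Value = $p }
        }
    }
    foreach ($p in $pref.ExclusionPath) {
        # Downloaded installers land under the user profile or temp trees (assumed list).
        if ($p -match '\\Users\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Downloads\\') {
            $findings += [pscustomobject]@{ Kind = 'ExclusionPath'; Value = $p }
        }
    }
    $findings
}

function Get-SuspiciousScheduledTasks {
    # Skip Microsoft's own task folders; review tasks whose action runs an interpreter
    # with download, hidden-window or Defender-tampering arguments.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)"
            $runsInterpreter = $cmd -match '\b(powershell|pwsh|node)(\.exe)?\b'
            $hasEvasionFlags = $cmd -match '-(e|ec|enc|encodedcommand)\s|-nop\b|-ep\s+bypass|-w(indowstyle)?\s+hidden|Add-MpPreference|Invoke-WebRequest|\biwr\b|DownloadString|\bcurl\b'
            if ($runsInterpreter -and $hasEvasionFlags) {
                [pscustomobject]@{
                    TaskName = $task.TaskName
                    TaskPath = $task.TaskPath
                    RunAs    = $task.Principal.UserId
                    Command  = $cmd
                }
            }
        }
    }
}

function Get-SuspiciousNodeProcesses {
    # Win32_Process gives the image path, parent and full command line in one query.
    # The expected install path is an assumption; nvm/fnm users will have other paths.
    Get-CimInstance Win32_Process -Filter "Name = 'node.exe'" | ForEach-Object {
        $exe = $_.ExecutablePath
        if (-not $exe -or $exe -notmatch '^C:\\Program Files( \(x86\))?\\nodejs\\node\.exe$') {
            $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            [pscustomobject]@{
                Pid        = $_.ProcessId
                Path       = $exe
                ParentName = $parent.Name
                CmdLine    = $_.CommandLine
            }
        }
    }
}

# Run all three checks and print whatever turns up.
Get-SuspiciousDefenderExclusions | Format-Table -AutoSize
Get-SuspiciousScheduledTasks     | Format-Table -AutoSize
Get-SuspiciousNodeProcesses      | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since Get-MpPreference and the task enumeration return more complete data as an administrator. A hit in any one list is a lead, not a verdict: developers legitimately run node.exe from version-manager directories, and some software does register PowerShell-based tasks. The combination described on this page, an exclusion for the PowerShell process plus a task that adds it plus node.exe launched from a download directory with a compiled script, is what should trigger isolation and a look at outbound HTTP POST traffic from the host.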
References:
- Microsoft Security Blog (www.microsoft.com): Threat actors misuse Node.js to deliver malware and other malicious payloads
- www.microsoft.com: Microsoft warns of a malvertising campaign using Node.js to deliver malware
- securityonline.info: Node.js Misused in Malvertising Campaigns to Deliver Stealthy Malware
- securityonline.info: Malware spread via Node.js exploitation on the rise
- cyberinsider.com: Microsoft: Node.js Increasingly Used for Malware Delivery and Data Theft
- The Hacker News: Node.js Malware Campaign Targets Crypto Users with Fake Binance and TradingView Installers
- securityaffairs.com: Node.js malvertising campaign targets crypto users
- Know Your Adversary: Microsoft presented a on how adversaries misuse Node.js to deliver malware.
- www.scworld.com: Malware spread via Node.js exploitation on the rise
Classification:
- HashTags: #NodejsMalware #Malvertising #DataTheft
- Company: Microsoft
- Target: Crypto Users
- Product: Node.js
- Feature: malware delivery
- Type: Malware
- Severity: Major