CyberSecurity news

FlagThis - #backdoor

Veronika Telychko@SOC Prime Blog //

Mocha Manakin Uses NodeJS Backdoor via Paste-and-Run

Mocha Manakin, a threat actor named by Red Canary, is employing a sophisticated "paste-and-run" technique to compromise systems. This method involves tricking users into executing malicious scripts via PowerShell, leading to the deployment of a custom NodeJS backdoor known as NodeInitRAT. Red Canary's report highlights that this backdoor could potentially lead to ransomware attacks. SocPrime has also released information regarding the detection of Mocha Manakin attacks, emphasizing the backdoor's capabilities.

Red Canary notes the adversary leverages ClickFix technique to deliver NodeJS-based backdoor named NodeInitRAT. Hunting for suspicious events related to PowerShell spawning node.exe can be an effective detection method. Security analysts can monitor process creation events where powershell.exe is the parent process and node.exe is the child process to identify potentially malicious activity associated with the NodeInitRAT backdoor.

Soc Prime offers Sigma rules to detect Mocha Manakin paste-and-run attacks spreading the NodeInitRAT backdoor. It's crucial to detect this threat as early as possible, as researchers note overlaps with Interlock ransomware. These rules can aid in identifying suspicious behavior and mitigating the risk of further compromise, including data exfiltration and ransomware deployment.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • redcanary.com: Red Canary's report on Mocha Manakin details the use of NodeInitRAT and provides detection strategies.
  • SOC Prime Blog: SocPrime provides information on detecting Mocha Manakin attacks, focusing on the backdoor's capabilities and associated ransomware.
  • redcanary.com: Named by Red Canary, Mocha Manakin uses paste and run with PowerShell to drop a custom NodeJS backdoor that could lead to ransomware
  • socprime.com: Mocha Manakin Attack Detection: Hackers Spread a Custom NodeJS Backdoor Dubbed NodeInitRAT Using the Paste-and-Run Technique
  • cyberpress.org: Mocha Manakin Exploits Paste-and-Run Method to Deceive Users into Downloading Malware
  • hackread.com: New Mocha Manakin Malware Deploys NodeInitRAT via Clickfix Attack
  • Virus Bulletin: Red Canary researchers analyse a Mocha Manakin activity cluster that delivers NodeJS backdoor via Clickfix/fakeCAPTCHA.
Classification:
  • HashTags: #NodeJS #Backdoor #Ransomware
  • Target: Various Organizations
  • Attacker: Mocha Manakin
  • Feature: Paste-and-Run
  • Malware: NodeInitRAT
  • Type: Malware
  • Severity: Medium

Posts

Blogs

Research Tools