Microsoft is bringing attention to the ongoing Malvertising campaign that uses node.js to provide malicious payloads that allow information theft and data removal.
First detected in October 2024, this activity uses lures associated with cryptocurrency trading to trick users into installing rogue installers from rogue websites disguised as legitimate software such as Binance and TradingView.
The downloaded installer has an embedded dynamic link library (“Customactions.dll”) that uses Windows Management Instrumentation (WMI) to harvest basic system information and sets host persistence through scheduled tasks.
To maintain Ruse, the DLL launches a browser window via “msedge_proxy.exe” which displays legitimate cryptocurrency trading websites. It is worth noting that “mseded_proxy.exe” can be used to display it as a website as a web application.
On the other hand, scheduled tasks are configured to run PowerShell commands to download from the remote server’s additional script. This excludes running PowerShell processes and prevents Microsoft Defender for Endpoint from being scanned as a method of Sidestep detection.
Once exclusions are set, obfuscated PowerShell commands are executed to retrieve and run scripts from remote URLs that can collect extensive information related to the operational system, BIOS, hardware, and installed applications.
All captured data is converted to JSON format and sent to the Command and Control (C2) server using HTTPS POST requests.
The attack chain proceeds to the next phase, where another PowerShell script is launched and downloads the archive file from C2 containing the node.js runtime binaries and JavaScript compiled (JSC) files. Running a node.js executable kickstart JSC file establishes a network connection and perhaps establishes siphon sensitive browser information.
The alternative infection sequence observed by Microsoft employs the ClickFix strategy, which uses Inlious PowerShell commands to download node.js binaries and uses them to run JavaScript code directly, rather than from a file.
Inline JavaScript performs network discovery activities to identify high value assets, disguise C2 traffic as legitimate cloudflare activity flying under the radar, and gains persistence by changing the execution key in the Windows registry.
“Node.js is an open source, cross-platform JavaScript runtime environment that allows JavaScript code to run outside of a web browser,” says Tech Giant. “Developers can build front-end and back-end applications, which is widely used and trusted by developers.”
“However, threat actors are trying to leverage these node.js characteristics to bypass malware and legal applications, traditional security controls and persist in the target environment.”
Disclosure is made when it is revealed that CloudSek is a fake PDF to DOCX converter site impersonating PDF candy (CandyXPDF)[.]com or candyconverterpdf[.]com) It is known to leverage the tricks of Clickfix social engineering and ultimately cax the victim to run an encoded PowerShell command that deploys Sectoprat (aka Arechclient2) malware.
“Threat actors have registered similar domain names to finely replicate the user interface of the real platform and to deceive users,” security researcher Varun Ajmera said in a report published this week.
“Attack Vector runs a PowerShell command that installs ArechClient2 Malware, a variant of the dangerous sector information steeler family known to plague victims and harvest sensitive data from compromised systems.”
Phishing campaigns use PHP-based kits to target employees of HR-themed companies to gain unauthorized access to payroll portals, change victim bank account information, and redirect funds to accounts under threat actor control.
Some of these activities stem from hacking groups called payroll pirates, where attackers use sponsored phishing websites to exploit malicious search ad campaigns and use HR pages spawed via Google to seduce unsuspecting victims and provide qualifications and two-factor authentication (2FA) codes.
Source link
