Cybersecurity experts have recently uncovered an active malware campaign named Stealit, which exploits Node.js’ Single Executable Application (SEA) feature to distribute its malicious payloads. This campaign has been analyzed by Fortinet FortiGuard Labs, revealing that certain versions also utilize the open-source Electron framework for malware delivery. The primary distribution method involves counterfeit installers for games and VPN applications, which are disseminated through file-sharing platforms like Mediafire and Discord.
Understanding the SEA Feature
The SEA feature in Node.js allows developers to package applications into standalone executables, enabling them to run on systems without a pre-installed Node.js runtime. This functionality is particularly advantageous for distributing applications seamlessly across various environments. However, malicious actors have recognized and exploited this feature to deploy malware more effectively.
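A triage check for SEA packaging, added here as an example rather than code from the FortiGuard report: it reads the sentinel fuse string and resource name that the Node.js SEA guide documents, so an analyst can tell a packaged application from a plain node runtime before deeper analysis. The sample images are constructed.

```python
"""Spot Node.js SEA-packaged executables by their embedded markers.
Added example, not from the FortiGuard report. Markers come from the Node.js
single-executable-applications guide: the sentinel fuse ends in ':0' in a
stock node binary and ':1' once postject has injected a NODE_SEA_BLOB."""
import sys
from pathlib import Path

SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
SEA_BLOB_NAME = b"NODE_SEA_BLOB"

def classify_sea(data):
    """Return 'sea', 'node-runtime', 'unknown' or 'none' for raw executable bytes."""
    idx = data.find(SEA_FUSE)
    if idx == -1:
        return "none"                 # no Node.js fuse string at all
    state = data[idx + len(SEA_FUSE): idx + len(SEA_FUSE) + 2]
    if state == b":1":
        return "sea"                  # blob injected: a packaged application
    if state == b":0":
        return "node-runtime"         # plain node binary, fuse still unset
    return "unknown"

def has_blob_marker(data):
    """Secondary signal: the blob name, ASCII (ELF/Mach-O section) or UTF-16 (PE resource)."""
    return SEA_BLOB_NAME in data or SEA_BLOB_NAME.decode().encode("utf-16-le") in data

def scan_path(path):
    """Classify one file on disk; 'sea' together with the blob marker is a strong match."""
    data = Path(path).read_bytes()
    return {"path": path, "verdict": classify_sea(data), "blob_marker": has_blob_marker(data)}

# Constructed stand-in images so the checks run without real samples.
SAMPLE_SEA_IMAGE = b"MZ" + b"\x00" * 16 + SEA_FUSE + b":1" + b"\x00" * 8 + SEA_BLOB_NAME
SAMPLE_NODE_IMAGE = b"MZ" + b"\x00" * 16 + SEA_FUSE + b":0"

if __name__ == "__main__":
    for p in sys.argv[1:]:           # usage: python sea_triage.py file1.exe file2 ...
        print(scan_path(p))
```

A hit only says the file was built with the SEA tooling; the packaged script still has to be examined to decide whether it is malicious.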
Mechanism of the Stealit Malware
The Stealit malware campaign operates by embedding malicious code within seemingly legitimate installers. Upon execution, these installers perform several actions:
1. Anti-Analysis Checks: Before proceeding, the malware conducts checks to determine if it’s running in a virtual or sandboxed environment, which are commonly used by security researchers for analysis. If such environments are detected, the malware may terminate its operations to avoid detection.
2. Authentication Key Generation: The malware generates a 12-character alphanumeric authentication key, encoded in Base64, and writes it to the `%temp%\cache.json` file. This key serves multiple purposes:
  – C2 Server Communication: The key authenticates the infected host to the command-and-control (C2) server, so that the malware can receive commands and upload stolen data.
  – Subscriber Dashboard Access: For threat actors offering Stealit as a service, this key allows subscribers to log into a dashboard to monitor and control infected systems.
3. Microsoft Defender Evasion: To avoid detection, the malware configures exclusions in Microsoft Defender Antivirus, ensuring that the folder containing its components is not scanned or flagged.
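Two host checks for the artifacts in steps 2 and 3, added as an example (not FortiGuard's tooling): one looks in cache.json for a Base64 value that decodes to a 12-character alphanumeric key, the other flags Defender path exclusions under user-writable locations, given a list such as the ExclusionPath output of Get-MpPreference. The sample token and exclusion list are constructed.

```python
"""Host triage for the cache.json key and the Defender exclusions described above.
Added example, not FortiGuard code. Exclusion paths come from e.g. Get-MpPreference."""
import base64
import json
import re

KEY_RE = re.compile(r"^[A-Za-z0-9]{12}$")          # 12-char alphanumeric key
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\programdata\\", "\\users\\public\\")

def _strings(node):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)

def find_encoded_keys(cache_json_text):
    """Return JSON string values that Base64-decode to the 12-char key shape."""
    try:
        doc = json.loads(cache_json_text)
    except ValueError:
        return []                     # not JSON: nothing to check
    hits = []
    for s in _strings(doc):
        try:
            decoded = base64.b64decode(s, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue                  # not valid Base64, or not 7-bit ASCII
        if KEY_RE.match(decoded):
            hits.append(decoded)
    return hits

def suspicious_exclusions(paths):
    """Flag Defender path exclusions under user-writable directories."""
    return [p for p in paths if any(m in p.lower() + "\\" for m in USER_WRITABLE)]

# Constructed samples (not real indicators): a fake token and a fake exclusion list.
SAMPLE_CACHE_JSON = json.dumps({"id": base64.b64encode(b"aB3dE5fG7hJ9").decode()})
SAMPLE_EXCLUSIONS = [r"C:\Users\bob\AppData\Local\Temp\game_update",
                     r"C:\Program Files\Git"]

if __name__ == "__main__":
    print(find_encoded_keys(SAMPLE_CACHE_JSON), suspicious_exclusions(SAMPLE_EXCLUSIONS))
```

An exclusion under a temp or profile directory is not proof of infection on its own, but it is rarely legitimate and is worth correlating with Defender's configuration-change events.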
Components and Their Functions
The Stealit malware comprises several executables, each with specific roles:
– save_data.exe: Executed only with elevated privileges, this component drops cache.exe, a tool derived from the open-source project ChromElevator. Its primary function is to extract information from Chromium-based browsers, including saved passwords, cookies, and browsing history.
– stats_db.exe: This executable targets data from various applications:
  – Messaging Apps: Extracts information from Telegram and WhatsApp, potentially accessing chat histories and contact lists.
  – Cryptocurrency Wallets: Harvests data from wallets and browser extensions like Atomic and Exodus, aiming to steal cryptocurrency assets.
  – Gaming Platforms: Gathers information from platforms such as Steam, Minecraft, GrowTopia, and Epic Games Launcher, which could be used for account takeovers or resale.
– game_cache.exe: This component ensures the malware’s persistence on the infected system by:
  – Startup Execution: Creates a Visual Basic script that launches the malware upon system reboot.
  – C2 Communication: Maintains communication with the C2 server to:
    – Real-Time Monitoring: Streams the victim’s screen in real-time, allowing attackers to observe user activities.
    – Command Execution: Executes arbitrary commands on the infected system, which could include downloading additional malware or exfiltrating data.
    – File Operations: Facilitates the download and upload of files between the infected system and the C2 server.
    – Desktop Manipulation: Changes the desktop wallpaper, potentially as a form of intimidation or signaling control.
Commercialization of Stealit
The operators behind Stealit have established a dedicated website offering professional data extraction solutions through various subscription plans. These plans include access to a remote access trojan (RAT) with capabilities such as file extraction, webcam control, live screen monitoring, and ransomware deployment. The pricing structure is as follows:
– Windows Stealer:
  – Weekly Subscription: $29.99
  – Lifetime License: $499.99
– Android RAT:
  – Starting Price: $99.99
  – Lifetime License: Up to $1,999.99
This commercialization indicates a shift towards Malware-as-a-Service (MaaS), where cybercriminals offer malicious tools to other actors, lowering the barrier to entry for conducting cyber attacks.
Implications and Recommendations
The exploitation of the Node.js SEA feature by Stealit underscores the evolving tactics of cybercriminals who leverage legitimate development tools for malicious purposes. The novelty of this approach may catch security applications and analysts off guard, emphasizing the need for heightened vigilance.
Recommendations for Users:
1. Download Software from Trusted Sources: Always obtain software from official websites or reputable platforms to minimize the risk of downloading malicious installers.
2. Verify Digital Signatures: Before executing any installer, check for valid digital signatures to ensure the software’s authenticity.
3. Maintain Updated Security Software: Keep antivirus and anti-malware programs up to date to detect and prevent the latest threats.
4. Be Cautious with File-Sharing Platforms: Exercise caution when downloading files from platforms like Mediafire and Discord, as they can be exploited to distribute malware.
Recommendations for Organizations:
1. Implement Application Whitelisting: Restrict the execution of unauthorized applications to prevent the installation of malicious software.
2. Monitor Network Traffic: Regularly analyze network traffic for unusual patterns that may indicate communication with C2 servers.
3. Educate Employees: Conduct regular training sessions to raise awareness about phishing tactics and the importance of downloading software from legitimate sources.
4. Deploy Endpoint Detection and Response (EDR) Solutions: Utilize EDR tools to detect and respond to suspicious activities on endpoints promptly.
Conclusion
The Stealit malware campaign highlights the innovative methods cybercriminals employ to distribute malware by exploiting legitimate software features. By understanding the mechanisms of such threats and implementing robust security practices, both individuals and organizations can enhance their defenses against these evolving cyber threats.