Byakugan – The Malware Behind a Phishing Attack | FortiGuard Labs

FortiGuard Labs analyzed a Portuguese phishing PDF that downloads a multifunction infostealer called Byakugan, which uses a downloader, DLL search-order hijacking, and a pkg-packed node.js main module to steal browser data and capture the screen. The malware communicates with C2 domains (thinkforce.com[.]br, blamefade.com[.]br), stores data under %APPDATA%\Chrome\Application, and relies on persistence and Windows Defender exclusions to evade detection.

Keypoints

  • Initial delivery via a Portuguese PDF that lures users to click a malicious link leading to a downloader.
  • The downloader drops require.exe and a clean installer to %TEMP%, then uses DLL search-order hijacking to execute require.exe and fetch the main payload (chrome.exe).
  • Main payload is a node.js-based, pkg-packed binary that loads feature libraries (e.g., streamer.js, api.js, Browser.js).
  • Capabilities include screen monitoring (via OBS Studio), screen capture (Windows APIs), and browser data theft (cookies, credit cards, downloads, autofill profiles).
  • Data and extra modules are stored under %APPDATA%\Chrome\Application (browser data in the bwdat subfolder); it can also inject cookies into browsers.
  • Evasion and persistence: filename/location checks (anti-analysis), adds Defender exclusions and firewall allowances, and installs a scheduled-task config for startup persistence.

MITRE Techniques

  • [T1566.001] Phishing – Delivery via a malicious PDF that “asks the victim to click the malicious link on the PDF file to see the content.”
  • [T1204.002] User Execution – The attack relies on the user clicking the embedded link in the PDF (“asks the victim to click the malicious link”).
  • [T1574.001] DLL Search Order Hijacking – The downloader “downloads a DLL … which is executed via DLL-hijacking to run require.exe to download the main module (chrome.exe).”
  • [T1027.005] Software Packing – The main module is “a node.js-based malware packed into its executable by pkg,” which hides implementation details.
  • [T1539] Steal Web Session Cookie – Byakugan steals browser cookies and can “inject cookies into a specified browser.”
  • [T1113] Screen Capture – Uses Windows APIs and OBS Studio for desktop monitoring and screenshots (“It uses OBS Studio to monitor the victim’s desktop” / “Takes screenshots using Windows APIs”).
  • [T1053.005] Scheduled Task – Implements persistence by dropping “a configuration file for the task scheduler into the Defender folder under the base path, which makes it execute automatically when starting up.”
  • [T1562.001] Disable or Modify Tools – Alters Windows Defender exclusions and firewall rules to allow its files (“it sets the path it uses to the Windows Defender’s exclusion path and allows files in the Windows firewall”).

Indicators of Compromise

  • [C2 Domains] Command-and-control / attacker panel – thinkforce.com[.]br, blamefade.com[.]br
  • [Git repositories] Related code/resources – github[.]com/thomasdev33k, github[.]com/wonderreader (also github[.]com/fefifojs)
  • [File names] Dropped or executed binaries – require.exe, Reader_Install_Setup.exe, chrome.exe
  • [PDF hashes] Malicious droppers – c7dbb5e9e65a221a5f78328b5a6141dd46a0459b88248e84de345b2a6e52b1d9, c6fe9169764301cadccb252fbed218a1a997922f0df31d3e813b4fe2a3e6326d, and 1 more
  • [EXE hashes] Executables observed – 9ef9bbfce214ee10a2e563e56fb6486161c2a623cd91bb5be055f5745edd6479, 4d8eac070b6b95f61055b96fb6567a477dbc335ef163c10514c864d9913d23cb, and 1 more

FortiGuard Labs’ technical analysis shows the infection begins with a socially engineered PDF that directs victims to a downloader; the downloader places a renamed executable (require.exe) and a benign installer in %TEMP% and leverages DLL search-order hijacking to run the renamed binary and pull the primary payload, chrome.exe, from the attacker-controlled server.

The payload is a node.js application packaged with pkg. It loads feature libraries (streamer.js for OBS-based monitoring, api.js for Windows API screenshots, Browser.js for harvesting cookies, credit cards, downloads and autofill profiles) and stores data under %APPDATA%\Chrome\Application, with browser data in the bwdat folder. It can also inject cookies into browsers and download additional modules as needed.

The malware includes anti-analysis checks that verify its own filename and installation path (exiting unless it is running as chrome.exe from the Chrome\Application folder), modifies Defender exclusions and firewall rules to evade detection, and establishes persistence by dropping a task scheduler configuration into its Defender folder so that it runs at startup.
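The install path, dropper name, exclusion behaviour and C2 domains above are enough to build host-side detections. The following is an added example, not code from FortiGuard Labs or from the Byakugan sample: it scores constructed, Sysmon-style event records (the field names follow Sysmon; the records themselves are made up) against those behaviours and groups hits by host so a multi-stage chain on one machine stands out.

```python
# Added detection example for the Byakugan summary; not FortiGuard Labs' or the malware's code.
# Paths, file names and domains come from the report. Event field names follow Sysmon
# (EventID 1 = process creation, 12/13 = registry, 22 = DNS query); the sample records are constructed.
import re

# A legitimate chrome.exe never runs from %APPDATA%\Chrome\Application (Roaming); Byakugan insists on it.
STAGED_PAYLOAD = re.compile(r"\\AppData\\Roaming\\Chrome\\Application\\chrome\.exe$", re.I)
TEMP_DOWNLOADER = re.compile(r"\\Temp\\require\.exe$", re.I)
# The report says the malware adds its own path to Defender's exclusions; this is where that lands.
DEFENDER_EXCLUSION = re.compile(r"\\Windows Defender\\Exclusions\\Paths\\", re.I)
MALWARE_BASE = re.compile(r"\\AppData\\Roaming\\Chrome", re.I)
C2_DOMAINS = {"thinkforce.com.br", "blamefade.com.br"}


def match_event(event: dict) -> list[str]:
    """Return the Byakugan indicators a single event matches (empty list if none)."""
    hits: list[str] = []
    image = event.get("Image", "")
    event_id = event.get("EventID")
    if event_id == 1:
        if STAGED_PAYLOAD.search(image):
            hits.append("chrome.exe running from %APPDATA%\\Chrome\\Application")
        if TEMP_DOWNLOADER.search(image):
            hits.append("require.exe executed from %TEMP%")
    elif event_id in (12, 13):
        target = event.get("TargetObject", "")
        if DEFENDER_EXCLUSION.search(target) and MALWARE_BASE.search(target):
            hits.append("Defender exclusion added for %APPDATA%\\Chrome")
    elif event_id == 22:
        if event.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
            hits.append(f"DNS lookup of C2 domain {event['QueryName']}")
    return hits


def scan(events: list[dict]) -> dict[str, list[str]]:
    """Group indicator hits by host; several distinct hits on one host indicate the full chain."""
    findings: dict[str, list[str]] = {}
    for ev in events:
        for hit in match_event(ev):
            findings.setdefault(ev.get("Computer", "?"), []).append(hit)
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"Computer": "ws01", "EventID": 1, "Image": r"C:\Users\u\AppData\Local\Temp\require.exe"},
    {"Computer": "ws01", "EventID": 1, "Image": r"C:\Users\u\AppData\Roaming\Chrome\Application\chrome.exe"},
    {"Computer": "ws01", "EventID": 13, "Image": r"C:\Users\u\AppData\Roaming\Chrome\Application\chrome.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\u\AppData\Roaming\Chrome"},
    {"Computer": "ws01", "EventID": 22, "Image": r"C:\Users\u\AppData\Roaming\Chrome\Application\chrome.exe",
     "QueryName": "thinkforce.com.br"},
    {"Computer": "ws02", "EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]
```

Running `scan(SAMPLE_EVENTS)` reports four distinct hits for ws01 and nothing for ws02, whose chrome.exe runs from its normal Program Files location.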

Read more: https://feeds.fortinet.com/~/875021156/0/fortinet/blog/threat-research~Byakugan-%e2%80%93-The-Malware-Behind-a-Phishing-Attack