Exploring V8 JavaScript Usage in Malware

Check Point Research examines how attackers use compiled V8 JavaScript to disguise malware by turning JavaScript into serialized V8 bytecode, making static analysis harder. The article introduces View8, a decompiler that translates V8 bytecode into readable code and showcases ChromeLoader, ransomware, wipers, and a shellcode loader as real-world examples of this technique. #ChromeLoader #View8 #CompiledV8 #V8Bytecode #TurkoRat #MiraiStealer

Keypoints

  • Compiled V8 JavaScript turns JavaScript into serialized bytecode to evade static detections and hide source code.
  • View8 is a new open-source tool that decompiles V8 bytecode into a high-level, JavaScript-like language to aid analysis.
  • Malware families including stealers, loaders, RATs, wipers, and ransomware have been observed using V8 bytecode with low VirusTotal detection.
  • ChromeLoader embeds an encrypted V8 payload, uses Electron, and reads a base64 string that is decrypted with RC4 to obtain the final payload.
  • Ransomware and wiper samples encrypt or destroy files and report victim data to a C2 channel (Discord webhook in some configs).
  • A shellcode loader uses ffi-napi and ref-napi to fetch and execute dynamic shellcode in memory via Windows API calls.
  • View8 enabled researchers to decompile thousands of samples and extract configurations, C2 domains, and encryption details that were hidden in the bytecode.

MITRE Techniques

  • [T1059.007] JavaScript – Attackers compile plain JavaScript into serialized V8 bytecode with Node.js's built-in vm module and execute it from the serialized cache instead of from source, e.g., “To leverage this feature and compile plain JavaScript into serialized V8 bytecode, we can utilize the built-in vm module…”
  • [T1027] Obfuscated/Compressed Data – The loader decodes base64, then decrypts with RC4 to obtain the payload, e.g., “reads a base64 string, decodes it, and decrypts it using RC4.”
  • [T1105] Ingress Tool Transfer – The shellcode loader fetches dynamic x64 shellcodes from a remote C&C server, e.g., “to fetch dynamic x64 shellcodes from a remote C&C server…”
  • [T1055] Process Injection – The shellcode loader allocates executable memory in its own process, copies the fetched shellcode into it, and starts a thread on it, calling VirtualAlloc, RtlMoveMemory, and CreateThread through ffi-napi.
  • [T1486] Data Encrypted for Impact – Ransomware encrypts files using AES encryption, e.g., “encrypts them using AES encryption algorithm.”
  • [T1485] Data Destruction – A wiper overwrites files with random strings, e.g., “overwrites them with random strings.”
  • [T1071.001] Web Protocols – C2 communications via web services (Discord webhook acts as a C&C), e.g., “Discord webhook that acts as a C&C.”

Indicators of Compromise

  • [File Hash] e73c59ec8ee0b7bcc2b26e740946a121f73c98355dc87b177ebe77258b403d63 – Ransomware sample packed with pkg, the Node.js single-executable packager.
  • [File Hash] 2e74d21cade1c7ef78dd3bfa06f686cb41a045bb52e0151c1bb51474b97dd2dc – Wiper sample overwriting files with random strings.
  • [URL] https://research.checkpoint.com/2024/exploring-compiled-v8-javascript-usage-in-malware/ – original source article for this write-up.
  • [URL] https://github.com/suleram/View8 – View8 decompiler project used to translate V8 bytecode to readable code.
  • [URL] https://github.com/FLB-Music/FLB-Music-Player – open-source Electron app that ChromeLoader forks and repackages as a carrier for its compiled payload.
  • [URL] https://github.com/praharshjain/Electron-PDF-Viewer – open-source Electron app that ChromeLoader forks and repackages as a carrier for its compiled payload.

Read more: https://research.checkpoint.com/2024/exploring-compiled-v8-javascript-usage-in-malware/