Threat Research

Yet Another NodeJS Backdoor (YaNB): A Modern Challenge

LevelBlue-spiderlabs
Yet Another NodeJS Backdoor (YaNB): A Modern Challenge

Trustwave SpiderLabs has identified a resurgence of malicious campaigns exploiting deceptive CAPTCHA verifications to deploy NodeJS-based backdoors and Remote Access Trojans (RATs), demonstrating a significant increase in these tactics across several malware campaigns. The use of fake CAPTCHA techniques has proven effective as an initial access vector, with implications for various sectors due to the sophistication of these attacks. Affected: Trustwave, NodeJS systems, end-users, cybersecurity sector

Keypoints :

  • Trustwave SpiderLabs conducted an Advanced Continual Threat Hunt and uncovered malicious campaigns utilizing deceptive CAPTCHA verifications.
  • These campaigns deploy NodeJS-based backdoors and Remote Access Trojans (RATs) following initial execution through malicious scripts.
  • The malware waits passively for commands from attackers, leading to further deployment of malicious components.
  • A more advanced NodeJS RAT variant was discovered, capable of tunneling traffic via SOCKS5 proxies and using XOR encryption for communications.
  • The effectiveness of fake CAPTCHA techniques as an entry point suggests ongoing growth and prevalence in their use.
  • The KongTuke campaign is one of several observed that employ similar deceptive techniques in their attack chains.

MITRE Techniques :

  • TA0001 ā€“ Initial Access: T1659 ā€“ Content Injection used via compromised websites to inject malicious scripts.
  • TA0002 ā€“ Execution: T1059 ā€“ Command and Scripting Interpreter utilized for executing scripts across various environments.
  • TA0003 ā€“ Persistence: T1543.003 ā€“ Windows Service exploited to create persistence through Windows services.
  • TA0005 ā€“ Defense Evasion: T1564.003 ā€“ Hidden Window employed to hide component execution from users.
  • TA0007 ā€“ Discovery: T1082 ā€“ System Information Discovery has been leveraged to collect detailed system data.
  • TA0011 ā€“ Command and Control: T1071.001 ā€“ Web Protocols (HTTP/S) utilized for C2 communications.

Indicator of Compromise :

  • [URL] hxxps://inteklabs[.]com/2g6n[.]js
  • [URL] hxxps://ronsamuel[.]com/4r4r[.]js
  • [URL] hxxps://compralibri[.]com/1q2w[.]js
  • [IP Address] hxxp://138.199[.]161.141:8080
  • [IP Address] hxxp://64.94.84[.]217:8080

Full Story: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/yet-another-nodejs-backdoor-yanb-a-modern-challenge/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint