Researchers have discovered a new Stealit malware campaign in the wild that abuses a Node.js feature to distribute payloads. The malware targets victims by impersonating game and VPN installers distributed through different online platforms. Users should stick to official software installers only, downloaded from the respective official websites, to avoid this threat.
Stealit Malware Exploits Node.js SEA To Spread Payloads
In a recent report, Fortinet researchers have shared details about the Stealit malware campaign that abuses the Single Executable Application (SEA) feature in Node.js.
As explained, earlier Stealit malware campaigns relied on the Electron framework. However, the latest campaign uses the SEA feature to mimic installers. Whereas Electron packages Node.js scripts as NSIS installers, SEA is a native Node.js feature that bundles scripts into binaries.
Both approaches allow the malware to execute directly without requiring a pre-installed Node.js runtime. The researchers also observed a new malware variant where the attackers apparently reverted to the earlier approach of using Electron, bundling the malicious Node.js scripts with AES-256-GCM encryption. The experimentation with Node.js SEA may therefore have been a test of whether payloads can be packaged and distributed without raising alarms.
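A defender-side triage check for the SEA packaging described above, added here as an example and not taken from Fortinet's report: it scans a binary for the markers that Node.js's SEA tooling leaves behind (the NODE_SEA_BLOB resource/section name and the sentinel fuse, which postject flips from `:0` to `:1` when a script blob is injected). The marker values are taken from the Node.js SEA documentation and are assumed to match the Node.js release that built the sample; the input bytes are constructed, not real malware.

```python
from dataclasses import dataclass

# Markers left behind by Node.js's single-executable-application (SEA) tooling.
# Values are taken from the Node.js SEA documentation (the postject invocation that
# injects the blob); they are assumed to match the Node.js release used to build the
# sample, so confirm them against that release before relying on this triage.
SEA_BLOB_NAME = b"NODE_SEA_BLOB"
# The stock node binary carries the sentinel ending in ":0"; postject rewrites the
# final character to "1" when a SEA blob has been injected.
SEA_FUSE_PREFIX = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:"


@dataclass
class SeaTriage:
    fuse_present: bool   # sentinel found at all (any Node.js build)
    fuse_set: bool       # sentinel flipped to ":1" (a blob was injected)
    blob_named: bool     # NODE_SEA_BLOB resource/section/segment name found

    @property
    def is_sea_bundle(self) -> bool:
        return self.fuse_set and self.blob_named


def triage_sea(data: bytes) -> SeaTriage:
    """Look for SEA markers in raw file bytes (PE, ELF or Mach-O)."""
    idx = data.find(SEA_FUSE_PREFIX)
    fuse_present = idx != -1
    fuse_set = fuse_present and data[idx + len(SEA_FUSE_PREFIX):][:1] == b"1"
    # PE resource names are stored UTF-16LE; ELF section and Mach-O segment names are ASCII.
    blob_named = (SEA_BLOB_NAME in data
                  or SEA_BLOB_NAME.decode().encode("utf-16-le") in data)
    return SeaTriage(fuse_present, fuse_set, blob_named)


def triage_file(path: str) -> SeaTriage:
    with open(path, "rb") as fh:
        return triage_sea(fh.read())


# Constructed samples (not real malware): a plain Node.js binary image and one
# that looks like a SEA bundle posing as an installer.
PLAIN_NODE = b"MZ\x90\x00" + b"\x00" * 32 + SEA_FUSE_PREFIX + b"0" + b"\x00" * 16
SEA_BUNDLE = (b"MZ\x90\x00" + b"\x00" * 32 + SEA_FUSE_PREFIX + b"1"
              + b"\x00" * 16 + "NODE_SEA_BLOB".encode("utf-16-le") + b"\x00" * 8)

if __name__ == "__main__":
    for name, sample in (("plain node", PLAIN_NODE), ("sea bundle", SEA_BUNDLE)):
        result = triage_sea(sample)
        print(f"{name}: {result}, is_sea_bundle={result.is_sea_bundle}")
```

A hit only tells you a file is a SEA-packaged Node.js program, which is also how legitimate tools ship; treat it as a reason to inspect the embedded script, not as a verdict.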
Dissecting the malware revealed a multi-layered approach, with the main script executing last. The researchers observed heavy obfuscation in the first and second layers, followed by a third layer that, like the second, executes in memory. The third layer runs a previously downloaded component.
This layer also checks the target environment for signs of a VM by examining the system memory, number of CPU cores, hostname, username, filenames and paths, network ports, registry, DLL injection, parent process, and the duration of its own analysis, to make sure the malware is not running in an analysis environment.
After completing all anti-analysis checks, it installs the malware components, such as save_data.exe, stats_db.exe, and game_cache.exe. These executables collect system information and send the data to the malware C&C in JSON format. After that, it carries out various malicious actions on the target systems based on the commands received from the C&C.
Attackers Use Platforms Like Mediafire, Discord to Distribute Malware
The researchers found that the threat actors' website had moved to a new domain, promoting the Stealit malware as a data extraction tool.
The functionality advertised on the website includes file extraction, webcam control, live screen monitoring, and ransomware deployment on mobile (Android) and desktop (Windows) systems.
In the latest campaign, the threat actors distributed the malware via public file-sharing platforms, such as Mediafire and Discord, mimicking VPN and game installers to trick users.
Since the malware campaign is active in the wild, Fortinet advises users to remain cautious. In particular, they advise organizations to arrange awareness training for their end users to help them detect and avoid such threats.
