Full Report
Kaspersky GReAT experts discovered a new campaign featuring the Tsundere botnet. Node.js-based bots abuse web3 smart contracts and are spread via MSI installers and PowerShell scripts.
Analysis Summary
# Tool/Technique: Tsundere Botnet
## Overview
The Tsundere botnet is a newly discovered malicious campaign that utilizes Node.js-based bots designed to interact with and likely abuse web3 smart contracts on the Ethereum blockchain. Infection is spread through MSI installers and PowerShell scripts, indicating a focus on Windows environments.
## Technical Details
- Type: Malware family (Botnet)
- Platform: Primarily Windows (inferred from MSI and PowerShell usage)
- Capabilities: Executes Node.js payloads, interacts with Ethereum smart contracts, establishes persistent control via C2 mechanisms.
- First Seen: Not specified in the provided context; the source describes it only as a new campaign.
## MITRE ATT&CK Mapping
Given the infection vector and nature of a botnet:
- **TA0001 - Initial Access**
- T1566 - Phishing (If MSI/PowerShell delivered via bait)
- T1189 - Drive-by Compromise (If initial access is web-based leading to file download)
- **TA0002 - Execution**
- T1059 - Command and Scripting Interpreter
- T1059.001 - PowerShell
- **TA0011 - Command and Control**
- T1071 - Application Layer Protocol (Likely HTTPS or custom protocol for C2)
## Functionality
### Core Capabilities
- **Infection Delivery:** Utilizes MSI installers and PowerShell scripts to execute and establish the bot presence.
- **Bot Implementation:** The malware payload is written using Node.js.
- **Blockchain Interaction:** Specifically designed to abuse web3 smart contracts on the Ethereum network.
### Advanced Features
- **Web3 Integration:** Its most sophisticated feature is the ability to interface with, and likely exploit, decentralized application (dApp) logic or smart contract functionality for malicious purposes (e.g., draining funds or interacting with specific DeFi protocols).
- **C2 via Blockchain:** While the C2 method isn't fully detailed, interaction with the blockchain may serve as a decentralized C2/communication channel or as the final objective mechanism.
## Indicators of Compromise
*Note: Specific hashes, registry keys, and network indicators were not provided in the context.*
- File Hashes: [N/A based on context]
- File Names: MSI installers and associated PowerShell artifacts.
- Registry Keys: [N/A based on context]
- Network Indicators: Communications likely involve Ethereum RPC endpoints or blockchain node addresses, which could be tracked; no defanged examples can be given without specific data.
- Behavioral Indicators: Execution chain involving MSI installation leading to PowerShell activities, followed by the launching of a Node.js process with network activity directed towards blockchain nodes or APIs.
## Associated Threat Actors
- Kaspersky GReAT experts discovered this campaign.
- Associated Actor: Not explicitly named, but attributed to the "Tsundere" botnet operation.
## Detection Methods
- Signature-based detection on known malicious MSI payload signatures.
- Behavioral detection focusing on the sequence: MSI execution → PowerShell execution → launch of unusual Node.js processes.
- Monitoring for Node.js processes attempting external network connections indicative of blockchain interaction parameters.
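As an added detection example (not from the Kaspersky report, and using constructed Sysmon-style events rather than real Tsundere telemetry), the following Python walks process-creation events to find a node.exe whose ancestry passes through powershell.exe and then msiexec.exe, and only flags it when that process has also made an outbound connection, covering both the sequence and the network point above.

```python
# Added example: flag the MSI -> PowerShell -> Node.js process chain in process telemetry.
# All events below are constructed (Sysmon Event ID 1/3-like fields), not Tsundere IoCs.
PROC_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Users\Public\node.exe"},          # suspicious
    {"pid": 300, "ppid": 100, "image": r"C:\Program Files\nodejs\node.exe"},  # developer use
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe"},
    {"pid": 410, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]
# Constructed outbound connections; 8545 is the common Ethereum JSON-RPC port.
NET_EVENTS = [{"pid": 230, "dst": "203.0.113.7", "dport": 8545}]
# Each step may match several binary names (pwsh.exe is PowerShell 7).
CHAIN = ({"msiexec.exe"}, {"powershell.exe", "pwsh.exe"}, {"node.exe"})


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def lineage(events, pid, max_depth=16):
    """Image basenames from root ancestor down to `pid`, following ppid links."""
    by_pid = {e["pid"]: e for e in events}
    chain, cur = [], by_pid.get(pid)
    while cur is not None and len(chain) < max_depth:
        chain.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return chain[::-1]


def matches_chain(names, chain=CHAIN):
    """True if the chain's steps occur in order; intermediate hops (cmd.exe) are allowed."""
    it = iter(names)
    return all(any(name in step for name in it) for step in chain)


def detect_chains(events, net_events=(), chain=CHAIN):
    """(pid, lineage) for each final-step process with matching ancestry and an outbound connection."""
    net_pids = {n["pid"] for n in net_events}
    hits = []
    for e in events:
        if basename(e["image"]) in chain[-1] and e["pid"] in net_pids:
            names = lineage(events, e["pid"])
            if matches_chain(names, chain):
                hits.append((e["pid"], names))
    return hits


if __name__ == "__main__":
    for pid, names in detect_chains(PROC_EVENTS, NET_EVENTS):
        print(f"pid {pid}: {' -> '.join(names)}")  # pid 230: explorer.exe -> msiexec.exe -> powershell.exe -> cmd.exe -> node.exe
```

The developer-launched node.exe (pid 300) and the MSI-spawned PowerShell without a Node.js child (pid 410) are not flagged, which keeps the rule narrow to the chain the page describes.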
## Mitigation Strategies
- Implement strict application whitelisting to control which MSI installers and scripts can execute.
- Application Control solutions should scrutinize PowerShell execution streams originating from installation processes.
- Maintain up-to-date security software capable of detecting Node.js-based threats.
- For organizations interacting heavily with web3, monitor for unusual smart contract interactions originating from internal hosts.
## Related Tools/Techniques
- General Node.js malware frameworks.
- Attack chains utilizing legitimate installers (MSI) for fileless/living-off-the-land execution (LOLBAS).
- Threats targeting cryptocurrency/web3 assets.