A new Stealit campaign uses Node.js Single Executable Application (SEA) to deliver obfuscated malware. FortiGuard Labs details tactics and defenses.
Analysis Summary
# New Stealit Campaign Abuses Node.js Single Executable Application
The Stealit malware campaign has updated its tactics, techniques, and procedures (TTPs) to use the Node.js Single Executable Application (SEA) feature to distribute its payloads. This new campaign is notable for running its malicious Node.js scripts from a single executable file, which makes it harder to detect.
## Key Points
- Stealit malware uses Node.js SEA to distribute payloads.
- The campaign has adopted a single executable application approach similar to Electron.
- Malware is still distributed as disguised installers for games and VPN applications.
- Recent samples are bundled in PyInstaller and common compressed archives.
- The panel website, also serving as the Command-and-Control (C2) server, has moved to new domains.
## Threat Actors
- Stealit: Attribution not available, but associated with a Telegram channel named _StealitPublic_.
- Motivation is unknown, but the operator appears to offer "professional data extraction solutions" through various subscription plans.
## TTPs
- Node.js SEA feature is used to distribute payloads.
- Installer component downloads additional components from the C2 server.
- Scripts are heavily obfuscated to complicate analysis.
- A multi-layered approach is employed before executing the main installer script.
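As an added triage example (not code from the report or from FortiGuard Labs), the scanner below flags files that have been built as a Node.js SEA, the packaging the TTPs above describe. It assumes the documented Node.js SEA sentinel fuse string, which every node binary carries ending in `:0` and which postject rewrites to `:1` when it injects the `NODE_SEA_BLOB`; the sample bytes at the bottom are constructed, not real binaries.

```python
import re
from pathlib import Path

# Sentinel fuse string from the Node.js SEA documentation: a plain node
# binary carries it ending in ":0"; postject rewrites the tail to ":1" when
# it injects the SEA blob, so the ":1" form is the tell for a built SEA.
SEA_FUSE = b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2"
FUSE_RE = re.compile(re.escape(SEA_FUSE) + rb":([01])")
# Name of the injected blob (PE resource / ELF section / Mach-O segment).
# PE resource names are stored as UTF-16LE, so search both encodings.
BLOB_NAMES = (b"NODE_SEA_BLOB", "NODE_SEA_BLOB".encode("utf-16-le"))


def classify_node_binary(data: bytes) -> dict:
    """Return a triage verdict for raw file bytes.

    verdict: "not-node", "plain-node" (fuse still ':0') or "node-sea".
    blob_name: whether the NODE_SEA_BLOB name is also present.
    """
    m = FUSE_RE.search(data)
    if m is None:
        return {"verdict": "not-node", "fuse": None, "blob_name": False}
    fuse_on = m.group(1) == b"1"
    return {
        "verdict": "node-sea" if fuse_on else "plain-node",
        "fuse": m.group(1).decode(),
        "blob_name": any(n in data for n in BLOB_NAMES),
    }


def scan_directory(root: str, min_size: int = 1_000_000) -> list:
    """Walk a directory and list files that look like Node.js SEAs.

    Small files are skipped: a SEA embeds the whole Node runtime.
    """
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.stat().st_size >= min_size:
            r = classify_node_binary(p.read_bytes())
            if r["verdict"] == "node-sea":
                hits.append((str(p), r))
    return hits


if __name__ == "__main__":
    # Constructed sample bytes (not real binaries) covering the three cases.
    samples = {
        "sea.exe": b"MZ" + b"\0" * 16 + SEA_FUSE + b":1" + b"\0" * 8
                   + "NODE_SEA_BLOB".encode("utf-16-le"),
        "node.exe": b"MZ" + b"\0" * 16 + SEA_FUSE + b":0",
        "other.exe": b"MZ" + b"\0" * 64,
    }
    for name, blob in samples.items():
        print(name, classify_node_binary(blob))
```

A "node-sea" verdict is a triage signal, not a malware verdict: legitimate tools ship as SEAs too, so pair it with the installer disguise, download behaviour and C2 contact described above.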
## Affected Systems
- Microsoft Windows
- Android systems (targeted by ransomware deployment)
## Mitigations
- Monitor for suspicious activity and install updates promptly.
- Implement security measures such as anti-ransomware software and robust firewall configurations.
- Utilize endpoint detection and response solutions to detect and contain malicious activity.
## Conclusion
The Stealit campaign represents a notable example of the evolving threat landscape, with malware adapting to evade detection. Understanding these tactics is essential for effective mitigation strategies.