Full Report
Microsoft is calling attention to an ongoing malvertising campaign that makes use of Node.js to deliver malicious payloads capable of information theft and data exfiltration. The activity, first detected in October 2024, uses lures related to cryptocurrency trading to trick users into installing a rogue installer from fraudulent websites that masquerade as legitimate software like Binance or
Analysis Summary
# Tool/Technique: Malvertising Campaign Delivering Node.js Payloads
## Overview
This summary describes an ongoing malvertising campaign, first detected in October 2024, where threat actors misuse the legitimate Node.js runtime environment to deliver malicious payloads for information theft and data exfiltration. The campaign uses lures related to cryptocurrency trading to trick victims into installing rogue software.
## Technical Details
- Type: Malware Delivery Framework/Technique (leveraging legitimate software)
- Platform: Windows
- Capabilities: Initial system information gathering, persistence establishment, defense evasion, comprehensive system data harvesting, and establishing C2 communication for final payload delivery.
- First Seen: October 2024
## MITRE ATT&CK Mapping
- TA0001 - Initial Access
- T1583.004 - Acquire Infrastructure: Domains
- T1588.002 - Obtain Capabilities: Tool
- TA0003 - Persistence
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- TA0005 - Defense Evasion
- T1027 - Obfuscated Files or Information (PowerShell commands)
- T1562.001 - Impair Defenses: Disable or Modify Tools (Disabling Defender scans)
- TA0009 - Collection
- T1082 - System Information Discovery
- TA0011 - Command and Control
- T1071.001 - Application Layer Protocol: Web Protocols (HTTPS POST)
## Functionality
### Core Capabilities
- **Delivery via Malvertising:** Exploiting user trust via fraudulent websites impersonating legitimate software (e.g., Binance, TradingView).
- **Initial Execution:** A downloaded installer drops a dynamic-link library (`CustomActions.dll`).
- **System Information Gathering:** `CustomActions.dll` uses Windows Management Instrumentation (WMI) to collect basic system information.
- **Persistence:** Creates a scheduled task to execute subsequent stages.
- **Defense Evasion:** Uses PowerShell to configure exclusions for the running process and current directory from Microsoft Defender for Endpoint scans.
- **Data Staging:** Runs obfuscated PowerShell commands to harvest extensive OS, BIOS, hardware, and application data, converting it to JSON format.
- **Exfiltration:** Sends harvested data to the C2 server via HTTPS POST requests.
### Advanced Features
- **Node.js Misuse:** The final phase downloads the Node.js runtime and a JavaScript Compiled (JSC) file. The Node.js executable runs the JSC file to establish network connections and steal sensitive browser information.
- **ClickFix Variant:** In some cases, the "ClickFix" social engineering trick is used, leveraging a malicious PowerShell command to download Node.js and execute JavaScript *inline* instead of from a file.
- **C2 Camouflage:** The inline JavaScript is capable of disguising C2 traffic as legitimate Cloudflare activity to bypass network monitoring.
- **Browser Spoofing:** Launches `msedge_proxy.exe` to display the cryptocurrency trading website, maintaining the appearance of legitimate application behavior.
## Indicators of Compromise
- File Hashes: [Not provided in context]
- File Names: `CustomActions.dll`, `msedge_proxy.exe` (potentially abused), Node.js runtime binary, JSC file.
- Registry Keys: Modification of Windows Registry run keys for persistence (ClickFix variant).
- Network Indicators: C2 servers communicating via HTTPS POST (defanged examples not provided, but implied by data exfiltration).
- Behavioral Indicators: Use of WMI for discovery, creation of scheduled tasks, PowerShell execution attempting to modify Microsoft Defender Exclusions, process masquerading (using Node.js for non-standard purposes).
## Associated Threat Actors
- [Not explicitly named for this specific Node.js campaign, though related phishing activities mention "Payroll Pirates" in a different context.]
## Detection Methods
- Signature-based detection: Signatures targeting the known file names (`CustomActions.dll`).
- Behavioral detection: Monitoring for unusual file execution chains starting from installers, WMI queries, creation of scheduled tasks, and PowerShell attempts to modify security product configurations (exclusions).
- YARA rules: Rules targeting string patterns within the downloaded DLL or subsequent scripts.
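As an added example (not code from the Microsoft report or from this summary), the following Python script applies the behavioral detections listed above to constructed process-creation events and escalates when several stages of the installer -> Defender exclusion -> scheduled task -> Node.js chain appear together. The installer and script-host parent names and the exact command-line forms (Add-MpPreference, schtasks /create, node -e) are assumptions about how the chain would surface in telemetry.

```python
import re

# Constructed sample process-creation events as (parent_image, image, command_line).
# These are illustrative only, not telemetry captured from the campaign.
SAMPLE_EVENTS = [
    ("msiexec.exe", "powershell.exe",
     'powershell.exe -w hidden -c "Add-MpPreference -ExclusionPath C:\\Users\\u\\AppData\\Local\\Temp'
     ' -ExclusionProcess <installer-process-name>"'),
    ("msiexec.exe", "schtasks.exe",
     "schtasks.exe /create /tn Updater /sc onlogon /tr C:\\Users\\u\\AppData\\Local\\Temp\\stage.cmd"),
    ("powershell.exe", "node.exe", 'node.exe -e "<inline script>"'),
    ("node.exe", "msedge_proxy.exe", "msedge_proxy.exe --app=https://trading.example/"),
    ("explorer.exe", "msedge.exe", "msedge.exe --profile-directory=Default"),  # benign control
]

INSTALLERS = {"msiexec.exe", "setup.exe"}                      # assumed installer parents
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "node.exe", "cmd.exe"}

# Each rule is (name, predicate over one lower-cased event). Names follow the
# behavioral indicators in the summary; predicates receive (parent, image, cmdline).
RULES = [
    ("defender_exclusion_via_powershell", lambda p, i, c:
        i in {"powershell.exe", "pwsh.exe"} and re.search(r"add-mppreference\s+-exclusion", c)),
    ("scheduled_task_created_by_installer", lambda p, i, c:
        p in INSTALLERS and i == "schtasks.exe" and re.search(r"/create\b", c)),
    ("nodejs_inline_or_jsc_execution", lambda p, i, c:
        i == "node.exe" and (re.search(r"\s(-e|--eval)\s", c) or re.search(r"\.jsc\b", c))),
    ("msedge_proxy_spawned_by_script_host", lambda p, i, c:
        i == "msedge_proxy.exe" and p in SCRIPT_HOSTS),
]

def match_event(event):
    """Return the names of every rule that fires on one (parent, image, cmdline) event."""
    parent, image, cmdline = (s.lower() for s in event)
    return [name for name, pred in RULES if pred(parent, image, cmdline)]

def analyze(events):
    """Evaluate all events; escalate when three or more distinct stages of the chain appear."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(name, []).append(ev[1])
    # One rule alone is worth a look; several distinct stages together look like the chain.
    verdict = "chain" if len(hits) >= 3 else ("suspicious" if hits else "clean")
    return {"verdict": verdict, "hits": hits}

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

Only the benign Edge launch from explorer.exe produces no hit, while the four constructed stages together yield the "chain" verdict.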
## Mitigation Strategies
- Prevention measures: Blocking execution from untrusted sources, strong user awareness training regarding malvertising and cryptocurrency schemes.
- Hardening recommendations: Implementing application allow-listing, restricting the use of scripting engines for execution where possible, and ensuring robust endpoint detection and response (EDR) is actively monitoring for dynamic configuration changes to security controls.
## Related Tools/Techniques
- SectopRAT (ArechClient2): Mentioned in connection with a distinct PDF-converter phishing campaign using ClickFix, demonstrating similar social engineering tactics.
- ClickFix Social Engineering Trick: A technique used in parallel or as an alternate infection sequence for inline JavaScript execution via Node.js.
- PHP-based kit: Used by one threat group targeting HR portals in a separate phishing campaign.