Researchers have found a new Stealit malware campaign in the wild that abuses a legitimate Node.js feature to package and deliver its payloads. The malware reaches victims as fake game and VPN installers shared through various online platforms. To avoid this threat, users should download software only from the vendor's official website.
Stealit Malware Exploits Node.js SEA To Spread Payloads
In a recent report, Fortinet researchers have shared details about the Stealit malware campaign that abuses the Single Executable Application (SEA) feature in Node.js.
As explained, earlier Stealit campaigns relied on the Electron framework, whereas the recent campaign abuses the SEA feature to pose as installers. With Electron, the Node.js scripts are shipped together with the runtime inside an NSIS installer; SEA is a native Node.js feature that embeds a script into a copy of the Node.js binary, producing a single executable.
Both approaches let the malware run directly without a pre-installed Node.js runtime. The researchers also found a newer variant in which the attackers apparently reverted to Electron, bundling the malicious Node.js scripts encrypted with AES-256-GCM. The Node.js SEA experiment may have been a test of whether payloads can be packaged and distributed this way without raising alarms.
Dissecting the malware revealed a multi-layered loader, with the main script running only at the final stage. The first two layers are heavily obfuscated; the second and third layers execute in memory, and the third layer runs a component downloaded earlier.
This layer also checks whether it is running in a virtual machine or sandbox by inspecting system memory, the number of CPU cores, the hostname, the username, filenames and paths, network ports, the registry, injected DLLs, the parent process, and how long its own execution has taken, to ensure that the malware isn't running in an analysis environment.
Once the anti-analysis checks pass, it installs the malware components, such as save_data.exe, stats_db.exe, and game_cache.exe. These executables collect system information and send it to the malware C&C in JSON format, after which the malware carries out further actions on the victim system according to the commands received from the C&C.
Attackers Use Platforms Like Mediafire, Discord to Distribute Malware
The researchers also found that the threat actors' website had moved to a new domain, where Stealit is advertised as a data extraction tool.
The advertised functionality includes file exfiltration, webcam control, live screen monitoring, and ransomware deployment on both mobile (Android) and desktop (Windows) systems.
In the recent campaign, the threat actors distributed the malware through public file-sharing platforms such as Mediafire and Discord, disguised as VPN and game installers to trick users into running it.
Since the campaign is active in the wild, Fortinet advises users to remain cautious and, in particular, recommends that organizations run awareness training so their end users can recognize and avoid such lures.
