
Deceptive Node.js loader posing as game hack


Malware distributors have been using NodeLoader, a loader developed in Node.js, to outsmart security measures and distribute infostealers and cryptominers to gamers. In this recent wave of malicious activity, cybercriminals are leveraging popular platforms like YouTube and Discord to share links that claim to lead to game hacks hosted on fake gaming websites.

The supposed game hack or cheat is usually delivered as a ZIP archive. When users extract it, they find an executable compiled from Node.js. Once run, it scans the system for running processes such as Chrome, Opera, Firefox, Steam, Spotify, Discord, Telegram, Microsoft Gaming Install Services, Lightshot, and Epic Games Launcher.

If any of the specified processes are detected, the executable downloads a PowerShell script, which in turn fetches and saves two additional executables: the XMRig cryptocurrency miner and the Phemedrone Stealer. The XMRig component takes steps to avoid detection: it tries to interfere with the Windows Event Log service, deletes Windows updates associated with the Windows Malicious Software Removal Tool, and installs a service to establish persistence. The Phemedrone Stealer, for its part, harvests login credentials, cookies, and other data from Google and Microsoft browsers and transmits them to a designated Telegram channel.

Researchers at Zscaler found that, alongside the Phemedrone Stealer, the threat actors used a separate malicious link in this operation to distribute a loader for Lumma Stealer.

Why are attackers choosing Node.js for their malicious tooling? Although Node.js is best known as a runtime for web development, it can also be used to build command-line tools and client-side applications for various desktop platforms. NodeLoader's code, written in JavaScript for Node.js, is compiled into a binary executable with the pkg module. This process bundles everything needed to execute the Node.js code, including the V8 JavaScript engine library.

Compiling with the pkg npm module produces a very large Windows binary, exceeding 35MB. That size alone hampers analysis by some security products. In addition, there are few signatures for identifying malicious JavaScript-based code, so many NodeLoader binaries from this campaign evaded detection by antivirus and endpoint detection and response (EDR) systems.

According to Zscaler's detection analysis, the identified NodeLoader executables still have poor antivirus detection rates. The final payloads, the cryptominer and the infostealers, are however recognized by numerous security solutions.
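Because the loader binaries themselves are poorly covered by signatures, defenders may want a coarse triage check for pkg-compiled Node.js executables of the kind described above. The following helper is an added example, not code from the article or from Zscaler; the marker strings are assumptions drawn from general knowledge of pkg's bootstrap and the Node.js runtime, and the sample bytes are constructed.

```python
from dataclasses import dataclass

# Strings that pkg's bootstrap and the embedded Node runtime typically leave in
# the output binary (assumed markers, not indicators from the Zscaler report).
PKG_MARKERS = (b"PKG_EXECPATH", b"/snapshot/", b"C:\\snapshot\\")
NODE_MARKERS = (b"node:internal/", b"NODE_OPTIONS", b"v8::")
# Process names the article says the loader checks before fetching payloads.
TARGET_PROCESSES = (b"chrome", b"opera", b"firefox", b"steam", b"spotify",
                    b"discord", b"telegram", b"lightshot", b"epicgameslauncher")
SIZE_THRESHOLD = 35 * 1024 * 1024  # the ~35 MB figure from the article

@dataclass
class Triage:
    is_pe: bool
    pkg_hits: list
    node_hits: list
    process_hits: list
    oversized: bool
    verdict: str = ""

def _hits(data: bytes, markers) -> list:
    """Case-insensitive substring search; returns the markers that occur."""
    low = data.lower()
    return [m.decode() for m in markers if m.lower() in low]

def triage_bytes(data: bytes, size_threshold: int = SIZE_THRESHOLD) -> Triage:
    """Classify a file image by PE header, pkg/Node markers and size."""
    t = Triage(is_pe=data[:2] == b"MZ",
               pkg_hits=_hits(data, PKG_MARKERS),
               node_hits=_hits(data, NODE_MARKERS),
               process_hits=_hits(data, TARGET_PROCESSES),
               oversized=len(data) > size_threshold)
    if t.is_pe and t.pkg_hits and t.node_hits:
        t.verdict = "pkg-compiled Node.js executable"
        if len(t.process_hits) >= 3:  # weak heuristic: many browser/gaming names
            t.verdict += "; references multiple browser/gaming processes"
    elif t.is_pe and t.node_hits:
        t.verdict = "Node.js runtime present, no pkg markers"
    else:
        t.verdict = "no Node.js indicators"
    return t

# Constructed stand-in for a dropped executable; not a real sample.
SAMPLE = (b"MZ" + b"\x00" * 60 + b"PKG_EXECPATH\x00/snapshot/app/index.js\x00"
          b"node:internal/bootstrap\x00NODE_OPTIONS\x00"
          b"chrome.exe\x00Steam.exe\x00Discord.exe\x00Telegram.exe\x00")

if __name__ == "__main__":
    print(triage_bytes(SAMPLE))
```

On a real file, pass `open(path, "rb").read()` to `triage_bytes`; a hit is a hunting lead for manual review, not a malware verdict, since legitimate pkg-built tools match the same markers.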

In conclusion, cybercriminals adopting Node.js in their malicious activities underscores the evolving landscape of cybersecurity threats. With innovative techniques like NodeLoader, threat actors continue to bypass traditional security measures, emphasizing the critical need for proactive and adaptive cybersecurity strategies to safeguard against such advanced threats.
