EXECUTIVE SUMMARY
A highly sophisticated threat actor has been identified as behind a campaign using the DinDoor malware, which exploits the Deno runtime to carry out its operations. The threat actor appears to be targeting various sectors and regions, with a primary goal of data theft. The campaign has been linked to the Tsundere Botnet and has been observed using a multi-tenant infrastructure shared with other threat actors, including MuddyWater. The DinDoor malware is delivered via MSI files and relies on the Deno runtime for execution, making it difficult to detect in networks where Deno is allowlisted.
Once inside, the malware runs obfuscated JavaScript to communicate with its command and control (C2) infrastructure, fingerprint victims and fetch follow-on payloads. Because DinDoor executes through the Deno runtime, which attackers are increasingly using to run malicious code, it falls into a detection gap in environments where monitoring is tuned for PowerShell, Python or Node.js but lacks coverage for Deno. The malware identifies each victim to its C2 infrastructure with a unique identifier generated by a dual rolling hash function.
The C2 servers carry the attacker's commands to the implant and return the collected data to the attacker. DinDoor is significant for organisations because it is difficult to detect and recover from and can cause substantial damage to a network; its use of Deno and obfuscated JavaScript makes it hard to identify and remove. Organisations should act now by patching their systems, monitoring for Deno activity and maintaining regular backups. They should also ensure that endpoint protection is up to date and configured to detect and block Deno-related activity.
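The detection gap described above is a process-monitoring gap: the Deno binary is rarely on a watchlist next to powershell.exe, python.exe and node.exe. The following hunting heuristic is an added example written for this advisory; it is not code from the referenced reports and it encodes no observed DinDoor indicators. It scores Sysmon-style process-creation events for a Deno launch whose parent, install path, permission flags or script location is unexpected. The field names, the "expected" install paths, the suspicious-parent list and the sample events are all constructed assumptions that a team would replace with its own baseline; the permission flags are real Deno CLI flags.

```python
"""Heuristic triage of Deno process-creation events (added example, not from the advisory)."""
import re
from typing import Dict, List, Tuple

# Assumed: parents that should not normally launch a script runtime on a workstation.
# The advisory notes delivery via MSI files, hence msiexec.exe; the rest are generic.
SUSPICIOUS_PARENTS = {"msiexec.exe", "winword.exe", "excel.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe"}

# Real Deno CLI permission flags that grant broad capabilities. A backdoor needs at
# least network permission to reach its C2, so these raise the score but are not
# malicious on their own (developers use them too).
BROAD_PERMISSION_FLAGS = re.compile(
    r"(?:^|\s)(?:-A|--allow-all|--allow-net(?:=\S+)?|--allow-run)(?:\s|$)")

# Assumed: where Deno is legitimately installed in this environment (lower-case).
EXPECTED_DENO_PATHS = ("c:\\program files\\deno\\", "c:\\users\\dev\\.deno\\bin\\")

# Script or module locations that an installer-dropped payload would typically use.
USER_WRITABLE_PATH = re.compile(r"\b(?:appdata|temp|programdata|public)\b", re.I)


def score_event(ev: Dict[str, str]) -> List[str]:
    """Return the heuristic hits for one process-creation event (empty if not Deno)."""
    image = ev.get("Image", "").lower()
    if not (image.endswith("\\deno.exe") or image == "deno.exe"):
        return []  # only Deno launches are in scope for this rule
    hits: List[str] = []
    parent = ev.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in SUSPICIOUS_PARENTS:
        hits.append(f"deno spawned by {parent}")
    if not image.startswith(EXPECTED_DENO_PATHS):
        hits.append("deno binary outside expected install paths")
    cmd = ev.get("CommandLine", "")
    if BROAD_PERMISSION_FLAGS.search(cmd):
        hits.append("broad permission flags")
    if USER_WRITABLE_PATH.search(cmd):
        hits.append("script or module from user-writable path")
    return hits


def triage(events: List[Dict[str, str]], min_hits: int = 2) -> List[Tuple[str, List[str]]]:
    """Report events with at least min_hits hits; a single hit is too noisy on dev hosts."""
    out = []
    for ev in events:
        hits = score_event(ev)
        if len(hits) >= min_hits:
            out.append((ev["ProcessId"], hits))
    return out


# Constructed sample events (not real telemetry). Field names follow Sysmon Event ID 1.
SAMPLE_EVENTS = [
    {   # developer running a local server from the expected install: one hit only
        "ProcessId": "1201",
        "Image": r"C:\Program Files\deno\deno.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"deno run --allow-net=localhost:8000 C:\dev\app\server.ts",
    },
    {   # installer-spawned Deno from a temp directory with all permissions: four hits
        "ProcessId": "4412",
        "Image": r"C:\Users\alice\AppData\Local\Temp\deno.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r"deno.exe run -A C:\Users\alice\AppData\Local\Temp\bootstrap.js",
    },
    {   # not Deno at all: out of scope
        "ProcessId": "2330",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "powershell.exe -NoProfile",
    },
    {   # routine self-update from the expected install: no hits
        "ProcessId": "5101",
        "Image": r"C:\Program Files\deno\deno.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "deno upgrade",
    },
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(hits))
```

The threshold matters: on hosts where Deno is allowlisted for developers, a rule that fires on every `--allow-net` launch will be tuned out within a week, whereas the combination of an installer parent and a binary outside the known install path is rare enough to page on. Feed the same events to whatever SIEM you use; the heuristic is deliberately expressed as plain field checks so it translates to a Sigma rule or a KQL query directly.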
THREAT PROFILE:
Targeted Sector: Technology & IT
Targeted Region: Global
Malware Category: Backdoor
Malware Observed: DinDoor
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/new-dindoor-backdoor-abuses-deno-runtime/
https://hunt.io/blog/dindoor-deno-runtime-backdoor-msi-analysis