Cybersecurity researchers have revealed details of an active malware campaign called Stealit that has leveraged the single executable application (SEA) feature of Node.js as a way to distribute its payload.
According to Fortinet FortiGuard Labs, some variants have also used the open-source Electron framework to distribute the malware. The malware is assessed to be propagated through fake installers for games and VPN applications that are uploaded to file-sharing sites such as MediaFire and Discord.
SEA is a feature that allows Node.js applications to be packaged and distributed as a standalone executable, even on systems without Node.js installed.
“Both approaches are effective for distributing Node.js-based malware, as they allow execution without the need for pre-installed Node.js runtime or additional dependencies,” security researchers Eduardo Altares and Joey Salvio said in a report shared with The Hacker News.
On a dedicated website, the threat actors behind Stealit claim to offer “professional data extraction solutions” through several subscription plans. It includes a remote access trojan (RAT) that supports file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Windows operating systems.
Windows Stealer prices range from $29.99 for a weekly subscription to $499.99 for a lifetime license. On the other hand, the price of Android RAT goes from $99.99 to $1,999.99.
The fake executable contains an installer that is designed to retrieve the core components of the malware from the command-and-control (C2) server and install them, but not before performing several anti-analysis checks to determine whether it is running inside a virtual or sandboxed environment.
An important aspect of this step involves writing the Base64-encoded authentication key, a 12-character alphanumeric key, into the %temp%\cache.json file. This key is used to authenticate with C2 servers, as well as to log into the dashboard by clients to monitor and control their victims.
The malware has also been engineered to configure Microsoft Defender Antivirus exclusions so that folders containing downloaded components are not flagged. The functions of the three executables are as follows:
- save_data.exe, which is downloaded and executed only when the malware is running with elevated privileges. It is designed to drop a tool called “cache.exe” to extract information from Chromium-based browsers; the tool is part of the open-source project ChromElevator.
- statistics_db.exe, which is designed to extract information from messengers (Telegram, WhatsApp), cryptocurrency wallets and wallet browser extensions (Atomic and Exodus), and game-related apps (Steam, Minecraft, Growtopia, and Epic Games Launcher).
- game_cache.exe, which is designed to establish persistence on the host by creating a Visual Basic script that launches upon system reboot and communicates with the C2 server to stream the victim’s screen in real time, execute arbitrary commands, download/upload files, and change the desktop wallpaper.
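The artifacts described above (the Base64-encoded 12-character key in %temp%\cache.json, the Defender exclusions, and the three component names) lend themselves to a simple host triage check. The following is an added example, not code from the Fortinet report; the cache.json layout, the folder paths and the directory listing are constructed, and the exclusion list is assumed to come from the ExclusionPath property of Get-MpPreference.

```python
import base64
import json
import re
from typing import Any, Dict, List

# Artifacts named in the report: the three downloaded components, the browser
# credential tool they drop, and the 12-character alphanumeric auth key that is
# written Base64-encoded to %temp%\cache.json.
STEALIT_COMPONENTS = {"save_data.exe", "statistics_db.exe", "game_cache.exe", "cache.exe"}
AUTH_KEY_RE = re.compile(r"[A-Za-z0-9]{12}")

def decodes_to_auth_key(value: str) -> bool:
    """True if value is strict Base64 that decodes to exactly 12 alphanumeric chars."""
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return AUTH_KEY_RE.fullmatch(raw.decode("ascii", errors="replace")) is not None

def _strings(node: Any):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, (dict, list)):
        for child in (node.values() if isinstance(node, dict) else node):
            yield from _strings(child)

def find_auth_keys(cache_json_text: str) -> List[str]:
    """Return the decoded candidate auth keys found anywhere in a cache.json body."""
    try:
        doc = json.loads(cache_json_text)
    except json.JSONDecodeError:
        return []
    return [base64.b64decode(s).decode("ascii") for s in _strings(doc) if decodes_to_auth_key(s)]

def shielded_components(exclusions: List[str], listing: Dict[str, List[str]]) -> List[str]:
    """Cross-check Defender folder exclusions (e.g. from Get-MpPreference) against a
    directory listing; return folder\\file for each known component in an excluded folder."""
    return [f"{folder}\\{name}" for folder in exclusions
            for name in listing.get(folder, []) if name.lower() in STEALIT_COMPONENTS]

# Constructed sample inputs; the real cache.json layout is not documented in the report.
SAMPLE_CACHE_JSON = json.dumps({"auth": base64.b64encode(b"a1B2c3D4e5F6").decode(), "ver": "1"})
SAMPLE_EXCLUSIONS = [r"C:\Users\victim\AppData\Local\Temp\cache"]
SAMPLE_LISTING = {SAMPLE_EXCLUSIONS[0]: ["game_cache.exe", "readme.txt"]}
```

On a live host, feed `find_auth_keys` the contents of %temp%\cache.json and `shielded_components` the current exclusion list plus a walk of each excluded folder; a non-empty result from either is worth escalating.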
“This new Stealit campaign takes advantage of the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to easily distribute malicious scripts to systems without Node.js installed,” Fortinet said. “The threat actors behind this may be taking advantage of the novelty of the feature, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard.”