Node.js Malware Targeting Crypto Users Spreads via Fake Installers


VTA-004512 – Node.js Malware Targeting Crypto Users Spreads via Fake Installers

A new malvertising campaign is exploiting Node.js developers and cryptocurrency users by delivering malicious npm packages disguised as legitimate tools. The attack primarily affects developers who rely on npm for dependencies, as well as crypto traders who may unknowingly install compromised packages. The damage can be severe, ranging from stolen credentials and cryptocurrency wallets to complete system compromise, leading to significant financial losses.

The technique these attackers use is typosquatting – publishing fake npm packages whose names closely resemble popular ones – to trick users into downloading them. Once executed, the installer deploys a malicious DLL (CustomActions.dll), which collects system data via Windows Management Instrumentation (WMI) and establishes persistence through scheduled tasks. The DLL also runs obfuscated PowerShell commands to evade Microsoft Defender for Endpoint by excluding the PowerShell process and the current directory from scanning. To avoid suspicion, the malware additionally opens a decoy msedge_proxy window displaying a legitimate cryptocurrency trading site. The PowerShell scripts then retrieve system and BIOS information, package it as JSON, and exfiltrate it to a command-and-control (C2) server. In the final stage, the malware downloads a Node.js runtime and a compiled JavaScript file, which runs to establish network connections and likely harvests sensitive browser data, including cryptocurrency wallet credentials.
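The behaviours in the chain above (a Defender exclusion added from PowerShell, a scheduled task created by a script host, WMI inventory of system and BIOS data, and a Node.js runtime launched from a temporary directory) each leave a process-creation record that can be matched. The following is an added example, not code from the advisory or from Microsoft's report: a small Python rule set run over constructed Sysmon-style events. The event field names, the sample command lines and the list of trusted Node.js install directories are assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    severity: str  # "low", "medium" or "high"


# Assumption: directories from which node.exe is expected on a developer
# workstation. Adjust to the install paths used in your environment.
TRUSTED_NODE_DIRS = (r"c:\program files\nodejs", r"\appdata\roaming\nvm", r"\appdata\local\fnm")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample process-creation events shaped like the fields of a
# Sysmon Event ID 1 record; they are not telemetry from a real incident.
# The base64 argument in event 3 is a placeholder (base64 of "PLACEHOLDER").
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\dev\Downloads\TradingAppSetup.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Users\dev\Downloads\TradingAppSetup.exe"'},
    {"id": 2, "image": PS, "parent": r"C:\Windows\System32\msiexec.exe",
     "cmd": r'powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass '
            r'-Command "Add-MpPreference -ExclusionProcess powershell.exe; '
            r'Add-MpPreference -ExclusionPath (Get-Location)"'},
    {"id": 3, "image": r"C:\Windows\System32\schtasks.exe", "parent": PS,
     "cmd": r'schtasks /create /sc minute /mo 15 /tn "Updater" '
            r'/tr "powershell.exe -enc UExBQ0VIT0xERVI=" /f'},
    {"id": 4, "image": PS, "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r'powershell.exe -NoProfile -Command "Get-CimInstance Win32_BIOS | ConvertTo-Json"'},
    {"id": 5, "image": r"C:\Users\dev\AppData\Local\Temp\node-v20\node.exe", "parent": PS,
     "cmd": r'node.exe C:\Users\dev\AppData\Local\Temp\client.js'},
    {"id": 6, "image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmd": r'node.exe scripts\build.js'},
]


def _is_powershell(image: str) -> bool:
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def defender_exclusion_added(e: dict) -> bool:
    """PowerShell adding Defender exclusions: the evasion step the advisory describes."""
    return _is_powershell(e["image"]) and bool(re.search(
        r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", e["cmd"], re.I))


def hidden_or_encoded_powershell(e: dict) -> bool:
    """Hidden-window or base64-encoded PowerShell anywhere in the command line."""
    cmd = e["cmd"]
    hidden = re.search(r"-(?:w|WindowStyle)\s+hidden", cmd, re.I)
    encoded = re.search(r"-(?:e|ec|enc|EncodedCommand)\s+[A-Za-z0-9+/=]{8,}", cmd, re.I)
    return "powershell" in cmd.lower() and bool(hidden or encoded)


def scheduled_task_from_script_host(e: dict) -> bool:
    """Persistence: task creation whose parent is PowerShell or a script engine."""
    creates = (e["image"].lower().endswith("schtasks.exe") and re.search(r"/create\b", e["cmd"], re.I)) \
        or re.search(r"\bRegister-ScheduledTask\b", e["cmd"], re.I)
    scripted_parent = _is_powershell(e["parent"]) or e["parent"].lower().endswith(("wscript.exe", "cscript.exe"))
    return bool(creates) and scripted_parent


def node_outside_trusted_dirs(e: dict) -> bool:
    """A node.exe image that does not live in a known Node.js install location."""
    image = e["image"].lower()
    return image.endswith(r"\node.exe") and not any(d in image for d in TRUSTED_NODE_DIRS)


def wmi_inventory_from_powershell(e: dict) -> bool:
    """System/BIOS inventory via WMI; common for admins, so low severity on its own."""
    return _is_powershell(e["image"]) and bool(re.search(
        r"(?:Get-WmiObject|Get-CimInstance|gwmi)\b.*Win32_(?:BIOS|ComputerSystem|OperatingSystem)",
        e["cmd"], re.I))


RULES = [
    ("defender_exclusion_added", "high", defender_exclusion_added),
    ("hidden_or_encoded_powershell", "medium", hidden_or_encoded_powershell),
    ("scheduled_task_from_script_host", "high", scheduled_task_from_script_host),
    ("node_outside_trusted_dirs", "medium", node_outside_trusted_dirs),
    ("wmi_inventory_from_powershell", "low", wmi_inventory_from_powershell),
]


def scan_events(events: list[dict]) -> list[Finding]:
    return [Finding(e["id"], name, sev) for e in events for name, sev, check in RULES if check(e)]


def assess(findings: list[Finding]) -> str:
    """Escalate when several distinct medium/high behaviours co-occur on one host."""
    notable = {f.rule for f in findings if f.severity in ("medium", "high")}
    if len(notable) >= 3:
        return "probable multi-stage compromise"
    if any(f.severity == "high" for f in findings):
        return "investigate"
    return "monitor"


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} [{f.severity}]")
    print("verdict:", assess(scan_events(SAMPLE_EVENTS)))
```

The WMI rule is deliberately low severity on its own, since inventory queries are routine administration; the value comes from `assess`, which escalates only when the exclusion, persistence and out-of-place runtime behaviours appear together on the same host, as they do in this campaign.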

To mitigate this threat, developers should always verify package sources, check download counts, and review dependencies before installation. Tools like npm audit can help detect suspicious packages, while enabling two-factor authentication (2FA) for npm accounts adds an extra layer of security. Keeping systems updated and using endpoint protection solutions further reduces the risk of infection. Vigilance and skepticism toward unfamiliar packages are key to avoiding such attacks, and as Node.js-based threats rise, proactive monitoring of JavaScript execution and network traffic is critical to detecting and stopping them early.

Severity:
Medium

Attack Surface:
Endpoint, File Transfer, Web Browser

Tactics:
Collection, Command and Control, Credential Access, Defense Evasion, Discovery, Exfiltration, Initial Access, Persistence

Techniques:
T1189 – Drive-by Compromise
T1053.005 – Scheduled Task/Job: Scheduled Task
T1564.001 – Hide Artifacts: Hidden Files and Directories
T1027 – Obfuscated Files or Information
T1497.003 – Virtualization/Sandbox Evasion: Time Based Evasion
T1082 – System Information Discovery
T1003 – OS Credential Dumping
T1005 – Data from Local System
T1071.001 – Application Layer Protocol: Web Protocols
T1105 – Ingress Tool Transfer
T1041 – Exfiltration Over C2 Channel

References:
1. https://www.microsoft.com/en-us/security/blog/2025/04/15/threat-actors-misuse-node-js-to-deliver-malware-and-other-malicious-payloads/

SuperPRO’s Threat Countermeasures Procedures:
1. Always verify the source and reputation of npm packages before installation.
2. Use npm audit and a committed package-lock.json to detect suspicious or unexpected dependencies.
3. Monitor for unusual behavior from node.exe, especially in non-development environments.
4. Enable tamper protection and application control to block unauthorized Node.js or PowerShell executions.
5. Train developers to avoid running unknown installers or scripts from unofficial sources.
6. Block obfuscated PowerShell and WMI activity using attack surface reduction (ASR) rules.
7. Investigate the creation of scheduled tasks or suspicious persistence mechanisms.
8. Keep systems, development environments, and security tools updated with the latest patches.
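Steps 1 and 2 above, as an added example that is not part of the advisory: a Python check that flags dependency names in a package.json that are one edit or a separator change away from a well-known package, and package-lock.json entries resolved from a registry outside an allow-list or lacking an integrity hash. The popular-package list, the allowed registry host, and the manifest and lockfile contents are constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: a short allow-list of well-known package names; in practice this
# would be the top-N npm packages by downloads or an organisation's approved list.
POPULAR_PACKAGES = ["express", "axios", "request", "lodash", "react", "left-pad"]

# Assumption: registries the lockfile is allowed to resolve from.
ALLOWED_REGISTRY_HOSTS = {"registry.npmjs.org"}

# Constructed package.json: three exact matches and two lookalike names.
SAMPLE_MANIFEST = {
    "name": "wallet-dashboard",
    "dependencies": {"express": "^4", "axios": "^1", "reqeust": "^2", "lo.dash": "^4", "left-pad": "^1"},
}

# Constructed package-lock.json (lockfileVersion 3 layout): one entry resolved from
# the public registry with an integrity hash, one from an unknown host without one.
SAMPLE_LOCK = {
    "name": "wallet-dashboard",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "wallet-dashboard"},
        "node_modules/express": {
            "version": "4.0.0",
            "resolved": "https://registry.npmjs.org/express/-/express-4.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        "node_modules/reqeust": {
            "version": "2.0.1",
            "resolved": "https://pkg.mirror.invalid/reqeust/-/reqeust-2.0.1.tgz",
        },
    },
}


@dataclass(frozen=True)
class Lookalike:
    name: str
    resembles: str
    reason: str


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transpositions, so 'reqeust' is one step from 'request'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def _normalise(name: str) -> str:
    """Drop scope, separators and case so 'lo.dash' and 'lo-dash' both become 'lodash'."""
    return re.sub(r"[^a-z0-9]", "", name.lower().split("/")[-1])


def find_lookalikes(deps: dict, popular: list[str], max_distance: int = 1) -> list[Lookalike]:
    """Names that are not a known package but sit within one edit or a
    separator/case change of one."""
    hits = []
    for name in deps:
        if name in popular:
            continue  # exact match with a known package: nothing to flag
        for known in popular:
            if _normalise(name) == _normalise(known):
                hits.append(Lookalike(name, known, "separator_or_case_variant"))
                break
            if osa_distance(name.lower(), known.lower()) <= max_distance:
                hits.append(Lookalike(name, known, f"within_{max_distance}_edit"))
                break
    return hits


def check_lock_sources(lock: dict, allowed_hosts: set = ALLOWED_REGISTRY_HOSTS) -> list[str]:
    """Lockfile entries resolved from a registry outside the allow-list or lacking
    an integrity hash; either is what an edited or replaced lockfile looks like."""
    flagged = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project itself
        resolved = entry.get("resolved", "")
        host = urlparse(resolved).hostname if resolved else None
        if host not in allowed_hosts or "integrity" not in entry:
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    for hit in find_lookalikes(SAMPLE_MANIFEST["dependencies"], POPULAR_PACKAGES):
        print(f"{hit.name!r} resembles {hit.resembles!r} ({hit.reason})")
    print("suspicious lockfile entries:", check_lock_sources(SAMPLE_LOCK))
```

A distance threshold of 1 keeps false positives low on short names; raising it to 2 catches more variants but will also flag legitimately similar packages, so review rather than block on a hit. The lockfile check complements npm audit, which reports known vulnerabilities in resolved versions but does not itself tell you where a tarball was fetched from.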

Contributed by: Tasneem