Node.js Used in Recent Exploit Campaign

CVE-2014-6332 was leveraged in a campaign that makes use of Node.js, a runtime environment for developing server-side applications. NSS' Cyber Advanced Warning System provides the following details:

[Screenshot: CAWS Threat Detail screen]

[Screenshot: Outbound Network Connections page in Salesforce]

Static Analysis

Install1.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: b2d948120c1879d869ee9f311f76a248
Size: 152064 bytes

Install1.exe appears to be a Win32 Cabinet Self-Extractor.

Strings

index.js
run_node.bat
run.bat
run.vbs
downloadnode.vbs
cc.txt
cmd /c run_node.bat
Software\Microsoft\Windows\CurrentVersion\RunOnce

File names discovered
IXP%03d.TMP
TMP4351$.TMP
msdownld.tmp

Behavioral Analysis

Accessing the URL hxxp://tiptopcom[dot]tv/blog/track1[dot]html leads to the download of install1.exe. For the executable to run properly, it must be run from a folder named 'Processes'.

[Screenshot: Follow TCP Stream screen with several lines of code]

Fig 1: After running install1.exe, two GET requests are made to speed555.com

We can therefore say that install1.exe is a downloader: it fetches the files nodejs.exe and nssm.exe.

Checking the hashes with VirusTotal indicates that nodejs.exe and nssm.exe are authentic: nodejs.exe is the Windows binary for Node.js and nssm.exe is the Windows binary for the Non-Sucking Service Manager.

[Screenshot: file directory listing with several .exe files and their sizes]

Fig 2: Process Explorer shows that NSSM is being used to install Node.js onto the system

[Screenshot: properties dialog for nssm.exe:3564]

Fig 3: The process properties give us the location where nssm.exe is located

[Screenshot: node_daemon Properties (Local Computer) dialog]

Fig 4: The node_daemon service properties show signs of persistence

[Screenshots: two Follow TCP Stream screens showing the captured traffic]

Fig 5: Examples of network connections made after the executable was run

Contained in the C:\Users\<USER>\AppData\Roaming\nodejs directory shown by the nssm.exe process details are files index.js, nodejs.exe, run.bat, run.vbs and many more.

Viewing the log files in the nodejs directory shows that the malware sample cannot connect to the callback server at 199.48.227.212, along with other errors. Analyzing the JavaScript files in the same directory suggests that this piece of malware creates a server on the host and possibly functions as a bot. Further analysis could be conducted to confirm this hypothesis.

Available IOCs

install1.exe: b2d948120c1879d869ee9f311f76a248 (MD5)
run.vbs: 69f3fd923530185af290342184bc382f (MD5)
index.js: 1d0fa6548ffca2fc62680cadb7cf014d (MD5)
run.bat: df840c7b4d81c4af14e2e84abf73f56a (MD5)

C:\Users\<USER>\AppData\Roaming\nodejs
Speed555.com
199.48.227.212
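The following host-triage script is an added example and not part of the original analysis. It checks a Windows host for the artifacts described above: the node_daemon service installed through NSSM, RunOnce entries that reference run_node.bat or run.vbs, the %APPDATA%\nodejs directory, and any file there whose MD5 matches the IOC list. It assumes the RunOnce key sits under HKCU or HKLM (the post does not state the hive), and the function name and output format are this example's own.

```powershell
# Added host-triage example; the function name and message format are this example's own.
# MD5 values are the IOCs published in the post above.
$KnownMd5 = @{
    'b2d948120c1879d869ee9f311f76a248' = 'install1.exe'
    '69f3fd923530185af290342184bc382f' = 'run.vbs'
    '1d0fa6548ffca2fc62680cadb7cf014d' = 'index.js'
    'df840c7b4d81c4af14e2e84abf73f56a' = 'run.bat'
}

function Find-NodeDaemonArtifacts {
    $hits = @()

    # 1. Service persistence (Fig 2-4): the node_daemon service, or any service whose
    #    binary path points at nssm.exe or a nodejs directory.
    Get-CimInstance Win32_Service | Where-Object {
        $_.Name -eq 'node_daemon' -or $_.PathName -match 'nssm\.exe|\\nodejs\\'
    } | ForEach-Object {
        $hits += "service: $($_.Name) state=$($_.State) path=$($_.PathName)"
    }

    # 2. RunOnce persistence (key name recovered from the strings in install1.exe).
    #    The hive is not given on the page, so both user and machine hives are checked (assumption).
    foreach ($hive in 'HKCU', 'HKLM') {
        $key = "${hive}:\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        if (Test-Path $key) {
            foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
                if ($p.Value -is [string] -and $p.Value -match 'run_node\.bat|run\.vbs|nodejs') {
                    $hits += "runonce: $key\$($p.Name) = $($p.Value)"
                }
            }
        }
    }

    # 3. Dropped files under %APPDATA%\nodejs, hashed and compared to the published MD5 IOCs.
    $dir = Join-Path $env:APPDATA 'nodejs'
    if (Test-Path $dir) {
        $hits += "directory: $dir exists"
        Get-ChildItem -Path $dir -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $md5 = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
            if ($KnownMd5.ContainsKey($md5)) {
                $hits += "ioc-hash: $($_.FullName) matches $($KnownMd5[$md5]) ($md5)"
            }
        }
    }
    return $hits
}

Find-NodeDaemonArtifacts
```

An empty result means none of the listed artifacts were found; a hit on the service or RunOnce entry alone is still worth investigating, since dropped files may have been renamed or cleaned up.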


Kevin Valle - Threat Researcher - Follow me on twitter: @demolished23


TAGS: CAWS, Cyber Advanced Warning System, Exploits