Cyber security / White Hat / September 6, 2023
Recently, an interesting latent malware infection was found on a newly onboarded machine at one of our clients (the Client). Microsoft Defender for Endpoint (MDE) reported anomalies about the computer shortly after onboarding, but uncovering the inner workings of the malware and the infection method required a thorough investigation, an anonymized version of which we present in this article with the Client’s approval.
We received a low-severity “An active ‘MpTamperBulkExcl’ malware in a command line was prevented from executing on one endpoint” incident in Microsoft Sentinel on 6/6/2023, on a freshly onboarded machine.
The node.exe application, run by svchost (services.exe, Scheduled Task), tried to add the “C:\” path to the Defender exclusion list.
After notifying the Client’s internal SecOps team, the first impression was that this was possibly user activity: there was no visible infection, node.exe looked like a development component, and the scheduled task ran with high integrity. It nevertheless raised some suspicion, and we investigated the origins of the process. Our investigation uncovered a scheduled task with a misleading name and an obfuscated JavaScript file.
At this point, we shared the initial results and decided to investigate in-depth and analyze the artefacts.
The scheduled task (“GPU User Trend”) had been created before the retained EventLog timeframe (24th May), because the first event containing this task name already shows a scheduled, time-triggered run.
Since the machine was onboarded to MDE on 6th June, we could not see any MDE telemetry for this device before that time. The suspicious activity was detected immediately after onboarding.
In the attached JavaScript file, which was run by the scheduled Node.js executable, the obfuscated functions have some curious names:
The script also uses an RC4 cryptographic function:
From these, we later concluded that this JavaScript file is a malicious backdoor with the purpose of establishing persistence.
Using hunting KQL queries, we found multiple highly suspicious activities originating from node.exe, initiated from a scheduled task.
Checking the artifacts with VirusTotal, we found multiple downloads and file creations with a bad VirusTotal reputation score:
Most of the node.exe downloads originated from “de.mynodejs[.]net” and the attached JavaScript contained the “updatepush[.]com” domain.
Unfortunately, the available logs didn’t provide us with enough history to identify the infection source with certainty.
We also concluded that the two domains are good Indicators of Compromise and can be added to a blocklist, since the de.mynodejs[.]net site is a fake Node.js site serving the malware.
It even appeared in a GitHub issue at the genuine Node.js project, because a similar misleading infection tricked other people too, as the following source suggests: https://github.com/nodejs/node/issues/42707
By checking the history of this domain, we discovered that it was registered in 2017, has been used for malicious activities, and has had no benign content otherwise; thus, we continued to investigate and reverse the malware.
The scheduled task starts by executing the JavaScript file, which in its first step downloads an executable into the folder C:\Windows\Temp under a randomly generated, ID-like name. In our case, the filename including its path was the following: c:\windows\temp\f78bc655-f740-83d5-ab50-da3f06f879d5\121b973a-aa5f-3296-2d1c-e1ba86f899db.exe. This file is also known to VirusTotal and the security community:
Under the domains section, we find the same domain, de.mynodejs[.]net, but there are also some other old domains, commonly known to be malicious, related to this type of infection, for example jspixel[.]com. At this point we began to suspect that the infection originated from a long-maintained commercial malware, reusing the same infrastructure with modest changes. (Note that the same jspixel[.]com domain will show up later in the analysis of the browser extension.)
The executable file is packed with Themida, which is legitimate software intended to protect digital products, but here used by the malware developer with the intention of bypassing security controls. After unpacking the protected content, we had five .dll files and one executable file:
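As an added illustration (not the authors’ own KQL or tooling), the following Python script applies the three hunting patterns this investigation turned on to constructed events shaped like MDE process telemetry: node.exe launched by the Task Scheduler service host, a command line that adds a Defender exclusion, and an executable dropped under a GUID-named folder in C:\Windows\Temp. The device names, the task’s script path and the PowerShell command line are assumed sample values; only the dropped file path is taken from the article.

```python
import re

# Constructed sample of process and file-creation events in the shape of MDE telemetry
# (not real Client data); ws-02 is a benign developer running node.exe from a shell.
SAMPLE_EVENTS = [
    {"device": "ws-01", "parent": "svchost.exe", "parent_cmd": "svchost.exe -k netsvcs -p -s Schedule",
     "process": "node.exe", "cmd": r'"C:\Program Files\nodejs\node.exe" C:\ProgramData\gpu_trend.js'},
    {"device": "ws-01", "parent": "node.exe", "parent_cmd": r"node.exe C:\ProgramData\gpu_trend.js",
     "process": "powershell.exe", "cmd": r'powershell -c "Add-MpPreference -ExclusionPath C:\"'},
    {"device": "ws-01", "parent": "node.exe", "parent_cmd": r"node.exe C:\ProgramData\gpu_trend.js",
     "process": "node.exe", "cmd": "",
     "file_created": r"c:\windows\temp\f78bc655-f740-83d5-ab50-da3f06f879d5\121b973a-aa5f-3296-2d1c-e1ba86f899db.exe"},
    {"device": "ws-02", "parent": "cmd.exe", "parent_cmd": "cmd.exe",
     "process": "node.exe", "cmd": "node.exe server.js"},
]

GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# Executable dropped under a GUID-named folder in C:\Windows\Temp, itself GUID-named.
TEMP_GUID_EXE = re.compile(rf"^c:\\windows\\temp\\{GUID}\\{GUID}\.exe$", re.I)
# Defender exclusion tampering via the MpPreference cmdlets (the MpTamperBulkExcl alert family).
MP_EXCLUSION = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion", re.I)


def is_task_launched_node(ev):
    """node.exe whose parent is the Task Scheduler service host (svchost -s Schedule)."""
    return (ev["process"].lower() == "node.exe" and ev["parent"].lower() == "svchost.exe"
            and "schedule" in ev["parent_cmd"].lower())


def hunt(events):
    """Return (device, rule, evidence) triples for every event matching one of the three rules."""
    findings = []
    for ev in events:
        if is_task_launched_node(ev):
            findings.append((ev["device"], "node_from_scheduled_task", ev["cmd"]))
        if MP_EXCLUSION.search(ev["cmd"]):
            findings.append((ev["device"], "defender_exclusion_tamper", ev["cmd"]))
        path = ev.get("file_created", "")
        if path and TEMP_GUID_EXE.match(path):
            findings.append((ev["device"], "temp_guid_dropper", path))
    return findings


if __name__ == "__main__":
    for device, rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{device}\t{rule}\t{evidence}")
```

Each rule alone produces noise in a developer-heavy estate; the value is in the chain, so triage the device where all three fire on the same host, as they did here.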
Here we see that the packing happened on 16/06/2022, which is the probable date of the campaign that infected this machine.
The unpacked artifacts show that the original files were compiled two years earlier, on 30/04/2018, reinforcing our hypothesis that the malware is old but maintained, adapted to newer attack campaigns.
The unpacked files are related to CPython, the reference implementation of the Python language, so we can conclude that this part of the malware was developed in Python. The DLL files’ exported functions are:
We ran a deep analysis in MDE of the “npm-gyp” module and received a detailed report, from which we highlight the important facts here:
In the installation folder of Node.js we found everything intact, but it contains an “npm-gyp” module, which is intended for compiling native addon modules for Node.js; this means that the attackers can build any malware implant right on the target machine using the Python language.
At this stage, we summarized our findings, drew our conclusions, and reported them to the Client’s SecOps team before going further:
Stay tuned for the second part of this article, in which we’ll analyze the malware’s internals in detail.
Written by: White Hat
Tagged as: cyber security alert, SOC.