Cyber security | White Hat today | September 6, 2023
Recently, an interesting latent malware infection was found on a newly onboarded machine at one of our clients (Client). Microsoft Defender for Endpoint (MDE) reported anomalies about the computer shortly after onboarding, but uncovering the inner workings of the malware and the infection methods required a thorough investigation, an anonymized version of which we present in this article with the Client’s approval.
We received a low-severity incident in Microsoft Sentinel on 6 June 2023, titled “An active ‘MpTamperBulkExcl’ malware in a command line was prevented from executing on one endpoint”, for a freshly onboarded machine.
The alert was raised because node.exe tried to add the “C:\” path to the Defender exclusion list. node.exe itself had been started by svchost.exe (the Task Scheduler service host, a child of services.exe), that is, from a scheduled task. Excluding an entire drive would blind Defender to anything the malware later drops anywhere on it, which is why this tampering attempt is a strong signal on its own.
At this point we shared the initial results with the Client and decided to investigate in depth and analyze the artifacts.
The scheduled task (“GPU User Trend”) was created before the start of the retained EventLog (24 May): the earliest event that mentions the task name already shows a scheduled, time-triggered run, so the creation event itself had already rolled out of the log.
Since the machine was onboarded to MDE on 6 June, no MDE telemetry exists for this device before that date. The suspicious activity was detected immediately after onboarding.
The script also uses the RC4 stream cipher:
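A reimplementation of RC4, added here as an example (it is not the malware’s own code) so that an analyst can decode blobs with the key lifted from such a script. The published RC4 test vector confirms the implementation; the sample key and the config-like payload below are constructed for illustration.

```python
"""RC4 key scheduling and keystream generation, plus the base64-blob wrapper an
analyst typically needs when a script stores its protected strings that way."""
import base64
from typing import List


def rc4_ksa(key: bytes) -> List[int]:
    """Key-scheduling algorithm: permute the 256-byte state under the key."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """PRGA: XOR data with the keystream. RC4 is symmetric, so the same call
    encrypts and decrypts."""
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_blob(key: str, blob_b64: str) -> bytes:
    """Common script pattern: key as a string literal, payload as a base64 blob."""
    return rc4_crypt(key.encode("utf-8"), base64.b64decode(blob_b64))


def encode_blob(key: str, plaintext: bytes) -> str:
    """Inverse of decode_blob; used here only to construct a sample blob."""
    return base64.b64encode(rc4_crypt(key.encode("utf-8"), plaintext)).decode("ascii")


# Published RC4 test vector (key "Key", plaintext "Plaintext") for self-check.
KNOWN_CIPHERTEXT = bytes.fromhex("BBF316E8D940AF0AD3")

# Constructed sample (not from the case): a config-like payload under a hard-coded key.
SAMPLE_KEY = "gputrend"
SAMPLE_PLAINTEXT = b'{"task":"GPU User Trend","c2":"c2.example.invalid"}'
SAMPLE_BLOB = encode_blob(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    assert rc4_crypt(b"Key", b"Plaintext") == KNOWN_CIPHERTEXT
    print(decode_blob(SAMPLE_KEY, SAMPLE_BLOB).decode())
```

Because RC4 is a plain XOR with a key-derived keystream, a wrong key produces garbage rather than an error; always validate the output (printable JSON, a known magic, a URL) before trusting it, and remember that a key found in one sample of a maintained family often works across its other builds.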
Using hunting KQL queries, we found multiple highly suspicious activities originating from node.exe, all initiated from the scheduled task.
Checking the artifacts against VirusTotal, multiple downloads and file creations with bad VirusTotal reputation scores were reported:
Unfortunately, the available logs did not provide enough history to identify the infection source with certainty.
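The two hunts behind the alert and the follow-up queries above (Defender exclusion tampering, and node.exe launched from a scheduled task), prototyped offline as an added example. This is not the authors’ KQL; it runs over constructed records shaped like MDE DeviceProcessEvents rows, the script path is made up, and the parent-process heuristic for “started by a scheduled task” is an assumption stated in the code.

```python
"""Offline prototype of two hunting rules over DeviceProcessEvents-like records."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcessEvent:
    timestamp: str
    device: str
    file_name: str                    # FileName
    command_line: str                 # ProcessCommandLine
    initiating_file_name: str         # InitiatingProcessFileName (parent)
    initiating_parent_file_name: str  # InitiatingProcessParentFileName (grandparent)


# Two ways to add a Defender exclusion: the PowerShell cmdlets, or a direct write
# to the registry key that backs them.
EXCLUSION_CMDLET = re.compile(
    r"(?:Add|Set)-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)
EXCLUSION_REGKEY = re.compile(
    r"Windows Defender\\Exclusions\\(?:Paths|Processes|Extensions)", re.I)
# The argument carrying the excluded path: -ExclusionPath for the cmdlet, /v for reg.exe.
PATH_ARG = re.compile(r"(?:-ExclusionPath|/v)\s+(\"[^\"]*\"|'[^']*'|\S+)", re.I)
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def exclusion_paths(cmdline: str) -> List[str]:
    """Paths a command line tries to exclude (comma-separated, quotes stripped)."""
    m = PATH_ARG.search(cmdline)
    if not m:
        return []
    raw = m.group(1).strip("\"'")
    return [p.strip().strip("\"'") for p in raw.split(",") if p.strip()]


def tamper_severity(ev: ProcessEvent) -> Optional[str]:
    """'high' when a whole drive is excluded (Defender would then ignore everything
    on it), 'medium' for any other exclusion change, None when nothing is seen."""
    cl = ev.command_line
    if not (EXCLUSION_CMDLET.search(cl) or EXCLUSION_REGKEY.search(cl)):
        return None
    if any(DRIVE_ROOT.match(p) for p in exclusion_paths(cl)):
        return "high"
    return "medium"


def from_scheduled_task(ev: ProcessEvent) -> bool:
    """Assumption used by this example: the Task Scheduler runs tasks from a
    svchost.exe whose parent is services.exe, the ancestry seen in the alert."""
    return (ev.initiating_file_name.lower() == "svchost.exe"
            and ev.initiating_parent_file_name.lower() == "services.exe")


def hunt(events: List[ProcessEvent]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, device, rule, severity) for every matching event."""
    findings = []
    for ev in events:
        if ev.file_name.lower() == "node.exe" and from_scheduled_task(ev):
            findings.append((ev.timestamp, ev.device, "node_from_scheduled_task", "medium"))
        sev = tamper_severity(ev)
        if sev:
            findings.append((ev.timestamp, ev.device, "defender_exclusion_tamper", sev))
    return findings


# Constructed sample telemetry (not real client data); the script path is invented.
SAMPLE_EVENTS = [
    ProcessEvent("2023-06-06T08:00:01Z", "ws01", "node.exe",
                 r"node.exe C:\ProgramData\gputrend\index.js", "svchost.exe", "services.exe"),
    ProcessEvent("2023-06-06T08:00:03Z", "ws01", "powershell.exe",
                 r"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath 'C:\'",
                 "node.exe", "svchost.exe"),
    ProcessEvent("2023-06-06T09:15:00Z", "ws02", "powershell.exe",
                 r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Dev\build",
                 "explorer.exe", "userinit.exe"),
    ProcessEvent("2023-06-06T09:16:00Z", "ws02", "chrome.exe",
                 r"chrome.exe --profile-directory=Default", "explorer.exe", "userinit.exe"),
    ProcessEvent("2023-06-06T10:00:00Z", "ws03", "reg.exe",
                 r'reg.exe add "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t REG_DWORD /d 0',
                 "cmd.exe", "node.exe"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(*finding)
```

The second rule deliberately keys on the initiating process rather than the task name: the task name was only known here after the fact, while node.exe (or any interpreter) being launched by the Task Scheduler host on a workstation that has no business running it is hunt-worthy on any device, onboarded yesterday or not.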
We also concluded that the two domains are good Indicators of Compromise and can be added to a blocklist, since the de.mynodejs[.]net site is a fake Node.js site used by the malware.
The domain even appears in an issue report on the genuine Node.js project, because the same misleading site tricked other people too: https://github.com/nodejs/node/issues/42707
Checking the history of this domain, we found that it was registered in 2017, has been used for malicious activity since, and has never hosted benign content; we therefore continued by reverse engineering the malware.
In the domains section of the report we find the same domain, de.mynodejs[.]net, alongside older, commonly known malicious domains related to this type of infection, for example jspixel[.]com. This was the first indication that the infection originated from a long-maintained commercial malware family that keeps reusing the same infrastructure with modest changes. (The same jspixel[.]com domain shows up again later in the analysis of the browser extension.)
The executable is packed with Themida, a legitimate software protector intended to shield commercial products from reverse engineering, here used by the malware developer to evade security controls. After unpacking the protected content, we had five .dll files and one executable:
Here we see that the packing happened on 16/06/2022, which is the probable date of the campaign that infected this machine. (A PE compile timestamp is set by whoever builds or packs the file and can be forged, so it is indicative rather than conclusive.)
The unpacked artifacts show that the original files were compiled four years earlier, on 30/04/2018, reinforcing our hypothesis that the malware is an old but maintained one, adapted to newer attack campaigns.
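Reading the compile timestamp that both dates above come from, as an added example (not the authors’ tooling): a minimal parser for the COFF header TimeDateStamp, plus the sanity checks an analyst applies because the field is writer-controlled. The PE image it parses is a constructed stub built by the block itself, not the sample from this case.

```python
"""Extract and sanity-check the PE compile timestamp (COFF TimeDateStamp)."""
import struct
from datetime import datetime, timezone
from typing import Tuple


def pe_timestamp(image: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as an aware UTC datetime."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (ts,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def timestamp_verdict(ts: datetime, observed: datetime) -> str:
    """Classify a compile timestamp against the time the sample was first observed."""
    raw = int(ts.timestamp())
    if raw == 0 or raw == 0xFFFFFFFF:
        return "stripped"    # zeroed or all-ones: linker/packer removed it
    if ts > observed:
        return "future"      # later than first sighting: forged or clock skew
    return "plausible"


def classify_pe(image: bytes, observed_iso: str) -> Tuple[str, str]:
    """Convenience wrapper: (ISO timestamp, verdict) for an image and an ISO-8601 sighting time."""
    ts = pe_timestamp(image)
    return ts.isoformat(), timestamp_verdict(ts, datetime.fromisoformat(observed_iso))


def build_minimal_pe(ts: int, machine: int = 0x8664) -> bytes:
    """Constructed PE stub for this example: DOS header with e_lfanew=0x40,
    then the PE signature and a COFF header carrying the given timestamp."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, ts, 0, 0, 0, 0)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # 1655337600 is 2022-06-16T00:00:00Z, chosen to mirror the packing date above.
    sample = build_minimal_pe(1655337600)
    print(*classify_pe(sample, "2023-06-06T00:00:00+00:00"))
```

In a packed sample the outer file carries the packer run’s timestamp and the unpacked payload carries the original build’s, which is exactly the pair of dates compared above; cross-checking both against the first sighting (the MDE onboarding date here) is what turns a forgeable field into usable evidence.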
The unpacked files belong to CPython, the reference implementation of the Python language, so this part of the malware was developed in Python and shipped together with its interpreter runtime. The DLLs’ exported functions are:
In the installation folder of Node.js we found everything intact, but it also contains an “npm-gyp” module destined for compiling native addon modules for Node.js. Such a build tool is driven by Python (which explains the bundled CPython runtime) and, together with a C/C++ compiler on the host, lets the attackers build native implants directly on the target machine.
We ran a deep analysis in MDE on the “npm-gyp” module and received a detailed report, from which we highlight the important facts here:
At this stage we summarized our findings, drew our conclusions and reported them to the customer’s SecOps team before going further:
Stay tuned for the second part of this article, in which we’ll analyze the malware’s internals in detail.
Written by: White Hat