Analysing a latent malware infection on a recently MDE-onboarded machine (Part 1)

Recently, an interesting latent malware infection was found on a newly onboarded machine at one of our clients (Client). Microsoft Defender for Endpoint (MDE) reported anomalies about the computer shortly after onboarding, but uncovering the inner workings of the malware and the infection methods required thorough investigation, which anonymized version we present in this article with the Client’s approval.

The case

We received a low severity “An active ‘MpTamperBulkExcl’ malware in a command line was prevented from executing on one endpoint” incident in Microsoft Sentinel on 6/6/2023, on a freshly onboarded machine.

The node.exe application tried to add the “C:\” path to the Defender exclusion list, ran by svchost (services.exe, Scheduled Task).

After notifying the Client’s internal SecOps team, the first impression was that it was possibly user activity because of no visible infection, seemingly a development component, and a high integrity scheduled task. But it raised some suspicion, and we investigated the origins of the process. Our investigation resulted in discovering a Scheduled Task with a misleading name and an obfuscated JavaScript file.

Initial analysis

At this point, we shared the initial results and decided to investigate in-depth and analyze the artefacts.

The scheduled task (“GPU User Trend”) created before the saved EventLog timeframe (24^th May) because the first event containing this task name already had a scheduled, time triggered running.

Since the machine was onboarded to MDE on 6^th June, we could not see the MDE telemetry data before that time related to this device. The suspicious activity detection happened immediately after the onboarding.

In the attached JavaScript file that was run by the scheduled node.js executable, the obfuscated functions have some curious names:

The script also utilizes RC4 cryptographic function:

From these, we later concluded that this JavaScript file is a malicious backdoor with the purpose of establishing persistence.

Utilizing hunting KQL queries, we found multiple highly suspicious activity originated from node.exe, initiated from a Scheduled task.

Checking the artifacts with the VirusTotal, multiple downloads and file creations with bad VirusTotal reputation score were reported:

• 59/71 https://www.virustotal.com/gui/file/f87ed053f4d26ad33aee5e574087aedaa65d932854b7cb065893e1c0fa5db3d5/details
• 3/59 another JavaScript file, categorized as defender tamper: https://www.virustotal.com/gui/file/7e65471f5524a89c0f5ebbf9a3d1f56c49469f2995a899cc67ff86dbc4958116/community

Most of the node.exe downloads originated from “de.mynodejs[.]net” and the attached JavaScript contained the “updatepush[.]com” domain.

Unfortunately, the available logs didn’t provide us enough history to identify the infection source with certainty.

We also concluded that the two domains can be added to a blocklist being good Indicators of Compromise, since the de.mynodejs[.]net site is a fake Node.js site for the malware.

It even appeared in a GitHub issue report at the genuine Node.js project, because a similar misleading infection tricked other people, too, as the following source suggests: https://github.com/nodejs/node/issues/42707

By checking the history of this domain, we discovered that the domain was registered in 2017 and being used for malicious activities and having no benign content otherwise, thus, we continued to investigate and reversing the malware.

Infection vector

The scheduled task start executing the JavaScript file, and in the first step, it downloads an executable to folder C:\Windows\Temp, under a random generated, ID-like name. In our case, the filename including its path was the following: c:\windows\temp\f78bc655-f740-83d5-ab50-da3f06f879d5\121b973a-aa5f-3296-2d1c-e1ba86f899db.exe. This file is also known by VirusTotal, and the security community:

https://www.virustotal.com/gui/file/f87ed053f4d26ad33aee5e574087aedaa65d932854b7cb065893e1c0fa5db3d5/relations

Under the domains section, we find the same domain: de.mynodejs[.]net, but there are some other old, – commonly known as malicious – domains, related to this type of infection, for example, jspixel[.]com. It was the time to start suggesting that the infection has originated from a longtime maintained commercial malware, having the same infrastructure with modest changes. (Note that the same jspixel[.]com domain will show up later in the analysis of the browser extension.)

The executable file is packed with Themida, which is a legit software intended to protect digital products, but this time used by malware developer with the intention of bypassing the security controls. After unpacking the protected content, we had five .dll files and one executable file:

Here we see that the packing happened on 16/06/2022, which is the probable date of the campaign that infected this machine.

The unpacked artifacts show us, that the original files were compiled two years earlier, on 30/04/2018, enforcing our hypotheses that the malware is an old but maintained one, adapted to newer attack campaigns.

The unpacked files are related to cpython, which is the reference implementation of python language, so we can conclude that this part of the malware was developed in python programming language. The dll files’ export functionalities are:

• Crypto
• Socket
• Bzip compression
• Xml parsing

We ran a deep analysis in MDE concerning the “npm-gyp” module, we received a nice and detailed report, from which here we highlight the important facts:

In the installation folder of Node.js, we have found everything intact, but it contains a “npm-gyp” module which is destined for compiling native addon modules for Node.js – which means that the attackers can build any malware implant right in the target machine using python language.

• During the execution, it drops 28 files, from which the most important ones are a BAT file, that will delete the exe itself after execution, Group Policy configuration files and malicious browser extensions (Chrome, Edge, Firefox).
• It drops a .dll in the Application folder of the browser to hijack a legitim .dll and manage a thread injection (in the case of Chrome it is version.dll, and in case of Edge it is cryptbase.dll).
• It will setup the persistence by registering the scheduled task if persistence had not been established before.
• It will force the browser extension to be installed.

At this stage, we summarized our findings, made our conclusions, and reported it to the customer SecOps team before going further:

• The vulnerable Node.js (version node-v6.10.3-x86) was installed by a malicious activity, but it is not downloaded by the user (due to the lack of older logs, we cannot identify the proper source of the malware, i.e., the initial access).
• An exe file is downloaded by the JavaScript task, with a random-generated name of c:\windows\temp\f78bc655-f740-83d5-ab50-da3f06f879d5\121b973a-aa5f-3296-2d1c-e1ba86f899db.exe.
• The scheduled task name is changing every time, always getting some meaningful name. For example, in our lab machine, it was called as “SmartlockerFilterand” and not “GPU User Trend”.
• The exe file is a packed and obfuscated one. In the unpacked state, it contains one exe and five dll files, which are custom-built cpython implementations – having the same compile dates (30/04/2018) and the same timestamp of packing (16/06/2022). These facts suggest that the campaign was conducted probably during the summer of last year, therefore, the machine can be infected since then.
• The malware installs a module to Node.js, “npm-gyp”, which is a legit cross-platform command-line tool written in Node.js for compiling native addon modules for Node.js. Applying this module, the attacker can build any malware implant right in the target machine.
• The exe calls sc.exe and disables the updates of any browser on the machine.
• In the next stage, it installs a browser extension (for Chrome, Edge, or Firefox), change Group Policy to Force the extension install.
• If everything is successful, the extension can steal any data, saved credentials, from the browser. – Therefore, any affected user is required to change his or her login credentials everywhere.
• We found that the extension communicates with a new site: de.withtls[.]net.
• We ran a deep analysis on the activity of the exe.

Stay tuned for the second part of this article, in which we’ll analyze the malware’s internals in detail.