Crypto Users Targeted by Node.js Malvertising Campaign
TL;DR
A recent malvertising campaign has been observed using Node.js to deliver info-stealing malware via fake crypto trading sites that impersonate platforms such as Binance and TradingView. The attack deploys malicious scripts that collect system data, evade security tools, and establish persistence.
Microsoft Warns of Node.js Malvertising Campaign Targeting Crypto Users
Microsoft has identified a sophisticated malvertising campaign that leverages Node.js to deliver info-stealing malware. This campaign, observed since October 2024, targets cryptocurrency users by luring them to fake trading sites mimicking popular platforms like Binance and TradingView.
Shift Towards Node.js in Malware Campaigns
Cybercriminals are increasingly adopting Node.js for malware deployment, moving away from traditional scripting languages such as Python and PHP. Node.js, an open-source, cross-platform JavaScript runtime environment, allows attackers to:
- Blend malicious code with legitimate applications
- Bypass security tools
- Maintain persistence within compromised systems
While Node.js-based threats are less common, they represent a growing trend in the evolving landscape of cyber attacks.
Attack Methodology
In the April 2025 attacks, threat actors employ malvertising to direct users to fake websites. These sites offer malicious installers disguised as legitimate software. Once executed, the installer performs several actions:
- Drops a Malicious DLL: The installer deploys a DLL file named “CustomActions.dll” that collects system data via Windows Management Instrumentation (WMI).
- Ensures Persistence: The DLL schedules tasks to maintain persistence.
- Evades Detection: It uses PowerShell commands to exclude certain processes and directories from being scanned by Microsoft Defender for Endpoint.
Decoy and Data Exfiltration
The DLL also launches a decoy by opening an msedge_proxy window displaying a legitimate cryptocurrency trading website. Meanwhile, obfuscated PowerShell scripts fetch additional code from remote URLs, gather detailed system and BIOS information, package it as JSON, and send it to the attacker’s command-and-control (C2) server.
Node.js Execution and Payload Delivery
In another phase of the attack, a PowerShell script downloads an archive from the C2 server. This archive contains the Node.js runtime and a compiled JavaScript file. The Node.js executable runs the script, establishing network connections and likely extracting sensitive browser data.
Inline JavaScript Execution
Researchers have observed another notable technique where inline JavaScript execution via Node.js deploys malicious payloads. In one documented instance, attackers used a ClickFix social engineering tactic to trick users into running a PowerShell command. This command downloads and installs Node.js components, enabling network reconnaissance and disguising command-and-control traffic as legitimate Cloudflare activity.
Mitigation Recommendations
Microsoft has provided a set of recommendations to mitigate threats associated with the misuse of Node.js:
- Monitor for Unusual Activity: Watch for unexpected Node.js processes, especially ones running outside their normal install location, and for unusual network traffic originating from them.
- Update Security Tools: Ensure that all security tools are up-to-date and configured to detect and block malicious scripts.
- Educate Users: Train users to recognize and avoid social engineering tactics and malicious downloads.
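To make the monitoring recommendation concrete, the following added example (not from Microsoft's report or the original article) triages constructed process-creation events for the behaviours described in the attack methodology above: node.exe launched from user-writable paths or by a script host, PowerShell adding Defender exclusions, and scheduled tasks that run node.exe. The event fields, paths and task name are assumptions built for illustration.

```python
"""Triage constructed process-creation events for the Node.js tradecraft
described on this page. Field names follow a Sysmon-like layout (assumption)."""
import re

# Constructed sample events; not real telemetry.
EVENTS = [
    {"image": r"C:\Program Files\nodejs\node.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\nodejs\node.exe" app.js'},
    {"image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\node.exe C:\Users\alice\AppData\Local\Temp\main.jsc"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'powershell -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"'},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"schtasks /create /sc minute /mo 5 /tn Updater /tr C:\Users\alice\AppData\Local\Temp\node.exe"},
]

# Directories a standard user can write to; a legitimate Node.js install normally lives elsewhere.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe")

def triage(event):
    """Return the list of finding tags for one event (empty if nothing suspicious)."""
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    findings = []
    if image.endswith("\\node.exe"):
        if USER_WRITABLE.search(image):
            findings.append("node_from_user_writable_path")
        if parent.endswith(SCRIPT_HOSTS):
            findings.append("node_spawned_by_script_host")
    # Defender exclusions being added from a command line (the evasion step described above).
    if re.search(r"Add-MpPreference\s+.*-Exclusion(Path|Process|Extension)", cmd, re.I):
        findings.append("defender_exclusion_added")
    # Scheduled task whose action is node.exe (the persistence step described above).
    if image.endswith("\\schtasks.exe") and re.search(r"/create\b.*node\.exe", cmd, re.I):
        findings.append("scheduled_task_runs_node")
    return findings

def triage_all(events):
    """Map event index -> findings for every event that produced at least one."""
    out = {}
    for i, e in enumerate(events):
        f = triage(e)
        if f:
            out[i] = f
    return out

if __name__ == "__main__":
    for i, f in triage_all(EVENTS).items():
        print(i, EVENTS[i]["image"], f)
```

The first event (Node.js under Program Files, started by Explorer) produces no finding, which is the baseline the other rules are measured against.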
Source
For more details, visit the full article: Node.js Malvertising Campaign Targets Crypto Users
Conclusion
The evolving use of Node.js in malvertising campaigns highlights the need for enhanced vigilance and updated security measures. As threat actors continue to innovate, staying informed and proactive is crucial for protecting against these emerging threats.