Cybersecurity researchers have disclosed details of an active malware campaign called Stealit that has leveraged Node.js' Single Executable Application (SEA) feature as a way to distribute its payloads.
According to Fortinet FortiGuard Labs, select iterations have also employed the open-source Electron framework to deliver the malware. It's assessed that the malware is being propagated through counterfeit installers for games and VPN applications that are uploaded to file-sharing sites such as Mediafire and Discord.
SEA is a feature that allows Node.js applications to be packaged and distributed as a standalone executable, even on systems without Node.js installed.
"Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies," security researchers Eduardo Altares and Joie Salvio said in a report shared with The Hacker News.
On a dedicated website, the threat actors behind Stealit claim to offer "professional data extraction solutions" via several subscription plans. This includes a remote access trojan (RAT) that supports file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Windows operating systems.
Prices for the Windows Stealer range from $29.99 for a weekly subscription to $499.99 for a lifetime license. The Android RAT pricing, on the other hand, goes from $99.99 all the way to $1,999.99.
The fake executables contain an installer that's designed to retrieve the main components of the malware retrieved from a command-and-control (C2) and install them, but note that before performing a number of anti-analysis checks to ensure it's running inside a virtual or sandboxed environment.
A crucial aspect of this step involves writing a Base64-encoded authentication key, a 12-character alphanumeric key, to the %temp%\cache.json file. This key is used to authenticate with the C2 server, as well as by subscribers to log in to the dashboard in order to likely monitor and control their victims.
The malware is also engineered to configure Microsoft Defender Antivirus exclusions so that the folder that contains the downloaded components is not flagged. The functions of the three executables are as follows -
- save_data.exe, which is only downloaded and executed if the malware is running with elevated privileges. It's designed to drop a tool named "cache.exe" – which is part of open-source project ChromElevator – to extract information from Chromium-based browsers.
- stats_db.exe, which is designed to extract information from messengers (Telegram, WhatsApp), cryptocurrency wallets and wallet browser extensions (Atomic and Exodus), and game-related apps (Steam, Minecraft, GrowTopia, and Epic Games Launcher).
- game_cache.exe, which is designed to set up persistence on the host by launching its upon system reboot by creating a Visual Basic script and communicating with the C2 server to stream a victim's screen in real-time, execute arbitrary commands, download/upload files, and change desktop wallpaper.
"This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed," Fortinet said. "Threat actors behind this may be exploiting the feature's novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard."
