First Node.js-Based Ransomware: Nodera

Category: IT technology · Published: 4 years ago


Estimated reading time: 5 minutes

Recently, while threat hunting, Quick Heal Security Labs came across an unusual ransomware, Nodera, built on the Node.js framework. Node.js is rarely seen across malware families. This latest development by threat actors reveals a nasty and one-of-its-kind ransomware: one that uses the Node.js runtime to execute its JavaScript payload on Windows systems.

Node.js is an open-source, cross-platform JavaScript run-time environment that executes JavaScript code outside of a browser. It is built on the V8 JavaScript engine. V8 is Google’s open-source high-performance JavaScript and WebAssembly engine, written in C++. It is used in Chrome and in Node.js, among others. It implements ECMAScript and WebAssembly, and runs on Windows 7 or later, macOS 10.12+, and Linux systems that use x64, IA-32, ARM, or MIPS processors. V8 can run standalone, or can be embedded into any C++ application.

Interestingly, users can get infected with Nodera while browsing online, either by clicking on a malicious HTA file or through a malvertisement that serves the dropper.

Analysis Details:

The sample received in our lab was a VBS script with multiple embedded JS scripts. On execution, it creates a directory “GFp0JAk” under “%userprofile%\AppData\Local\”.

It also creates a sub-directory “node_modules” for the Node.js libraries that the JS payload needs. Executing those scripts requires node.exe, which is downloaded from the URL below.

https://nodejs.org/download/release/latest-v8.x/win-x86/node.exe

Downloaded node.exe is stored as GFp0JAk.exe at “%userprofile%\AppData\Local\GFp0JAk”.

It further creates three Run entries (registry values, not sub-keys) named “Microsoft Office”, “Startup” and “Windows” under “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\” to persist on the system.

Fig 1 : Registry Entry

It then drops some required libraries such as fs.js, graceful-fs.js, legacy-streams.js, package.json, polyfills.js at “%userprofile%\AppData\Local\GFp0JAk\node_modules\” and also the malicious JS “lLT8PCI.js” at “%userprofile%\AppData\Local\GFp0JAk\” .

Once all required modules are in place, it checks for “%userprofile%\AppData\Local\GFp0JAk\GFp0JAk.exe”. If the binary is present, it launches the script by invoking

oShell.Run(strExe & " " & outWorkingDir & "\" & strEntPoint, 0, true)

where strExe = "%userprofile%\AppData\Local\GFp0JAk\GFp0JAk.exe"

outWorkingDir = "%userprofile%\AppData\Local\GFp0JAk\"

strEntPoint = "%userprofile%\AppData\Local\GFp0JAk\lLT8PCI.js"

The second argument (window style 0) hides the console window of the renamed node.exe, and the third (true) makes the VBS dropper wait for it to exit.

The actual payload is the “lLT8PCI.js” script, which performs all of the ransomware activity.

In this script, every user-defined function is declared async and drives its file-system calls with await on Promises. These are standard JavaScript language features rather than something specific to Node.js: an async function always returns a Promise, and await suspends the function until the awaited Promise settles, so asynchronous file reads and writes can be written in a sequential, synchronous-looking style. The returned Promise is what a caller inspects to learn whether the work completed or failed.

Fig 2 : Initialization of variables and Public key

The JS script starts by initialising variables such as “bitcoinAddress” and the ransom amount. It also embeds a 4096-bit RSA public key in PEM format, as shown in Fig 2.

Fig 3 : Functions used in script

Initially, it checks whether it has administrator rights by trying to create a file in “%WinDir%” with a name of the form {randomname_of_len_4}.{randomname_of_len_2}; writing there normally succeeds only from an elevated process. The “generateKey” function produces the random file name and extension.

Fig 4 : Generate file name and extension

Next it invokes the scan function, which enumerates all drives present on the system and builds a list of them. Only the “C:” drive has exclusions applied: there it considers only directories that contain user-specific files.

Fig 5 : Targeted Directories

It generates a file named “{randomname_of_len_6}.key” that stores the AES-256 key encrypted with the embedded RSA public key. The AES key itself is produced by the same “generateKey” random-string function used for file names. Only the holder of the matching RSA private key can unwrap this file, so it is the artifact to preserve from an infected host.

Fig 6 : All Modules

Before encrypting files, it kills the processes shown in the figure below and deletes the volume shadow copies, removing the easiest local recovery path.

Fig 7 : Process Killing

After encrypting a file, it appends the extension “.encrypted”.

Then it drops two files:

“%userprofile%\AppData\Local\GFp0JAk\How-to-buy-bitcoins.html”

“%userprofile%\Desktop\Decrypt-your-files.bat”

Fig 8 : Ransom Note – How-to-buy-bitcoins.html

The HTML file is the ransom note; the batch file contains a command that runs the same JS script with the argument “decryptStatic”, which invokes the decryption routine.

Fig 9 : Encrypted Files

This ransomware appears to still be in development and has the following flaws:

  1. The ransom note mentions a 2048-bit RSA public key, although the key embedded in the script is 4096 bits.
  2. The destruction time of the private key is hard-coded as “March 1 2018”.
  3. The ransom note gives no communication channel through which the private key could be obtained, so even a paying victim has no route to decryption.

Although it appears to have been written by an amateur developer, it is an interesting piece of work, and the probability of it becoming popular in future is quite high.

How Quick Heal protects its users from such attacks:

Quick Heal products are built with the following multi-layered security that helps counter such attacks.

  1. Anti-Ransomware

Specially designed to counter ransomware attacks. This feature detects ransomware by tracking its execution sequence.

  2. Firewall

Blocks malicious attempts to breach network connections.

  3. IDS/IPS

Detects RDP brute force attempts and blocks the remote attacker IP for a defined period.

  4. Virus Protection

Online virus protection service detects the known variants of the ransomware.

  5. Behavior-based Detection System

Tracks the activity of executable files and blocks malicious files.

  6. Back Up and Restore

Helps you take regular backups of your data and restore it whenever needed.

IoC (SHA-256):

7265C1FB74EB9EA3CD98358475620CE54B9033421BA042957135BDEFD078B366

53A95C9126BE8262AFB0821DA4D7137E6C8A4D9B363F91298249CA134D394BF4

Detection names:

VBS.NoderaRansom.36592

JS.NoderaRansom.36593

Subject Matter Experts:

Ravi Gidwani, Goutam Tripathy

Security Labs, Quick Heal Technologies, Ltd.

