- #Trend micro chrome extension install
- #Trend micro chrome extension archive
- #Trend micro chrome extension series
How the native NodeJS extension leads to remote access tool
#Trend micro chrome extension archive
Contents of the NodeJS archive (top) code snapshot showing firewall rules being added (center) and a native NodeJS extension being loaded (bottom) The lnk_service.vbs (shown in Figure 4) is then started, which will run service.js - a file with only one line of code responsible for loading a native NodeJS module named app via node-bindings, an open-source helper module.įigure 4.
It indicates the timestamp value of the time it was installed this is later used in the attack chain as a unique victim identifier.
#Trend micro chrome extension install
install_do.js will also install a browser extension to the system’s browser extension directory and creates a timestamp.dat file. It establishes persistence by adding shortcut (LNK) files in the Startup folder. If the process has elevated privileges, it will add new firewall rules to enable traffic between the remote access tool it will install. It then calls the file install.vbs, which in turn calls install_do.js. The macro will first execute node.exe install.js, which executes an installation script that checks if the user has administrator rights and the groups to which the user belongs. The NodeJS ZIP archive contains several files. Macro code of one of the malicious documents Screenshots of the malware-embedded documents, posing as an invoice (top) and another with a missive urging would-be victims to “enable editing” (bottom)įigure 3. We saw two archives with two kinds of payloads: one based on NodeJS, and another based on Java.įigure 2. They all have the same function - dropping and executing a JavaScript file, which downloads a ZIP archive, unpacks it, and executes its contents. The documents are embedded with malicious macro, some of which are obfuscated. Some of the names also suggest the social engineering the documents use: TEST1234.docm, Employment Application(2).dotm, tewst123.dotm, test2.docm, 123.doc, test1111.docm, t1.docm, INVOICE.docm, Invoice_Example.dotm, Doc1.docm, Fake Resume.doc, among others.
The way the malware is named, for instance, indicates it is still under development.
When correlating the variety of malicious documents embedded with DLOADR, we observed certain peculiarities in how it is delivered. Nevertheless, the techniques it employs still make it a credible threat - such as the abuse of legitimate application programming interfaces (APIs) and open-source tools such as Chrome WebDriver and Microsoft WebDriver. This was observed in spam campaigns carrying the TeamSpy malware that abuses TeamViewer to take over affected systems remotely.
More importantly, it also delivers a malicious extension that could serve as a backdoor, stealing information keyed in on browsers.Ībusing legitimate remote access tools (and stealing its configurations) is not new. It delivers a version of the VisIT remote administration tool, which is used to hijack the infected system. The downloader malware's payloads (TROJ_SPYSIVIT.A and JAVA_ SPYSIVIT.A) are what make it notable. Trend Micro detects this malware as JS_DLOADR and W2KM_DLOADR. It appears they are working on a new malware that - based on how they were coded - is most likely intended to spread through spam emails embedded with malicious attachments.
#Trend micro chrome extension series
We noticed a series of testing submissions in VirusTotal that apparently came from the same group of malware developers in Moldova, at least based on the filenames and the submissions' source.
0 kommentar(er)
