
In this campaign, CVE-2014-6332 was leveraged to deliver a payload built on node.js, a runtime environment for developing server-side applications. NSS’ Cyber Advanced Warning System provides the following details:

Static Analysis

Install1.exe
Type: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: b2d948120c1879d869ee9f311f76a248
Size: 152064 bytes

Install1.exe appears to be a Win32 Cabinet Self-Extractor

Strings

index.js
run_node.bat
run.bat
run.vbs
downloadnode.vbs
cc.txt
cmd /c run_node.bat
Software\Microsoft\Windows\CurrentVersion\RunOnce

File names discovered
IXP%03d.TMP
TMP4351$.TMP
msdownld.tmp

Behavioral Analysis

Accessing the URL hxxp://tiptopcom[dot]tv/blog/track1[dot]html leads to the download of install1.exe. For the executable to run properly, it must be run from a folder named ‘Processes’.

FIG 1: After running install1.exe, two GET requests are made to speed555.com

install1.exe is therefore a downloader: it fetches the files nodejs.exe and nssm.exe.

Checking the hashes with VirusTotal indicates that nodejs.exe and nssm.exe are authentic: nodejs.exe is the Windows binary for Node.js and nssm.exe is the Windows binary for the Non-Sucking Service Manager.

FIG 2: Process Explorer shows that NSSM is being used to install Node.js onto the system

FIG 3: The process properties give us the location where nssm.exe is located

FIG 4: The node_daemon service properties show signs of persistence

FIG 5: Examples of network connections made after the executable was run

The C:\Users\\AppData\Roaming\nodejs directory, shown in the nssm.exe process details, contains the files index.js, nodejs.exe, run.bat, run.vbs and many more.
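The persistence seen above rests on two artifacts the write-up names directly: the RunOnce key string and the "cmd /c run_node.bat" command found in the binary, and the node_daemon service that NSSM registers around nssm.exe under the AppData\Roaming\nodejs directory. The following triage helper, added here as an example and not part of the original post, checks service image paths and RunOnce values for those traces. The service and registry records are constructed sample data, the "victim" user name and the "Updater" entry are assumptions, and only the file names, the directory tail and the command line come from the write-up.

```python
"""Added example: flag NSSM/Node.js persistence traces in service and RunOnce records.
The records below are constructed sample data, not output captured from the host."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Names and the directory tail are taken from the write-up; nothing else is.
SUSPECT_BINARIES = {"nssm.exe", "nodejs.exe", "run_node.bat", "run.bat", "run.vbs"}
SUSPECT_DIR = re.compile(r"\\AppData\\Roaming\\nodejs\\", re.IGNORECASE)
# One quoted token or one bare token of a command line.
_TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')


@dataclass
class ServiceRecord:
    name: str
    image_path: str  # as shown in the service's BinaryPathName / process properties


@dataclass
class RunOnceRecord:
    key: str
    value_name: str
    command: str


def _basename(token: str) -> str:
    """Last path component, lower-cased; tolerates either separator style."""
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_tokens(command: str) -> Set[str]:
    """Basenames of command-line tokens that match the write-up's file names."""
    names = {_basename(quoted or bare) for quoted, bare in _TOKEN_RE.findall(command)}
    return names & SUSPECT_BINARIES


def classify_command(command: str) -> List[str]:
    """Human-readable reasons a command line looks like this persistence mechanism."""
    reasons = []
    hits = suspicious_tokens(command)
    if hits:
        reasons.append("references " + ", ".join(sorted(hits)))
    if SUSPECT_DIR.search(command):
        reasons.append("runs from AppData\\Roaming\\nodejs")
    return reasons


def find_persistence(services: List[ServiceRecord],
                     runonce: List[RunOnceRecord]) -> List[Tuple[str, str, str]]:
    """Return (source, entry name, reason) triples for every suspicious entry."""
    findings = []
    for svc in services:
        for reason in classify_command(svc.image_path):
            findings.append(("service", svc.name, reason))
    for entry in runonce:
        for reason in classify_command(entry.command):
            findings.append(("runonce", entry.value_name, reason))
    return findings


# Constructed sample records. "victim" stands in for the elided user name.
SAMPLE_SERVICES = [
    ServiceRecord("Spooler", r"C:\Windows\System32\spoolsv.exe"),
    ServiceRecord("node_daemon", r'"C:\Users\victim\AppData\Roaming\nodejs\nssm.exe"'),
]
SAMPLE_RUNONCE = [
    RunOnceRecord(r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
                  "node", r"cmd /c run_node.bat"),
    RunOnceRecord(r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
                  "Updater", r'"C:\Program Files\Vendor\update.exe" /silent'),
]

if __name__ == "__main__":
    for finding in find_persistence(SAMPLE_SERVICES, SAMPLE_RUNONCE):
        print(finding)
```

On a live host the two record lists would be filled from the service control manager and the RunOnce keys of every loaded user hive; the matching itself is deliberately string-based so it also works over exported registry text and service listings collected from an offline image.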

Viewing the log files in the nodejs directory shows that the malware sample cannot connect to the callback server at 199.48.227.212, along with other errors. From analyzing the JavaScript files in the same directory, it appears that this piece of malware creates a server on the host and possibly functions as a bot. Further analysis could be conducted to confirm this hypothesis.

AVAILABLE IOCS

install1.exe: b2d948120c1879d869ee9f311f76a248 (MD5)
run.vbs: 69f3fd923530185af290342184bc382f (MD5)
index.js: 1d0fa6548ffca2fc62680cadb7cf014d (MD5)
run.bat: df840c7b4d81c4af14e2e84abf73f56a (MD5)

C:\Users\\AppData\Roaming\nodejs
Speed555.com
199.48.227.212
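To make the indicator list actionable, the script below, added here as an example and not part of the original post, turns the IOCs into a small sweep: it hashes files under a profile directory and compares them against the listed MD5 values, flags anything living under the AppData\Roaming\nodejs tail (the user name is elided in the write-up, so only the tail is matched), and scans proxy-style log lines for speed555.com and 199.48.227.212. The hashes, host name, IP and directory are from the post; the temporary file tree, its contents and the log lines (including the URL paths) are constructed, and because the real samples are not available the constructed index.js is registered under a clearly labelled hash so the hash-matching path is exercised too.

```python
"""Added example (not from the write-up): sweep helpers built from the listed IOCs.
Hashes, host name, IP and directory come from the post; files and log lines are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

FILE_IOCS: Dict[str, str] = {
    "b2d948120c1879d869ee9f311f76a248": "install1.exe",
    "69f3fd923530185af290342184bc382f": "run.vbs",
    "1d0fa6548ffca2fc62680cadb7cf014d": "index.js",
    "df840c7b4d81c4af14e2e84abf73f56a": "run.bat",
}
NETWORK_IOCS = ("speed555.com", "199.48.227.212")
# The write-up elides the user name in C:\Users\<user>\AppData\Roaming\nodejs,
# so only the tail of the path is matched.
PATH_IOC = re.compile(r"\\AppData\\Roaming\\nodejs(\\|$)", re.IGNORECASE)


def md5_of_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_of_file(path: Path) -> str:
    """Stream the file so large binaries do not need to be read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_directory(root, iocs: Dict[str, str] = FILE_IOCS) -> List[Tuple[str, str]]:
    """Walk `root`; report (path, ioc_name) for files whose MD5 is listed and
    (path, "path-ioc") for files that live under the nodejs staging directory."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        win_style = str(p).replace("/", "\\")  # normalise so the regex works on any OS
        name = iocs.get(md5_of_file(p))
        if name:
            hits.append((win_style, name))
        if PATH_IOC.search(win_style):
            hits.append((win_style, "path-ioc"))
    return hits


def match_network(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (indicator, line) for every log line that mentions a network IOC."""
    return [(ioc, line) for line in lines for ioc in NETWORK_IOCS if ioc in line.lower()]


# Constructed proxy-log lines; the URL paths are assumptions.
SAMPLE_LOG = [
    "GET http://speed555.com/nodejs.exe 200",
    "GET http://speed555.com/nssm.exe 200",
    "CONNECT 199.48.227.212:443 timeout",
    "GET http://example.org/index.html 200",
]
SAMPLE_CONTENT = b"// constructed stand-in for the real index.js\n"


def build_sample_tree() -> Path:
    """Create a throw-away tree mimicking the infected profile layout."""
    root = Path(tempfile.mkdtemp(prefix="ioc_sweep_"))
    staging = root / "AppData" / "Roaming" / "nodejs"
    staging.mkdir(parents=True)
    (staging / "index.js").write_bytes(SAMPLE_CONTENT)
    (root / "Documents").mkdir()
    (root / "Documents" / "notes.txt").write_bytes(b"benign\n")
    return root


def demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Run both sweeps over constructed data and return (file_hits, net_hits).
    The constructed index.js is registered under a labelled name because the
    real sample, and hence a file with the listed hash, is not available here."""
    iocs = dict(FILE_IOCS)
    iocs[md5_of_bytes(SAMPLE_CONTENT)] = "constructed-sample"
    return sweep_directory(build_sample_tree(), iocs), match_network(SAMPLE_LOG)


if __name__ == "__main__":
    file_hits, net_hits = demo()
    for hit in file_hits + net_hits:
        print(hit)
```

Pointing sweep_directory at the real user profile root with the unmodified FILE_IOCS is the intended use; the path rule fires on any file in the staging directory, so it catches renamed or recompiled copies that the hash list would miss.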