CVE-2014-6332 was leveraged to make use of node.js, a runtime environment for developing server-side applications. NSS’ Cyber Advanced Warning System provides the following details:
Type: PE32 executable (GUI) Intel 80386, for MS Windows
Size: 152064 bytes
Install1.exe appears to be a Win32 Cabinet Self-Extractor
cmd /c run_node.bat
File names discovered
Accessing the url, hxxp://tiptopcom[dot]tv/blog/track1[dot]html, leads to the download of install1.exe. In order for the executable to run properly, it must be run from a folder named ‘Processes’.
FIG 1: After running install1.exe, two GET requests are made to speed555.com
We can then say that install1.exe is a downloader and downloads the files nodejs.exe and nssm.exe.
Checking the hashes with VirusTotal helps indicate that nodejs.exe and nssm.exe are authentic. With nodejs.exe being the windows binary for Node.js and nssm.exe being the windows binary for the Non-Sucking Service Manager.
FIG 2: Process Explorer shows that NSSM is being used to install Node.js onto the system
FIG 3: The process properties give us the location where nssm.exe is located
FIG 4: The node_daemon service properties show signs of persistence
FIG 5: Examples of network connections made after the executable was run
Contained in the C:\Users\\AppData\Roaming\nodejs directory shown by the nssm.exe process details are files index.js, nodejs.exe, run.bat, run.vbs and many more.
install1.exe: b2d948120c1879d869ee9f311f76a248 (Md5)
run.vbs: 69f3fd923530185af290342184bc382f (Md5)
index.js: 1d0fa6548ffca2fc62680cadb7cf014d (Md5)
run.bat: df840c7b4d81c4af14e2e84abf73f56a (Md5)