Cybersecurity researchers have revealed details of an active malware campaign called “. stearit It leverages the Single Executable Application (SEA) feature of Node.js as a way to distribute payloads.
According to Fortinet FortiGuard Labs, some iterations also employ the open-source Electron framework for malware delivery. The malware is assessed to be propagating through fake installers for games and VPN applications uploaded to file-sharing sites such as Mediafire and Discord.
SEA is a feature that allows you to package and distribute Node.js applications as standalone executables, even on systems that do not have Node.js installed.
“Both approaches are effective for distributing Node.js-based malware because they can run without requiring a pre-installed Node.js runtime or additional dependencies,” security researchers Eduardo Altares and Joie Salvio said in a report shared with The Hacker News.
On its dedicated website, the attackers behind Stealit claim to offer “professional data extraction solutions” through several subscription plans. This includes remote access Trojans (RATs) that support file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Windows operating systems.
Windows Stealer prices range from $29.99 for a weekly subscription to $499.99 for a perpetual license. Meanwhile, Android RAT prices range from $99.99 to $1,999.99.
Note that the fake executable contains an installer designed to retrieve and install the main components of the malware obtained from command and control (C2), but before doing so it performs a number of anti-analysis checks to ensure that it is running within a virtual or sandboxed environment.
An important part of this step involves writing a Base64-encoded authentication key (a 12-character alphanumeric key) to the %temp%cache.json file. This key is used to authenticate with the C2 server and to log into the dashboard for subscribers to monitor and control their victims.
The malware is also designed to configure exclusions in Microsoft Defender Antivirus so that folders containing downloaded components are not flagged. The functions of the three executables are:
- save data.exethe malware will only be downloaded and executed if it is running with elevated privileges. It is designed to extract information from Chromium-based browsers by dropping a tool named “cache.exe” that is part of the open source project ChromElevator.
- stats_db.exeis designed to extract information from messengers (Telegram, WhatsApp), cryptocurrency wallets and wallet browser extensions (Atomic and Exodus), and gaming-related apps (Steam, Minecraft, GrowTopia, and Epic Games Launcher).
- game cache.exeIt is designed to set persistence on the host by writing a Visual Basic script and communicating with the C2 server to wake up the host on system reboot, stream the victim’s screen in real time, execute arbitrary commands, download/upload files, and change the desktop wallpaper.
“This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still in active development, to easily distribute malicious scripts to systems that do not have Node.js installed,” Fortinet said. “The attackers behind this may be looking to exploit the novelty of this feature and rely on the element of surprise, catching security applications and malware analysts off guard.”
