NodeJS backdoors delivering proxyware and monetization schemes

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

This report details a campaign involving NodeJS backdoors used to distribute proxyware and monetization schemes. The attackers employ Inno Setup installers to drop PowerShell scripts that download and execute NodeJS packages with malicious JavaScript. The backdoors collect system information, communicate with command and control servers, and can execute various commands, including PowerShell scripts and additional Node.js code. The campaign is associated with multiple proxyware applications such as Infatica, Honeygain, earnFM, and PacketLab. The attackers also use browser extensions to track user navigation and potentially redirect victims to malicious URLs. The infrastructure involves numerous domains and cloud services for hosting malware and command and control.

OPENCTI LABELS :

backdoor,powershell,proxyware,browser extension,nodejs,honeygain,infatica,packetlab,monetization


AI COMMENTARY :

1. In recent threat intelligence reporting, researchers have uncovered a sophisticated campaign centered on NodeJS backdoors delivering proxyware and monetization schemes. These backdoors are packaged within Inno Setup installers that look innocuous at first glance. Once deployed on a target machine, the installer drops malicious PowerShell scripts that serve as the initial foothold for subsequent payload delivery and execution.

2. The attack chain begins when the PowerShell scripts establish contact with remote servers to download and execute NodeJS packages containing obfuscated JavaScript code. This layered approach allows attackers to leverage the cross-platform capabilities of NodeJS while maintaining a low profile. The malicious packages rely on NodeJS modules and libraries to perform advanced functions without raising immediate suspicion from endpoint defenses.

3. After installation, the NodeJS backdoors collect extensive system information, including operating system version, hardware identifiers, and installed software. The gathered data is transmitted back to command and control (C2) servers via encrypted channels. In response, the C2 infrastructure issues commands that enable the backdoor to run additional PowerShell scripts, fetch new NodeJS modules, or even inject arbitrary JavaScript code to expand its functionality or pivot to other network segments.

4. A distinguishing feature of this campaign is its integration with multiple proxyware applications such as Infatica, Honeygain, earnFM, and PacketLab. By abusing legitimate proxyware services, attackers mask malicious traffic as benign data transfers. The backdoor orchestrates these proxy connections to route traffic through compromised hosts, thereby monetizing each infected endpoint. Revenue streams are generated every time a proxyware client relays web requests, effectively turning victims into unwitting participants in a pay-per-usage scheme.

5. Beyond proxyware, the adversaries deploy malicious browser extensions that monitor user navigation and inject redirects to monetized or phishing sites. These extensions can silently capture browsing habits, intercept form submissions, and even harvest session tokens. When users browse to high-value domains, the extensions may redirect them to exploit kits or landing pages designed to harvest credentials or deliver additional payloads.

6. The infrastructure supporting this operation spans a multitude of domains and cloud services. Attackers register short-lived domains to host payloads and C2 endpoints, frequently rotating them to avoid detection. Cloud storage and content delivery networks are abused to distribute malware dynamically, while resilient domain generation algorithms ensure continuity of operations even when specific domains are taken down by security teams.

7. To defend against such a multifaceted threat, organizations should implement strict monitoring of installer packages, enforce application whitelisting, and scrutinize unusual NodeJS processes and PowerShell executions. Network traffic analysis can reveal anomalous connections to known proxyware services or obscure domains. Regular audits of browser extensions and user privileges, combined with up-to-date endpoint detection and response solutions, will help detect and mitigate these backdoors before they can harvest sensitive data or generate illicit revenue.

