Yet Another NodeJS Backdoor (YaNB): A Modern Challenge
NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :
A resurgence of malicious campaigns that abuse fake CAPTCHA verification pages has been observed: visitors are tricked into executing a NodeJS-based backdoor, which is then used to deploy a more capable Remote Access Trojan. The attack begins with a malicious NodeJS script that connects to attacker-controlled infrastructure and remains passive until it receives commands. An advanced variant of the NodeJS RAT was also uncovered; it can tunnel malicious traffic through SOCKS5 proxies and protects its communications with XOR-based encryption (which, as with any simple XOR scheme, provides obfuscation rather than real confidentiality, so an analyst holding a capture can usually recover the key). The campaign, tracked as KongTuke, uses compromised websites as its initial access points. The malware employs anti-VM checks, collects system information, and establishes persistence, and it supports command execution, payload dropping, and covert communication. Taken together, the RAT's functionality covers detailed system reconnaissance, remote command execution, and network traffic tunneling.
OPENCTI LABELS :
backdoor,rat,persistence,captcha,kongtuke,anti-vm,xor encryption,system reconnaissance,nodejs,socks5 proxy,nodejs rat