🦠 Malware Analysis
===================
🦠 Malware Analysis
Executive summary: Fake utility installers (including speedtest,
manual-reader/finder, PDF tools, and some AI frontends) have been
observed to bundle a portable Node runtime, extract an obfuscated
JavaScript payload, and install a Scheduled Task to execute that JS on
a recurring cycle. The JS speaks to a C2 (observed domain:
cloud.appusagestats[.]com), exfiltrates system identifiers and can
execute arbitrary commands returned by the server.
Technical details:
• The installers are packed with an Inno-Packer and drop a portable
Node runtime folder alongside the visible application executable.
• Persistence is implemented via a Scheduled Task (task.xml) that
executes the dropped node.exe with an obfuscated *.js script on an
approximate 12-hour cadence.
• The JavaScript is heavily obfuscated but decodes into JSON-formatted
POST payloads (e.g., a version string like "0.2.1" and a
JSON.stringify body). The script queries
HKLM\Software\Microsoft\Cryptography for MachineGuid via reg.exe to
uniquely identify hosts.
• The C2 interaction includes encoded/obfuscated POSTs and server
responses that can include commands such as powershell -NoPr... for
remote execution.
Impact and attack mechanics:
• The visible app functions normally, reducing suspicion while the
background agent provides persistent C2 connectivity and remote
execution capabilities.
• This separation increases attack surface: defenders may see only a
benign UI app while a persistent Node-based agent operates
independently.
Detection guidance:
• Search for Scheduled Tasks invoking node.exe outside known
development contexts.
• Detect unexpected portable Node runtimes co-located with third-party
installers.
• Monitor outbound POSTs to uncommon domains like
cloud.appusagestats[.]com and inspect request bodies for JSON
structures and Base64-encoded payloads.
• Track registry queries for
HKLM\Software\Microsoft\Cryptography\MachineGuid from non-standard
processes.
Mitigations:
• Block or alert on execution of portable runtimes from user-writable
directories.
• Restrict scheduled task creation to privileged installers; monitor
changes to task scheduler.
• Enforce egress filtering to limit access to suspicious domains and
use TLS inspection where policies allow.
References & notes:
• Observed artifacts: Inno-Packer installer, portable Node folder,
obfuscated *.js, task.xml, C2 domain cloud.appusagestats[.]com.
🔹 nodejs #powershell #scheduledtask #obfuscation #persistence
🔗 Source: https://security5magics.blogspot.com/2025/09/fake-online-speedtest-application.html
