Stealit Malware Exploits Node.js SEA To Spread Payloads
A new Stealit malware campaign has been discovered by researchers, leveraging a Node.js feature to distribute payloads. The malware poses as game and VPN installers on various online platforms to lure victims. To stay safe from this threat, users should download software installers only from official websites.
In a recent report by Fortinet researchers, details about the Stealit malware campaign exploiting the Single Executable Application (SEA) feature in Node.js have been shared. Initially, Stealit malware campaigns used the Electron framework, but the latest campaign utilizes the SEA feature to imitate installers. While Electron packages Node.js scripts as NSIS installers, SEA bundles scripts into binaries natively.
The malware campaign employs a multi-layered approach, with the primary script executing only at the final stage. The researchers observed heavy obfuscation in the initial layers, followed by the in-memory execution of a component downloaded earlier.
Attackers distributing the malware have been using platforms like Mediafire and Discord, disguising the malware as VPN and game installers to deceive users. The threat actors’ website has shifted to a new domain, promoting the Stealit malware as a data extraction tool with functionalities like file extraction, webcam control, live screen monitoring, and ransomware deployment on mobile and desktop systems.
Given the active nature of this malware campaign, Fortinet recommends that users exercise caution and that organizations provide awareness training to help end users identify and avoid such threats.
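As an added example (not from the Fortinet report or this article), the following Python triage heuristic flags executables built with the Node.js SEA feature described above by checking the runtime's sentinel fuse, which the SEA tooling flips when it injects a script blob. All class and function names are ours, and the sample byte strings are constructed stand-ins, not real installers.

```python
import re
from dataclasses import dataclass
from pathlib import Path

# Node.js compiles the sentinel "NODE_SEA_FUSE_<32 hex>:0" into every node
# binary; the SEA tooling (postject) flips the trailing 0 to 1 when it injects
# the script blob, so a ":1" fuse marks an executable that runs embedded code.
FUSE_RE = re.compile(rb"NODE_SEA_FUSE_[0-9a-f]{32}:([01])")
# Name of the injected blob, searched as ASCII (ELF/Mach-O section names) and
# UTF-16LE (PE resource directory names).
BLOB_MARKERS = (b"NODE_SEA_BLOB", "NODE_SEA_BLOB".encode("utf-16-le"))


@dataclass(frozen=True)
class SeaVerdict:
    node_runtime: bool   # fuse string present -> built from a Node.js binary
    fuse_enabled: bool   # fuse reads ":1" -> a SEA blob has been injected
    blob_marker: bool    # NODE_SEA_BLOB name present (weak evidence alone)

    @property
    def is_sea(self) -> bool:
        # The flipped fuse is the discriminator: a stock node binary also holds
        # the literal "NODE_SEA_BLOB", since that is the resource it looks up.
        return self.node_runtime and self.fuse_enabled


def inspect_bytes(data: bytes) -> SeaVerdict:
    """Classify an executable image held in memory."""
    m = FUSE_RE.search(data)
    return SeaVerdict(
        node_runtime=m is not None,
        fuse_enabled=m is not None and m.group(1) == b"1",
        blob_marker=any(marker in data for marker in BLOB_MARKERS),
    )


def inspect_file(path: str) -> SeaVerdict:
    """Classify an executable on disk; a whole-file read is fine for triage."""
    return inspect_bytes(Path(path).read_bytes())


# Constructed stand-ins (hypothetical, not real executables): only the byte
# patterns the heuristic keys on, wrapped in a PE-style "MZ" header.
_FUSE = b"NODE_SEA_FUSE_" + b"0" * 32
STOCK_NODE = b"MZ\x90\x00" + _FUSE + b":0" + b"NODE_SEA_BLOB"
SEA_INSTALLER = b"MZ\x90\x00" + _FUSE + b":1" + "NODE_SEA_BLOB".encode("utf-16-le")
NOT_NODE = b"MZ\x90\x00" + b"an installer with no Node.js runtime inside"

if __name__ == "__main__":
    for name, image in (("stock node", STOCK_NODE), ("sea build", SEA_INSTALLER), ("other", NOT_NODE)):
        print(f"{name}: {inspect_bytes(image)}")
```

A ":1" fuse only says the file embeds a Node.js script; legitimate SEA applications exist, so treat a hit as a reason to inspect an "installer" further, not as a malware verdict.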