NodeLoader Exposed: The Node.js Malware Evading Detection

    Date: 12/16/2024

    Severity: High 

    Summary

    A malware campaign has been identified that uses Node.js applications on Windows to deliver cryptocurrency miners and information stealers. Dubbed NodeLoader, this malware family uses Node.js-compiled executables to distribute second-stage payloads, including XMRig, Lumma, and Phemedrone Stealer. While Node.js is widely used for developing web-based services such as chat applications and online gaming platforms, it is less commonly employed for building native client-side applications for desktop systems. Consequently, antivirus solutions have limited signatures for Node.js-based malware. In this blog, we examine NodeLoader in detail and highlight the innovative techniques used by the threat actors.

    Indicators of Compromise (IOC) List

    Domains / URLs:

    korepi.xyz
    https://chillers.com.ar/temp/lotrik.exe
    condedqpwqm.shop
    locatedblsoqp.shop
    stagedchheiqwo.shop
    stamppreewntnq.shop
    millyscroqwp.shop
    caffegclasiqwp.shop
    traineiwnqo.shop

    IP Address:

    195.10.205.253

    Hash (MD5):

    fd4265d9049571e4610944ada00f3077
    95013bd1659067c4f11213dcd1de1023
    d93a5a607d72c7efc51640c9ec789ea6
    bbeacc49e863e9ec1576ba0128f26579
    c99b721ae647bd058d0269d9ecb07421
    1555940d0adeb059c695ab317a2c641c
    dedc2d7f699be025c3282a0f385fd4d5
    bfc83f0def461d7113922a1444b957bb
    1a6e1620405531211d4c26fc9f29673e
    f35825c9bb3ed6e46da5b61363863036
    c0be666ffbd3edc3b5bcd9aa6f6a461a
    36f9b70a18f331239b6e7ea394837b60
    20817afa0a3e77f1b6ccfe6a4488c61c
    4cc366dff42687e475c6718f6437f754
    b748b605cf8d9e3103701202143aa092
    6424419ac4c6f0a24c95233e527c1e8a
    c3fc67d2f8a7f517b1a834f923136865

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains / URLs:

    userdomainname like "stagedchheiqwo.shop" or url like "stagedchheiqwo.shop"
    or userdomainname like "traineiwnqo.shop" or url like "traineiwnqo.shop"
    or userdomainname like "korepi.xyz" or url like "korepi.xyz"
    or userdomainname like "stamppreewntnq.shop" or url like "stamppreewntnq.shop"
    or userdomainname like "locatedblsoqp.shop" or url like "locatedblsoqp.shop"
    or userdomainname like "millyscroqwp.shop" or url like "millyscroqwp.shop"
    or userdomainname like "chillers.com.ar" or url like "https://chillers.com.ar/temp/lotrik.exe"
    or userdomainname like "condedqpwqm.shop" or url like "condedqpwqm.shop"
    or userdomainname like "caffegclasiqwp.shop" or url like "caffegclasiqwp.shop"

    Note: the lotrik.exe indicator is a full URL, so it is matched against the url field; a domain-name field only ever carries the host, which for that indicator is chillers.com.ar.

    IP Address :

    dstipaddress IN ("195.10.205.253") or ipaddress IN ("195.10.205.253") or publicipaddress IN ("195.10.205.253") or srcipaddress IN ("195.10.205.253")

    Hash :

    md5hash IN ("c3fc67d2f8a7f517b1a834f923136865","36f9b70a18f331239b6e7ea394837b60","d93a5a607d72c7efc51640c9ec789ea6","6424419ac4c6f0a24c95233e527c1e8a","fd4265d9049571e4610944ada00f3077","c0be666ffbd3edc3b5bcd9aa6f6a461a","4cc366dff42687e475c6718f6437f754","95013bd1659067c4f11213dcd1de1023","bbeacc49e863e9ec1576ba0128f26579","c99b721ae647bd058d0269d9ecb07421","1555940d0adeb059c695ab317a2c641c","dedc2d7f699be025c3282a0f385fd4d5","bfc83f0def461d7113922a1444b957bb","1a6e1620405531211d4c26fc9f29673e","f35825c9bb3ed6e46da5b61363863036","20817afa0a3e77f1b6ccfe6a4488c61c","b748b605cf8d9e3103701202143aa092")
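    The three queries above express one idea: normalize each log field, then look it up in the published IOC set. The script below is an added example, not part of the advisory or of the Gurucul TDIR product, showing that matching logic in Python over a handful of constructed log records. It assumes logs have already been parsed into dictionaries keyed by the field names the queries use (userdomainname, url, dstipaddress, srcipaddress, ipaddress, publicipaddress, md5hash); the sample records are invented for illustration, while the indicators are the ones listed on this page.

```python
from urllib.parse import urlsplit

# Indicators exactly as listed in the advisory above.
DOMAIN_IOCS = {
    "korepi.xyz", "condedqpwqm.shop", "locatedblsoqp.shop", "stagedchheiqwo.shop",
    "stamppreewntnq.shop", "millyscroqwp.shop", "caffegclasiqwp.shop", "traineiwnqo.shop",
}
URL_IOCS = {"https://chillers.com.ar/temp/lotrik.exe"}
IP_IOCS = {"195.10.205.253"}
MD5_IOCS = {
    "fd4265d9049571e4610944ada00f3077", "95013bd1659067c4f11213dcd1de1023",
    "d93a5a607d72c7efc51640c9ec789ea6", "bbeacc49e863e9ec1576ba0128f26579",
    "c99b721ae647bd058d0269d9ecb07421", "1555940d0adeb059c695ab317a2c641c",
    "dedc2d7f699be025c3282a0f385fd4d5", "bfc83f0def461d7113922a1444b957bb",
    "1a6e1620405531211d4c26fc9f29673e", "f35825c9bb3ed6e46da5b61363863036",
    "c0be666ffbd3edc3b5bcd9aa6f6a461a", "36f9b70a18f331239b6e7ea394837b60",
    "20817afa0a3e77f1b6ccfe6a4488c61c", "4cc366dff42687e475c6718f6437f754",
    "b748b605cf8d9e3103701202143aa092", "6424419ac4c6f0a24c95233e527c1e8a",
    "c3fc67d2f8a7f517b1a834f923136865",
}


def host_of(value):
    """Lowercase host name of a URL or bare domain, with any trailing dot removed."""
    value = value.strip()
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.split("/")[0].split(":")[0]
    return host.lower().rstrip(".")


# Hosts a domain-name field should match: the listed domains plus the host of the URL IOC.
DOMAIN_HITS = DOMAIN_IOCS | {host_of(u) for u in URL_IOCS}
URL_HITS = {u.strip().lower() for u in URL_IOCS}


def match_record(rec):
    """Return (field, indicator) pairs for every IOC that one parsed log record matches."""
    hits = []
    for field in ("userdomainname", "url"):
        value = rec.get(field)
        if not value:
            continue
        if field == "url" and value.strip().lower() in URL_HITS:
            hits.append((field, value.strip()))
            continue
        host = host_of(value)
        # Compare the host component only (exact or subdomain): a URL whose *path*
        # merely contains an IOC string is not a hit.
        for ioc in sorted(DOMAIN_HITS):
            if host == ioc or host.endswith("." + ioc):
                hits.append((field, ioc))
                break
    for field in ("dstipaddress", "srcipaddress", "ipaddress", "publicipaddress"):
        if rec.get(field) in IP_IOCS:
            hits.append((field, rec[field]))
    digest = (rec.get("md5hash") or "").strip().lower()  # hashes are case-insensitive
    if digest in MD5_IOCS:
        hits.append(("md5hash", digest))
    return hits


# Constructed sample records (hypothetical telemetry, not real logs).
SAMPLE_LOGS = [
    {"userdomainname": "cdn.KOREPI.xyz", "srcipaddress": "10.0.0.5"},
    {"url": "https://chillers.com.ar/temp/lotrik.exe", "dstipaddress": "203.0.113.10"},
    {"userdomainname": "chillers.com.ar"},
    {"dstipaddress": "195.10.205.253", "srcipaddress": "10.0.0.7"},
    {"md5hash": "FD4265D9049571E4610944ADA00F3077"},
    {"url": "https://example.com/korepi.xyz/page", "dstipaddress": "203.0.113.20"},
]


def scan(records):
    """(index, hits) for every record that matched at least one indicator."""
    results = []
    for idx, rec in enumerate(records):
        hits = match_record(rec)
        if hits:
            results.append((idx, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"record {idx}: {hits}")
```

    The last sample record is deliberately a non-match: its path contains "korepi.xyz" but its host is example.com, so host-based comparison avoids the false positive a plain substring search would raise. Matching the URL indicator's host in DNS-style fields is a deliberately broad choice; tighten it to the exact URL if chillers.com.ar is otherwise legitimate in your environment.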

    Reference:

    https://www.zscaler.com/blogs/security-research/nodeloader-exposed-node-js-malware-evading-detection


    Tags

    Malware, NodeLoader, Phemedrone, Lumma Stealer
