Hackers use JavaScript frameworks since they offer a wide range of functionalities and tools that could be used to bypass detection, hide code, and carry out harmful acts.
In addition, they take advantage of the people’s trust in such popular frameworks by developers as well as companies, making it simpler for them to evade security controls.
Moreover, JavaScript, on its part, is cross-platform and open to multiplatform attacks.
Cybersecurity researchers at ReliaQuest identified that hackers employ JavaScript frameworks to trick users into copying, pasting, and executing commands.
With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis
Hackers Employ JavaScript Framework
In May 2024, ReliaQuest discovered another campaign by the ClearFake JavaScript framework that requires users to manually copy and execute harmful PowerShell code as opposed to the drive-by downloads, where it is just clicked.
This method intends to avoid security tools while the commands are run directly by a user, leading to multi-stage malware infection and installation of LummaC2 infostealer.
Although less likely to fool users successfully, it could bypass detections and controls if done right.
PowerShell restrictions must be reviewed in organizations, users should be educated, and mitigations must be implemented against this newly emerging threat.
The JavaScript framework ClearFake extensively uses drive-by downloads and social engineering strategies. It commonly displays fake “browser update” messages that entice users into downloading infected files.
In a recent campaign, it broke into real websites to show fake browser errors, asking the user to run obscure PowerShell commands that would install a “root certificate.”
It evades detection by initiating the Explorer.exe without any parent process or command line.
When executed manually, the base64 encoded PowerShell code finally drops LummaC2 malware onto compromised machines.
Once the PowerShell execution has been obscured, the attacker domain makes a user agent check, and then another PowerShell script is downloaded.
In this manner, it checks CPU temperature for sandbox avoidance, and if it is null, it stops running the script. Otherwise, it will download a ZIP file containing an original MediaInfo.exe and a malware DLL.
Consequently, when MediaInfo.exe runs, it loads the LummaC2 malware payload through DLL sideloading.
Recommendations
Here below we have mentioned all the recommendations:-
Deploy application control to restrict unauthorized PowerShell execution.
Enhance user awareness on threats of executing untrusted code.
Regularly patch websites and tools to prevent code injection vulnerabilities.
Block access to suspicious newly registered domains like .xyz TLDs.
Implement restrictive WDAC policies to constrain malicious PowerShell functions.
Integrate endpoint security with AMSI for script command analysis.
Enforce restrictive PowerShell execution policies.
IOCs
Hashes
a467302da10ace0bf96963bcd6bdcd6a4e619e28cd477612988276dfee9f429e
4d417cff26e83e096f6c161a10d6a72774b8bbc8948bf5b6d3156e6f17adac5f
4a058f08157863034a6df89cddc13e81a561eb9ca0e955f4fe38f4ba7b4fa9f7
44a45c396516a3f2705eaf9751a06d346fcae1864f5521356349ce85e78fd386
Attacker-Controlled Domains
baqebei1[.]online
cdnforfiles[.]xyz
d1x9q8w2e4[.]xyz
Attacker-Controlled IP Addresses
104[.]21[.]29[.]92
172[.]67[.]148[.]183
188[.]114[.]97[.]7
Infected Websites
lambhuaexpress[.]in
soundmine[.]me
helena[.]pe
rijas[.]com
navigatingthisspace[.]com
sportrealeyes[.]it
areadeturismo[.]tur[.]ar
th3sport24[.]com
manchac[.]com
tonitto[.]com
aedjakodu24[.]ee
Looking for Full Data Breach Protection? Try Cynet’s All-in-One Cybersecurity Platform for MSPs: Try Free Demo
The post Hackers Employ JavaScript Framework To Trick Users Copy, Paste And Command Execution appeared first on Cyber Security News.
