106. Hunting for Node.js Abuse

Hello everyone! I've already mentioned Node.js yesterday, but I spotted another interesting example I want to share with you.

Microsoft presented a report on how adversaries misuse Node.js to deliver malware. In the described case the threat actors use the Node.js runtime (node.exe) to run a malicious JSC file (a compiled JavaScript file):

node.exe -r .\(unknown).js .\app.jsc

The .jsc extension is unusual in everyday Node.js development, so we can use it for our hunting query:

event_type: "processcreatewin"
AND
proc_file_name: "node.exe"
AND
cmdline: "jsc"
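As an added example (not from the original post or Microsoft's report), here is the same hunt as Python logic run over constructed sample events whose field names mirror the query above. It checks the image basename rather than the full path, requires an argument whose extension is really .jsc (so a file like jsconfig-check.js does not trip a plain "jsc" substring match), and pulls out any module preloaded with -r, the trick seen in the reported command line.

```python
import shlex
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "processcreatewin", "proc_file_name": "node.exe",
     "cmdline": r'node.exe -r .\loader.js .\app.jsc'},            # the pattern we hunt
    {"event_type": "processcreatewin", "proc_file_name": "node.exe",
     "cmdline": r'node.exe .\build\server.js --port 8080'},        # ordinary Node.js use
    {"event_type": "processcreatewin", "proc_file_name": "node.exe",
     "cmdline": r'node.exe .\scripts\jsconfig-check.js'},          # "jsc" substring only
    {"event_type": "processcreatewin", "proc_file_name": "cmd.exe",
     "cmdline": r'cmd.exe /c type app.jsc'},                       # .jsc but not node.exe
]

def split_windows_cmdline(cmdline):
    """Tokenize a Windows command line; posix=False keeps backslashes literal."""
    return shlex.split(cmdline, posix=False)

def node_jsc_hit(event):
    """Return the .jsc argument if node.exe is loading a compiled JS file, else None."""
    if event.get("event_type") != "processcreatewin":
        return None
    if PureWindowsPath(event.get("proc_file_name", "")).name.lower() != "node.exe":
        return None
    for arg in split_windows_cmdline(event.get("cmdline", ""))[1:]:
        clean = arg.strip('"')
        if PureWindowsPath(clean).suffix.lower() == ".jsc":
            return clean
    return None

def preloaded_modules(cmdline):
    """List modules passed via -r/--require (Node.js preloads them before the script)."""
    args = split_windows_cmdline(cmdline)
    return [args[i + 1] for i, a in enumerate(args)
            if a in ("-r", "--require") and i + 1 < len(args)]

def hunt(events):
    """Return (cmdline, jsc_file, preloaded_modules) for each matching event."""
    hits = []
    for ev in events:
        jsc = node_jsc_hit(ev)
        if jsc:
            hits.append((ev["cmdline"], jsc, preloaded_modules(ev["cmdline"])))
    return hits

if __name__ == "__main__":
    for cmdline, jsc, preloads in hunt(SAMPLE_EVENTS):
        print(f"hit: {jsc} (preloaded: {preloads}) <- {cmdline}")
```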

Have you observed any other interesting cases of Node.js abuse?

See you tomorrow!
