Hackers Leveraging Compiled V8 JavaScript In Wild To Deploy Malware


Hackers exploit compiled V8 JavaScript to obfuscate their malicious code, as the compiled bytecode effectively hides the malware’s original source code and intentions.

Recently, the use of compiled V8 JavaScript by malware authors has been investigated by Check Point Research.

EHA

This technique is the process of compiling JavaScript into low-level bytecode, which helps threat actors to go unnoticed and hide their source code.

Cybersecurity researchers analyzed thousands of malicious applications that included Remote Access Trojans (RATs), stealers, miners, and ransomware using a custom tool called View8 for decompiling V8 bytecode.

Despite its usage in actual attacks, few samples were found with low detection rates, as people rarely examine the compiled V8.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

Leveraging V8 JavaScript for Malware Attack

Hackers use compiled V8 JavaScript to hide malicious code and avoid detection.

The research has shown that a number of tools, such as View8, can be used to decompile numerous malicious V8 bytecode samples, which expose different malware types that have low detection rates.

Some examples are ChromeLoader, which uses encrypted V8 bytecode payloads, and some ransomware strains that utilize AES encryption for files.

Hackers Leveraging Compiled V8 JavaScript In Wild To Deploy Malware
Overview of ChromeLoader (Source – CheckPoint)

Due to this, one of the major concerns in cyber security is that enables attackers to hide their intent and outsmart the conventional security mechanisms.

These threats often had low detection rates on VirusTotal which highlights the effectiveness of the V8 bytecode.

A recently discovered malware managed to work as an advanced shellcode loader, which can get and execute x64 dynamic shellcodes from a remote command and control server.

By employing the ffi-napi and ref-napi modules, it is possible to load and call dynamic libraries by using only JavaScript.

It talks to its C&C server in order to get the shellcode which it loads into system memory and then executes via Windows API functions.

The malware’s analysis revealed some similarities with a GitHub repository named ‘node-shellcode’, indicating that the authors might have adapted or been influenced by this open-source project.

The threat actors are increasingly using V8 technology to create advanced malware that exploits its wide acceptance and sophisticated design to escape detection.

Here the security analysts illustrated the use of V8 compiled code in malicious software, emphasizing ChromeLoader as an illustration of a high level of technical knowledge.

The researchers present View8, a new interpreter for V8-compiled code that makes it easier to analyze V8-based malware.

The cybersecurity community will develop insights and tools like View8 to strengthen detection and mitigation strategies against evolving threats, which can lead to the discovery of previously unknown V8 malware variations.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo



Source link