Check Point reveals the multi-level tactics of cybercriminals.
Check Point has published a detailed investigation into how attackers abuse V8's compiled JavaScript. The technique compiles JavaScript source into V8's low-level bytecode and ships only the bytecode. Because the source text is gone and the bytecode is not something ordinary static analysis tools understand, the resulting files are much harder to analyze than plain scripts.
V8 is the open-source JavaScript engine developed by Google and used in the Chrome browser as well as in other projects such as Node.js. V8 speeds up execution by compiling JavaScript to bytecode (and further to machine code for hot functions), and it can serialize that compiled form as a "code cache" so it does not have to compile the same script again. Attackers use this same feature to hide the source code of their malware.
In Node.js the compilation is done with the built-in vm module: the vm.Script class compiles a script, and its createCachedData() method returns the V8 bytecode as a buffer that can be saved to disk and later loaded back with the cachedData option. The bytenode library wraps this into a more convenient compile-and-run workflow, which is why it is the tool most often seen in these samples.
Check Point Research (CPR) developed the View8 tool to analyze compiled V8 JavaScript. It decompiles V8 bytecode back into readable high-level code, which makes it possible to identify and analyze these files. CPR used it to analyze thousands of malicious applications, including remote access Trojans, infostealers, cryptominers, and ransomware.
One example of compiled V8 JavaScript in the wild is ChromeLoader. This malware hijacks accounts, steals data, and runs other malicious programs, and its use of V8 bytecode makes it harder to detect and analyze. Recent versions of ChromeLoader are built with the Electron framework as desktop applications that inject the malicious scripts.
Samples of ransomware and wipers, which encrypt victims' files or overwrite them with random data, were also found. These programs use V8 bytecode to hide their logic as well. For example, one of the detected ransomware samples encrypts files on disk with the AES algorithm and sends information about the victim to the attacker via Discord.
Another type of malware is the shellcode loader, which downloads and executes code from remote servers. These programs use the ffi-napi and ref-napi Node.js modules to call functions in native dynamic libraries and load shellcode into process memory. The loaders communicate with a C2 server to receive and execute the malicious code.
Attackers are constantly looking for new ways to hide their actions, and compiled V8 JavaScript is becoming one of them. To defend against such threats, it is recommended to use analysis tools such as View8, keep antivirus software up to date, and be careful with suspicious files and links.
Source