Welcome to the Age of Node.js-Based Cross-Platform Malware – InApps 2022

Given the versatility of the Node.js, it would only be a matter of time before the JavaScript runtime would be deployed for nefarious purposes. And so it has come to pass. Last weekend, details surfaced of new ransomware built on Node.js, called Ransom32.

Thanks to Node and JavaScript’s multi-platform capabilities, the malicious software may very well be the first cross-platform JavaScript ransomware package, able to extort money equally easily from Windows, Linux and Mac users (thus far the exploit has only targeted Windows users though).

First reported on December 29, Ransom32 is built on NW.js, a Node-based framework for running JavaScript applications and Node modules on the Windows desktop. Built on the WebKit layout engine, NW.js provides a way of running code originally written for browsers to run directly on top of the operating system.

For malware makers, NW.js can be handy in that it removes the security limitations that browsers set on running JavaScript code, exposing the full power of the underlying OS.

“So while JavaScript is usually tightly sandboxed in your browser and can’t really touch the system it runs upon, NW.js allows for much more control and interaction with the underlying operating system, enabling JavaScript to do almost everything “normal” programming languages like C++ or Delphi can do,” explained Emsisoft’s Fabian Wosar, a researcher for IT security firm Emsisoft, in a blog post detailing the workings of the ransomware.

In this case, Ransom32, once surreptitiously installed, encrypts the user files on the computer, so they can’t be accessed until a fee is paid, in Bitcoin.

For Wosar, the tip-off to Ransom32’s unusual nature was its heft, over 22MB, much larger than the trim 1MB or so of most malware. The package included NW.js, Node, and the JavaScript-based code that runs the malware.

Thus far, this ransomware has propagated through traditional methods, namely through spam email that includes the software as an attachment, usually craftily named to get the user to click on it. Once that happens, the software, contained within a self-extracting WinRAR file, will install itself on the user’s machine such that the malware executes every time the computer boots.

The package also includes a Tor client to communicate with a back-end “command-and-control” server via port 85, to handle duties such as transmitting the key that encrypted the user data, specifying that address to submit the ransom.

“Files are being encrypted using AES with a 128-bit key using CTR as a block mode. A new key is being generated for every file. The key is encrypted using the RSA algorithm and a public key that is being obtained from the C2 server during the first communication,” Wosar wrote, noting the quality of the package indicates that Ransom32 is a professional job.

Like an increasing amount of malware today, Ransom32 is actually offered as a sort of ransomware-as-a-service, pointed out Softpedia in an article about the attack. Customers can customize their own versions of the software through a Tor network “Dark Web” portal. The software’s authors take a 25 percent cut before forwarding the rest of the ransom to its customers.

Indicate your preferred message box to let people know all their data is now locked up? Ransomware-as-a-Service.

Traditionally,  such malware has been written in languages such as C++, Softpedia noted. But NW.js offers the advantage “of packing the runtime and your NW.js into one single executable. So you don’t rely on the user having some kind of existing framework installed,” Wosar told Softpedia.

What makes Ransom32 especially problematic is that because it includes NW.js, a legitimate program, it has been difficult for anti-malware software and service providers to develop a signature to identify the malicious package.

One thing is certain however, Ramsom32 will only be the first of what may very well be a long line of JavaScript-based cross-platform malware.

“Hackers are fundamentally pack animals and when they see something working it inevitably gets replicated by others. So it’s nearly a certainty we’ll see more of these types of attacks throughout 2016, assuming the perpetrators see a reasonable financial yield,” wrote Richard Greene, CEO of the cloud-based cyber security technology company Seculert, in an e-mail. “What will be interesting to see is what type of features the copycats will add that will make it even more dangerous than the variants currently in circulation.”

Images from Emsisoft.