A recent discovery by cybersecurity experts has unveiled an ongoing malicious campaign known as Stealit, which has utilized Node.js’ Single Executable Application (SEA) feature to disseminate its malicious payloads.
Fortinet FortiGuard Labs has revealed that certain variants of the malware have also made use of the open-source Electron framework to distribute the threat. The malware is believed to be spread through fake installers for popular games and VPN apps, which are shared on platforms like Mediafire and Discord.
The SEA feature allows Node.js applications to be packaged and distributed as standalone executables, eliminating the need for Node.js to be pre-installed on the target system.
Security researchers Eduardo Altares and Joie Salvio stated in a report shared with The Hacker News, “Both methods are effective for distributing Node.js-based malware, as they enable execution without the requirement of a pre-installed Node.js runtime or additional dependencies.”
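Because a SEA binary is an ordinary Node.js executable with an application blob injected, a defender can triage suspicious installers without running them by checking the marker Node.js itself uses. The following Python is an added example (not code from Fortinet or from the Stealit analysis): it looks for the SEA "fuse" sentinel documented in the Node.js single-executable-applications guide, which reads `:0` in a stock node binary and is rewritten to `:1` by postject when a blob is injected. The byte strings at the bottom are constructed stand-ins for real files, and a lit fuse only means "this is a packaged Node.js app", which is a triage signal rather than a malware verdict.

```python
import re
from pathlib import Path

# Sentinel carried by every official Node.js binary (see the Node.js SEA docs).
# It is followed by ":0" in a plain node binary; postject rewrites it to ":1"
# when injecting the SEA blob, and node checks that flag at startup to decide
# whether to run the embedded application instead of behaving like plain node.
SEA_FUSE = re.compile(rb"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:([01])")


def classify_node_binary(data: bytes) -> dict:
    """Return whether `data` looks like a Node.js binary and whether its SEA fuse is lit."""
    states = [m.group(1) for m in SEA_FUSE.finditer(data)]
    return {
        "node_binary": bool(states),   # sentinel present at all
        "sea": b"1" in states,         # at least one sentinel flipped to ":1"
    }


def find_sea_executables(root, suffixes=(".exe",)):
    """Walk `root` and return paths of files whose SEA fuse is set to ':1'.

    Reads each candidate fully into memory, which is acceptable for triage of a
    downloads folder but not for scanning an entire disk.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            try:
                verdict = classify_node_binary(path.read_bytes())
            except OSError:
                continue
            if verdict["sea"]:
                hits.append(str(path))
    return hits


# Constructed byte strings standing in for real binaries (not real samples).
PLAIN_NODE_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32
                     + b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:0" + b"\x00" * 32)
SEA_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32
              + b"NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2:1" + b"\x00" * 32)
NOT_NODE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 64

if __name__ == "__main__":
    for name, blob in [("plain node", PLAIN_NODE_SAMPLE),
                       ("sea", SEA_SAMPLE),
                       ("other", NOT_NODE_SAMPLE)]:
        print(name, classify_node_binary(blob))
```

Run it against a folder of downloaded installers with `find_sea_executables(r"C:\Users\me\Downloads")`; any hit is a packaged Node.js application and deserves a closer look, especially when it was fetched from a file-sharing or chat platform rather than a vendor site.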
The creators of Stealit have set up a dedicated website offering “professional data extraction solutions” through various subscription plans. These include a remote access trojan (RAT) targeting Android and Windows that provides features such as file extraction, webcam control, live screen monitoring, and ransomware deployment.

The pricing for the Windows Stealer starts from $29.99 for a weekly subscription and goes up to $499.99 for a lifetime license. The Android RAT subscription ranges from $99.99 to $1,999.99.
The fake executables include an installer that retrieves the malware components from a command-and-control (C2) server and installs them after conducting anti-analysis checks to avoid detection in virtual or sandbox environments.
During this process, the malware creates a Base64-encoded authentication key, a 12-character alphanumeric code, in the %temp%\cache.json file. This key is used for authentication with the C2 server and for subscribers to access the control dashboard to monitor and manage their targets.
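The cache.json artifact described above is a concrete host indicator a responder can check for. The Python below is an added example, not code from the original report: it reads the file from the user's temp directory, walks every string value in it, and flags any that Base64-decodes to exactly 12 alphanumeric characters. The report does not say which JSON key holds the token, so the code is key-agnostic; the sample document at the bottom, including its `"auth"` field name, is constructed for illustration.

```python
import base64
import binascii
import json
import os
import re
from pathlib import Path

# Decoded form described in the report: 12 alphanumeric characters.
TOKEN_RE = re.compile(rb"^[A-Za-z0-9]{12}$")


def decodes_to_12_char_token(value: str) -> bool:
    """True if `value` is strict Base64 whose decoded bytes are a 12-char alphanumeric token."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return TOKEN_RE.fullmatch(raw) is not None


def _walk_strings(obj):
    """Yield every string value in a parsed JSON document, at any depth."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, dict):
        for v in obj.values():
            yield from _walk_strings(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _walk_strings(v)


def suspicious_keys_in_cache_json(text: str) -> list:
    """Return the Base64 strings in a cache.json body that decode to a 12-char token."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return []
    return [s for s in _walk_strings(doc) if decodes_to_12_char_token(s)]


def check_temp_cache_json(temp_dir=None) -> list:
    """Check %temp%\\cache.json on this host; returns matching tokens, or [] if absent/clean."""
    temp_dir = temp_dir or os.environ.get("TEMP") or os.environ.get("TMP") or "/tmp"
    path = Path(temp_dir) / "cache.json"
    if not path.is_file():
        return []
    return suspicious_keys_in_cache_json(path.read_text(errors="replace"))


# Constructed sample: the field name "auth" and the token are made up for the demo.
CONSTRUCTED_SAMPLE = json.dumps({"auth": base64.b64encode(b"aB3dE5fG7hJ9").decode()})

if __name__ == "__main__":
    print("sample:", suspicious_keys_in_cache_json(CONSTRUCTED_SAMPLE))
    print("this host:", check_temp_cache_json())
```

A match is a strong hint rather than proof: a legitimate 16-character Base64 string whose payload happens to be 12 alphanumeric bytes is possible, so treat a hit as a reason to pull the file, check for the Defender exclusions and the three component executables named below, and correlate with C2 traffic.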

The malware is designed to configure Microsoft Defender Antivirus exclusions to avoid detection of the downloaded components folder. The three executable components serve distinct functions:
- save_data.exe is deployed only with elevated privileges to drop a tool called “cache.exe” (from ChromElevator) for extracting data from Chromium-based browsers.
- stats_db.exe extracts data from messaging apps, cryptocurrency wallets, and game-related platforms.
- game_cache.exe ensures persistence on the host by launching upon system reboot, enabling real-time screen streaming, command execution, file transfer, and desktop wallpaper changes.

Fortinet emphasized, “This latest Stealit campaign takes advantage of the experimental Node.js Single Executable Application (SEA) feature, still in active development, to distribute malicious scripts conveniently to systems without Node.js installed. The threat actors may be capitalizing on the feature’s novelty, aiming to catch security tools and analysts off guard.”