Full Report
The LevelBlue Managed Threat Research team investigated a security alert in a customer environment involving a malicious ZIP file containing a Windows shortcut (.lnk) used for initial execution. When triggered, the LNK file executes a hidden PowerShell command that downloads a legitimate node.exe binary and deploys a NodeJS-based backdoor. The malware also uses the EtherHiding technique, leveraging the TON blockchain to retrieve its command-and-control (C2) address.
Analysis Summary
# Tool/Technique: EtherHiding via TON Blockchain (Node.js Backdoor)
## Overview
This attack involves a multi-stage execution chain that delivers a sophisticated Node.js-based backdoor. The campaign is notable for its use of "EtherHiding," a technique that exploits the immutability of blockchain technology—specifically the TON (The Open Network) blockchain—to host and retrieve command-and-control (C2) infrastructure addresses, making them difficult for defenders to take down.
## Technical Details
- **Type:** Malware (Backdoor) / Technique (EtherHiding)
- **Platform:** Windows
- **Capabilities:** Information stealing, remote command execution, persistence, and virtual machine (VM) obfuscation.
- **First Seen:** Approximately July 2024 (based on report date).
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.002 - Phishing: Spearphishing Link
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.003 - Command and Scripting Interpreter: Windows Command Shell
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1027.007 - Dynamic API Resolution
- T1140 - Deinterlace/Decode Files or Information
- T1564.003 - Hide Artifacts: Hidden Window
- **TA0011 - Command and Control**
- T1102.003 - Web Service: One-Way Communication (Blockchain)
- T1568 - Dynamic Resolution (EtherHiding)
## Functionality
### Core Capabilities
- **Multi-Stage Loading:** Uses a malicious .lnk file disguised as an image to trigger a PowerShell chain.
- **Environment Preparation:** Dynamically checks for `node.exe`; if absent, it downloads a legitimate Node.js binary from the official website to run the malicious JavaScript.
- **C2 Retrieval:** Uses the TON blockchain to fetch the actual C2 server address, bypassing traditional DNS-based blocking.
- **Payload Decryption:** Employs AES-128-CBC and Base64 decoding to reveal the final stage JavaScript.
### Advanced Features
- **VM-Based Obfuscation:** The Node.js backdoor utilizes a custom bytecode virtual machine (VM) interpreter, making static analysis and reverse engineering highly complex.
- **Numeric Obfuscation:** The initial LNK/PowerShell stage uses large integer arithmetic (BigInt) and bitwise shifting to reconstruct malicious URLs without using plain strings.
## Indicators of Compromise
- **File Names:** `node.exe`, `node-v24.13.0-win-x64.zip` (legitimate binaries used maliciously).
- **Network Indicators (Defanged):**
- `hxxps[://]share[.]google/YLoRYlokrW3iner8r` (Initial redirector)
- `hxxps[://]recordstrace[.]info/5bC6vVOeP9PI3B08` (Malicious redirector/host)
- `hxxps[://]nodejs[.]org/dist/v24.13.0/node-v24.13.0-win-x64.zip` (Source of legitimate Node binary)
- **Behavioral Indicators:**
- Launching PowerShell with large integer arithmetic commands.
- Unexpected creation of `node.exe` in `%LocalAppData%`.
- Process execution of `node.exe` with a heavily obfuscated `.js` file as an argument.
## Associated Threat Actors
- Currently grouped under general "EtherHiding" activity. The campaign specifically targets the **hospitality sector** using booking-themed lures.
## Detection Methods
- **Behavioral Detection:** Monitor for PowerShell processes executing commands containing `BigInt`, `-band`, and `-shr` bitwise operations.
- **Process Monitoring:** Alert on the execution of `node.exe` from unconventional directories like `%AppData%` or `%LocalAppData%`, especially when initiated by PowerShell.
- **Network Analysis:** Detect traffic to known TON blockchain gateways used for C2 retrieval.
## Mitigation Strategies
- **Prevention:** Block ZIP and LNK file attachments at the email gateway.
- **Application Whitelisting:** Restrict the execution of Node.js or other scripting interpreters to authorized users/directories only.
- **User Training:** Educate staff in the hospitality sector to be wary of Google Share links and booking-related urgent requests.
- **Hardening:** Disable PowerShell or restrict it to "Constrained Language Mode" for non-administrative users.
## Related Tools/Techniques
- **EtherHiding:** Originally observed using the Binance Smart Chain (BSC), now adapted for the TON blockchain.
- **ClickFix:** The social engineering tactic used to trick victims into downloading the malicious archive.