Cybersecurity researchers have identified an ongoing threat campaign that starts with malicious advertisements on Facebook. Attackers use either stolen or newly created accounts to post thousands of ads promoting what appear to be cryptocurrency trading applications.
When a user clicks on one of these ads, they are redirected through a series of links, eventually landing on a counterfeit website designed to look like a legitimate service, such as TradingView. These fake sites are engineered to convince unsuspecting victims to download and install the malicious applications.
A Complex Infection Process
The attack employs a sophisticated, multi-stage infection process that makes it difficult to analyze and detect. A unique feature of this campaign is that the malicious website and the downloaded installer must run simultaneously for the attack to succeed. The website contains JavaScript that communicates with the installer via a local server on the victim’s machine. This interdependency means that if either the website is closed or the installer component fails, the infection chain is broken, a design choice that complicates automated analysis by security systems. To avoid arousing suspicion, the installer even opens a legitimate version of the app’s website in a browser window.
Fingerprinting and Final Payload
Once the installer is running, it unpacks several library files and begins to gather system information, a process known as fingerprinting. This information, which includes details about the victim’s computer, is sent back to the attackers. If the attackers determine that the victim’s system is a valuable target, they proceed to the final stage of the attack. This involves using Node.js to execute the primary payload: a compiled V8 JavaScript (JSC) malware named JSCEAL.
JSCEAL Malware Capabilities
JSCEAL is a powerful and versatile piece of malware designed to give attackers comprehensive control over the infected machine. Its primary functions include stealing a wide array of data, such as browser cookies, saved passwords, Telegram account data, and cryptocurrency wallet information. The malware can also capture screenshots, log keystrokes, and intercept the victim’s web traffic. This allows it to perform adversary-in-the-middle (AitM) attacks, where it injects malicious scripts into banking and crypto websites in real-time to steal credentials as they are entered. Ultimately, it can function as a remote access trojan (RAT), granting the attacker near-total control.
The core of this campaign’s evasiveness lies in its use of compiled JavaScript (JSC) files. Compiling the JavaScript makes the code much harder for security software to inspect and analyze compared to plain text scripts. This technique, combined with heavy obfuscation and the modular, multi-layered infection flow, makes the JSCEAL malware resilient against many conventional security tools. Researchers note that this combination of sophisticated features makes analysis efforts both challenging and time-consuming, highlighting the evolving tactics of modern threat actors.
Reference:
