[HN Gopher] First Node.js-Based Ransomware: Nodera ___________________________________________________________________ First Node.js-Based Ransomware: Nodera Author : el_duderino Score : 43 points Date : 2020-01-22 17:27 UTC (5 hours ago) (HTM) web link (blogs.quickheal.com) (TXT) w3m dump (blogs.quickheal.com) | asdfasgasdgasdg wrote: | One of these modules' owners should update their modules to check | if they are running as part of the ransomware, and kill the | program if so. That would certainly be an interesting turn of | events. | jlv2 wrote: | "The sample received in our lab was vbs script which has multiple | embedded js scripts. On execution, it creates a directory | "GFp0JAk" at location "%userprofile%\AppData\Local\"." | | Why is this even possible? | carlmr wrote: | Can't everybody write to their own user's AppData folder? | penagwin wrote: | If applications can't write to the Application Data folder then | what's the point of an application data folder? | | > Why is this even possible? | | Well they said "on execution" so that's what made it possible. | Now if it could install to that location without being | explicitly executed (say on download or via a browser bug) then | THAT would be a much bigger deal. | duxup wrote: | So as I read it this is ransomware that was built using nodejs... | not a compromised npm package or anything like that. Is that | right? | grammarxcore wrote: | That's what I took away from the article as well. It's | installed via a VBScript file. | | Edit: I'm also not able to find any other record of it (yet). | Everything links to the OP link or analysis on the OP link. | fludlight wrote: | Most languages, distros, large applications, etc have their own | packaging system. Some are more laissez-faire than others. | | Does someone know a good article from the POV of the maintainer | of a packaging system ecosystem that describes the tradeoffs made | by different approaches over the past ~30 years? | asdfasgasdgasdg wrote: | To be clear, as far as I can tell, the ransomware is built | _using_ nodejs. It is not a ransomware that 's installed via a | compromised package. Although if you happen to be a bad guy, it | seems like building a quality bitcoin-related package, waiting | until you have a big installed base, and then owning all your | users, might be an effective way to set yourself up for life. | carlmr wrote: | I thought Bitcoin can't effectively be mined on CPUs anymore, | only some AltCoins that are too difficult to compute with | ASICs | asdfasgasdgasdg wrote: | I'm not talking about a miner. I'm talking about a wallet | or some utility module. You'd wait until you have a big | installed base then change your module to silently steal | coinbase credentials. Wait a few weeks until you have | enough of them and then own all the accounts at once. | Something like that. The Bitcoin aspect of the module is | just to target effectively. | Wowfunhappy wrote: | Well, yes, but "effective" is context-dependent. | | If you have a million computers mining for you, and you're | not paying their electricity, it doesn't really matter how | individually efficient they are. | hiccuphippo wrote: | There was a few articles about go's search for a new package | system from 2018. | | Edit: See https://blog.golang.org/versioning-proposal and | related articles at the bottom. | robertkrahn01 wrote: | Site is currently down; | https://web.archive.org/web/20200122181519/https://blogs.qui... | | The article mentions the ransom message with the date March 1 | 2018. This probably means this malware is two years old? | grammarxcore wrote: | > This ransomware seems to be in development phase and has some | flaws as mentioned below: | | > ... | | > Hard code destruction time of Private Key "March 1 2018". | | Quite possibly. I'm not sure what that language means and they | don't provide more analysis of the HTML page that comes from. | If it's in development maybe some dude has been sitting on this | idea for a few years and their virus scanner just picked it up | recently. | ecmascript wrote: | Ironically, the archive link you provided also doesn't load for | me. | msla wrote: | If it's just a blank screen, it's a longstanding issue nobody | seems to acknowledge: | | https://news.ycombinator.com/item?id=21765389 | | > There's a problem with the Wayback Machine in specific | which can kill your ability to access it quite silently, | unless you know how to use the browser's development tools | and interpret headers. | | > It has to do with cookies: Somehow, the Wayback Machine | sets cookies... and sets cookies... and keeps setting | cookies, until it overflows its own ability to _accept_ | cookies. At that point, your browser tries to access a | Wayback Machine page, handing the server all of the cookies | it currently has, and the server refuses to deal. It | absolutely denies everything, sending an error header and a | blank page. You have to clear all web.archive.org cookies to | get anything at all, at which point it works perfectly. | | > I've completely solved this problem by blacklisting | web.archive.org in browser cookie blacklists. I haven't had | it happen since then. As far as I'm concerned, the problem is | diagnosed and just needs to be solved. At _their_ end. | [deleted] ___________________________________________________________________ (page generated 2020-01-22 23:01 UTC)