“are different controls related to CPU numbers, disk space, screen resolution, USB devices, hardware manufacturers and products, number of installed software, presence of specific folders such as browser folders, number of running processes and username. A scoring system is implem…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1053.005 Scheduled Task (95%)
“…ers, and, more recently, JavaScript loaders built with the Bun runtime. It is often hosted on legitimate platforms such as GitHub, GitLab, MediaFire, itch.io, and SourceForge, which helps it blend in with normal software and increases the chances of users downloading it. Attac…”
T1204.002 Malicious File (94%)
“Attackers adopt JavaScript runtime Bun to spread NWHStealer. In our previous research, we analyzed a Windows infostealer we track as NWHStealer. The attackers behind this stealer are continuously finding new methods to distribute the stealer. During our hunting activities, we noti…”
T1071.001 Web Protocols (88%)
“IoCs) Domains: whale-ether[.]pro: NWH stealer C2 server; cosmic-nebula[.]cc: NWH stealer C2 server; silent-harvester[.]cc: Bun loader C2 server; silent-orbit[.]cc: Bun loader C2 server; support-onion[.]club: Bun loader C2 server. Hash: d3a896f450561b2546b4…”
T1055.001 Dynamic-link Library Injection (74%)
“public IP obtained with a request to api.ipify.org, system information, anti-VM result, base64-encoded screenshot, timestamp. Then it makes two GET HTTP requests: https://c2-server/api/status?v={build_id}, to obtain the seed used for AES key derivation; https…”
T1204.002 Malicious File (73%)
“Recent campaigns include: game-related software and cheats such as: mouse_pi_trainer_v1.0.zip, fivem mod.zip, vampirecrawlers_trainer_v1.0.zip, magicalprincess_trainer_v1.0.zip, terratechlegion_trainer_v1.0.zip; other software such as: tradingview-act…”
T1204.002 Malicious File (53%)
“of newer tools like Bun shows how they try to stay ahead of detection. NWHStealer is particularly concerning because of how widely it is distributed, and the types of data it targets. Stolen browser data, saved passwords, and cryptocurrency wallet information can quickly lead to …”
T1497.001 System Checks (49%)
“: qemu, seabios, bochs, vbox, vmware, virtualbox, kvm, xen, parallels, virtio, vmbus, red hat, edk ii; username sandbox: sandbox, malware, virus, sample, vmuser, wdagutilityaccount, defaultuser0; MAC associated with virtual environments. The strings are decrypted using XOR and base…”
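An added example, not code from this page or from the report it quotes: a Python re-implementation of the anti-VM scoring that the excerpts describe (the per-host controls and "scoring system" in the first excerpt, and the hardware, username and MAC indicators in the T1497.001 excerpt above), with the indicator strings stored XOR-obfuscated and base64-encoded as the excerpt says the stealer does. The XOR key, the MAC prefixes, the weights and the threshold are assumptions: the page names the controls and the strings but none of the numbers. The two host profiles at the bottom are constructed for the example.

```python
import base64
from dataclasses import dataclass, field
from typing import List, Tuple

# Assumed XOR key. The excerpt says the strings are XOR-decrypted and base64-decoded;
# the real sample's key is not on the page.
XOR_KEY = b"\x5a\xa3\x17"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (symmetric: the same call encrypts and decrypts)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate(plain: str) -> str:
    """base64(xor(plaintext)): how an indicator string would sit in the binary."""
    return base64.b64encode(xor_bytes(plain.encode("utf-8"), XOR_KEY)).decode("ascii")


def deobfuscate(blob: str) -> str:
    """Reverse of obfuscate(): what the stealer does before comparing strings."""
    return xor_bytes(base64.b64decode(blob), XOR_KEY).decode("utf-8")


# Indicator strings taken verbatim from the quoted excerpt, stored obfuscated.
VM_VENDOR_BLOBS = [obfuscate(s) for s in (
    "qemu", "seabios", "bochs", "vbox", "vmware", "virtualbox", "kvm", "xen",
    "parallels", "virtio", "vmbus", "red hat", "edk ii")]
SANDBOX_USER_BLOBS = [obfuscate(s) for s in (
    "sandbox", "malware", "virus", "sample", "vmuser", "wdagutilityaccount", "defaultuser0")]
# The page only says "MAC associated with virtual environments"; these OUIs are an
# assumption (VMware, VirtualBox, QEMU/KVM, Xen prefixes), not the sample's list.
VM_MAC_PREFIXES = ("00:0c:29", "00:50:56", "00:05:69", "08:00:27", "52:54:00", "00:16:3e")

SANDBOX_THRESHOLD = 4  # assumed cut-off; the page does not give one


@dataclass
class HostProfile:
    manufacturer: str
    product: str
    username: str
    mac: str
    cpu_count: int
    disk_gb: int
    screen: Tuple[int, int]
    usb_devices: int
    installed_software: int
    running_processes: int
    browser_folders: List[str] = field(default_factory=list)


def score_host(p: HostProfile) -> Tuple[int, List[str]]:
    """Score the controls the first excerpt lists. Weights/thresholds are assumptions:
    strong identity signals (vendor string, username, MAC) weigh 3, weak ones weigh 1."""
    score, hits = 0, []
    hardware = f"{p.manufacturer} {p.product}".lower()
    for blob in VM_VENDOR_BLOBS:
        s = deobfuscate(blob)
        if s in hardware:
            score += 3
            hits.append(f"hardware string '{s}'")
            break
    user = p.username.lower()
    for blob in SANDBOX_USER_BLOBS:
        s = deobfuscate(blob)
        if s in user:
            score += 3
            hits.append(f"username '{s}'")
            break
    if p.mac.lower().startswith(VM_MAC_PREFIXES):
        score += 3
        hits.append("virtual-NIC MAC prefix")
    weak_checks = [
        (p.cpu_count < 2, "fewer than 2 CPUs"),
        (p.disk_gb < 60, "disk smaller than 60 GB"),
        (p.screen[0] < 1024 or p.screen[1] < 768, "small screen resolution"),
        (p.usb_devices == 0, "no USB devices"),
        (p.installed_software < 10, "few installed programs"),
        (not p.browser_folders, "no browser profile folders"),
        (p.running_processes < 40, "few running processes"),
    ]
    for hit, reason in weak_checks:
        if hit:
            score += 1
            hits.append(reason)
    return score, hits


def looks_like_sandbox(p: HostProfile) -> bool:
    return score_host(p)[0] >= SANDBOX_THRESHOLD


# Constructed sample hosts (not data from the report).
SANDBOX_HOST = HostProfile("VMware, Inc.", "VMware Virtual Platform", "sandbox",
                           "00:0c:29:ab:cd:ef", 1, 40, (1024, 768), 0, 4, 25, [])
WORKSTATION = HostProfile("Dell Inc.", "Latitude 7420", "jsmith", "a4:bb:6d:12:34:56",
                          8, 512, (1920, 1080), 3, 85, 180,
                          [r"C:\Users\jsmith\AppData\Local\Google\Chrome"])

if __name__ == "__main__":
    for host in (SANDBOX_HOST, WORKSTATION):
        total, reasons = score_host(host)
        print(host.username, total, looks_like_sandbox(host), reasons)
```

For a sandbox operator the breakdown is the useful part: the vendor string, the username and the MAC prefix each carry enough weight on their own to cross the threshold, so fixing only the cheap signals (CPU count, disk size, process count) does not stop the evasion unless the identity strings are masked as well.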
T1204.002 Malicious File (30%)
“…ers, and, more recently, JavaScript loaders built with the Bun runtime. It is often hosted on legitimate platforms such as GitHub, GitLab, MediaFire, itch.io, and SourceForge, which helps it blend in with normal software and increases the chances of users downloading it. Attac…”
Summary
A legitimate developer tool is being repurposed by attackers to package and spread this Windows infostealer in harder-to-detect ways.