A sophisticated new malware campaign is using fake online speed test applications to infect Windows systems. These malicious apps are disguised as legitimate network testing tools, PDF readers, and other utilities to trick users into installing dangerous code.
The attack begins when a user downloads what they believe to be a functional speed test application from a malicious website. Once installed, the application works as advertised, creating a false sense of security while a hidden Node.js environment and malicious JavaScript files are deployed in the background.
How the Malware Works
Security researchers found that the applications are packaged using Inno-Packer installers, which bundle the legitimate program with the malicious code. The malware operates independently of the main application and uses a scheduled task to execute every 12 hours.
The malicious JavaScript code communicates with a command-and-control server and can execute commands sent by the attackers. It also collects system information, including a unique machine ID, and sends it back to the attackers.
The JavaScript payload is heavily obfuscated to hide its true purpose. Once decoded, the code shows that it exchanges JSON-formatted messages with the command-and-control server, and researchers have observed it receiving and executing PowerShell commands. The malware uses Node.js modules to run those commands with the privileges of the logged-in user while staying out of sight.
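As an added defender-side example (not code from the article or from the researchers it cites), the following Python function parses a Task Scheduler XML definition, the output of `schtasks /query /xml` or `Export-ScheduledTask`, and flags the persistence pattern described above: an action that launches node.exe with a .js script from a user-profile directory, repeating every 12 hours. The file paths and the sample task XML are constructed for illustration, not indicators from the campaign.

```python
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler 2.0 task definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def suspicious_node_task(task_xml):
    """Inspect one scheduled-task definition. Return a dict of findings when
    an action runs node.exe with a .js script, else None."""
    root = ET.fromstring(task_xml)
    findings = {}
    for action in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (action.findtext("t:Command", "", NS) or "").strip().strip('"')
        args = (action.findtext("t:Arguments", "", NS) or "").strip()
        if cmd.lower().endswith("node.exe") and ".js" in args.lower():
            findings["command"] = cmd
            findings["arguments"] = args
            # node.exe living under a user profile rather than Program Files
            findings["user_profile_path"] = "\\appdata\\" in cmd.lower()
    if not findings:
        return None
    intervals = [i.text for i in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS)]
    findings["intervals"] = intervals
    findings["twelve_hour"] = "PT12H" in intervals  # matches the reported cadence
    return findings


# Constructed sample task (hypothetical paths; XML declaration omitted so the
# string parses directly). Real exports are UTF-16: read them as bytes.
SAMPLE_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT12H</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Local\\SpeedTest\\node.exe</Command>
      <Arguments>"C:\\Users\\user\\AppData\\Local\\SpeedTest\\update.js"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for comparison: a built-in Windows binary, no repetition
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec><Command>C:\\Windows\\System32\\defrag.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(suspicious_node_task(SAMPLE_TASK))  # findings dict, twelve_hour True
    print(suspicious_node_task(BENIGN_TASK))  # None
```

To hunt across a host, export every task definition and run each one through the function; a hit on both `twelve_hour` and `user_profile_path` is worth a closer look at the referenced script.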