Hackers Use TON Blockchain to Evade Malware Detection with Legitimate Software

Cybersecurity researchers have identified a malware campaign that uses the TON blockchain, legitimate software, and trusted Windows components to build a resilient command-and-control infrastructure capable of evading conventional security measures. The attackers combine blockchain technology with widely used applications to complicate malware detection and disrupt traditional takedown efforts. This campaign reflects a growing trend in which cybercriminals exploit decentralized technologies and legitimate software ecosystems to create highly resilient malware infrastructure that can withstand domain blocking and traditional security defenses.

Phishing Emails Initiate Multi-Stage Attack Chain

The attack begins with phishing emails disguised as booking-related communications. Recipients are directed to a Google Share link that redirects them to a malicious website, where they are prompted to download a ZIP archive either directly or through a ClickFix-style interface. The downloaded archive contains a malicious Windows shortcut (LNK) file disguised as an image by using an icon from the Windows shell32.dll library.

Once the shortcut file is opened, it silently executes an obfuscated PowerShell command. Instead of storing the download domain in plain text, the attackers encode the address as two large numerical values. The embedded PowerShell script reconstructs the malicious domain by performing arithmetic and bitwise operations, making the infrastructure more difficult for security tools to identify during static analysis.

The PowerShell payload then checks whether the Node.js runtime is already installed on the target device. If it is not present, the malware downloads the legitimate Windows version of Node.js from the project's official distribution infrastructure and extracts it into the user's LocalAppData directory. By relying on authentic software components rather than malicious executables alone, the attackers seek to blend their activity with legitimate application behavior and reduce the likelihood of detection.

JavaScript Payload Uses Custom Virtual Machine Interpreter

After installing or locating Node.js, the malware decrypts a JavaScript payload protected with AES-128-CBC encryption and Base64 encoding. The decrypted code is executed through the legitimate Node.js runtime, with the command-and-control configuration supplied as a runtime argument.

Researchers reported that the JavaScript implant had been heavily obfuscated and executed through a custom virtual machine interpreter rather than standard JavaScript. This technique significantly increases the complexity of malware analysis by preventing traditional signature-based security tools from easily identifying malicious code.

Blockchain-Hosted Configuration Enables C2 Updates

The attack uses the TON blockchain as a resilient command-and-control infrastructure, enabling attackers to update malicious instructions without modifying or redistributing malware already installed on compromised systems. Investigators identified several historical command-and-control domains associated with the campaign. However, the malware does not depend exclusively on fixed domains for instructions. Instead, operators can modify blockchain-hosted configuration data whenever infrastructure is blocked, allowing infected systems to retrieve updated command-and-control information without requiring the malware itself to be replaced.

The malware is capable of downloading Windows executables, PowerShell scripts, and additional JavaScript payloads. Before executing downloaded Windows programs, it verifies the Portable Executable (PE) file header, stores the file under a randomly generated name in the temporary directory, and may attempt to add the file path to Microsoft Defender's exclusion list to reduce the chances of detection during execution.

Security Teams Advised to Monitor Phishing and Unauthorized Software Installations

Researchers advised organizations to remain vigilant against phishing campaigns using travel and booking-related themes, particularly emails containing Google Share links that redirect users to suspicious downloads. They also recommended monitoring ZIP archives containing LNK shortcut files disguised as images, as well as unexpected PowerShell activity and unauthorized Node.js installations on enterprise systems.

FAQ

What is the TON blockchain used for in this malware campaign?

The TON blockchain is used as a resilient command-and-control infrastructure that enables attackers to update malicious instructions without modifying or redistributing malware already installed on compromised systems. Operators can modify blockchain-hosted configuration data whenever infrastructure is blocked, allowing infected systems to retrieve updated command-and-control information.

How does the malware disguise itself as legitimate software?

The malware downloads the legitimate Windows version of Node.js from the project's official distribution infrastructure and executes encrypted JavaScript payloads through the authentic Node.js runtime. By relying on trusted software components and Windows utilities, the attackers blend their activity with legitimate application behavior to reduce the likelihood of detection by security tools.

Disclaimer: The information on this page may come from third-party sources and is for reference only. It does not represent the views or opinions of Gate and does not constitute any financial, investment, or legal advice. Virtual asset trading involves high risk. Please do not rely solely on the information on this page when making decisions. For details, see the Disclaimer.
Comment
0/400
No comments