====================
== Alert Overload ==
====================
Tales from a SOC analyst

Node Malware / EvilAI

Node Malware

Node.js is commonly used to deploy stealers on endpoints. In these incidents the lure is a WebView2 application bundled into an InnoSetup installer. The installer registers a scheduled task from a custom task XML definition, and that task runs a malicious Node.js script on the host. Trend Micro tracks this campaign as EvilAI.

The linked article does a great job of breaking these down. The lures are .NET assemblies that host WebView2 and an AI-generated "web application" (read: vibe-coded HTML pages). The lure, a copy of node.exe and the malicious script are bundled into a single InnoSetup installer. When the installer runs, it registers a scheduled task that executes the script with the bundled node.exe. The user only sees the intended "legitimate" AI web app get installed.

I did some analysis on a couple of these, but honestly, they aren’t worth posting about. If you want to see analysis, check out Luke Acha’s posts about it. All the EvilAI samples are essentially the same, with different vibe-coded apps.

Hunting Query

This was adapted to be more query-language agnostic. All observed node executions followed the pattern C:\Users\<user>\AppData\Local\Programs\<sample>\node.exe -> C:\Users\<user>\AppData\Local\Programs\<sample>\<script>.js, with node.exe and the script sitting in the same per-sample folder.

Command Line="*AppData\Local\Programs*node.exe*AppData\Local\Programs*.js*" | table([time, Computer, Event, User, File Path, File Name, Command Line, SHA256], limit=20000)

This query matches any process command line in which a node.exe under AppData\Local\Programs runs a .js file that also lives under AppData\Local\Programs. Hits are worth reviewing before acting on them, since legitimate per-user software also installs under that folder.
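The same pattern as host-side detection logic, added here as an example and not taken from the original post or from any vendor tooling. It turns the wildcard query into a regex, captures the user, the sample folder and the script name, and additionally checks that node.exe and the .js file sit in the same Programs folder, which the SIEM wildcard does not. The function names and the sample command lines are this example's own; the Sysmon reader at the end assumes Sysmon is installed and logging Event ID 1.

```powershell
# Added example, not from the original post. Applies the hunting pattern to
# process-creation command lines. Function names and $SampleCommandLines are
# this example's own.

# node.exe and the .js script both under \Users\<user>\AppData\Local\Programs\<folder>\.
# Named groups let the caller see which user and which sample folder were involved.
$NodeProgramsPattern = '\\Users\\(?<user>[^\\]+)\\AppData\\Local\\Programs\\(?<nodeDir>[^\\"]+)\\node\.exe["\s]+.*?\\AppData\\Local\\Programs\\(?<scriptDir>[^\\"]+)\\(?<script>[^\\"\s]+\.js)'

function Test-NodeProgramsExecution {
    # Returns one object for a matching command line, nothing otherwise.
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match $NodeProgramsPattern) {
        [pscustomobject]@{
            User        = $Matches['user']
            SampleDir   = $Matches['nodeDir']
            Script      = $Matches['script']
            # Observed infections keep node.exe and the script in the same folder;
            # a mismatch deserves a second look rather than an automatic verdict.
            SameFolder  = ($Matches['nodeDir'] -eq $Matches['scriptDir'])
            CommandLine = $CommandLine
        }
    }
}

function Get-NodeProgramsExecutionFromSysmon {
    # Live variant: reads Sysmon ProcessCreate (Event ID 1) from the local log.
    # Assumes Sysmon is installed; run from an elevated shell.
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            $xml = [xml]$evt.ToXml()
            $cl  = ($xml.Event.EventData.Data | Where-Object Name -eq 'CommandLine').'#text'
            if ($cl) {
                Test-NodeProgramsExecution -CommandLine $cl |
                    Add-Member -MemberType NoteProperty -Name TimeCreated -Value $evt.TimeCreated -PassThru
            }
        }
}

# Constructed sample command lines (not real telemetry): two infections in the
# observed shape, a benign system-wide node install, and one line where node.exe
# and the script sit in different Programs folders.
$SampleCommandLines = @(
    '"C:\Users\alice\AppData\Local\Programs\ManualReaderPro\node.exe" "C:\Users\alice\AppData\Local\Programs\ManualReaderPro\24c92c24-5c4e-451a-8885-9509dc69ab38.js"',
    'C:\Users\bob\AppData\Local\Programs\OpenMyManual\node.exe C:\Users\bob\AppData\Local\Programs\OpenMyManual\licensekey.js',
    '"C:\Program Files\nodejs\node.exe" C:\dev\api\server.js',
    '"C:\Users\carol\AppData\Local\Programs\SomeTool\node.exe" C:\Users\carol\AppData\Local\Programs\Other\build.js'
)

$SampleCommandLines | ForEach-Object { Test-NodeProgramsExecution -CommandLine $_ } |
    Format-Table User, SampleDir, Script, SameFolder -AutoSize
```

Only lines that reference AppData\Local\Programs for both node.exe and the script come back, so the system-wide node install in the sample set is ignored; the SameFolder column is what separates the observed infection shape from a node.exe under one per-user program running a script from another.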

Removal Script

$ErrorActionPreference = "SilentlyContinue"
# Sample names observed in the environment; each is used as a regex against file and folder names below
$files = @("AllManualsReader","ManualReaderPro","ClassicSudoku","OpenMyManual","TotalUserManuals","JustAskJacky","ManualsHQ")
$users = (Get-Item C:\Users\*).Name
foreach($user in $users){
    $path = "C:\Users\$user\Downloads"
    $apppath = "C:\Users\$user\AppData\Local\Programs"
    if((Test-Path $path) -And (Test-Path $apppath)){
        foreach($file in $files){
            Write-Host "Removing $path\$file matches"
            Get-ChildItem $path | ? Name -match $file | Remove-Item # remove the downloaded installer
            Write-Host "Removing $apppath\$file matches"
            Get-ChildItem $apppath | ? Name -match $file | Remove-Item -Force -Recurse # remove the unpacked app folder (lure, node.exe and script)
        }
    }
}
# Remove the persistence: any task whose action runs node.exe, whether node.exe is the
# program itself (Execute) or appears on the command line of something else (Arguments)
$tasks = Get-CimInstance -Namespace Root/Microsoft/Windows/TaskScheduler -ClassName MSFT_ScheduledTask
foreach($task in $tasks){
    if(($task.Actions.Execute -match "node.exe") -or ($task.Actions.Arguments -match "node.exe")){
        Write-Host "Unregistering task: $($task.TaskPath)$($task.TaskName)"
        Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
    }
}

This is a simple script that matches the sample names in the $files array against each user's Downloads and AppData\Local\Programs directories and deletes whatever matches: the installer in Downloads and the unpacked app folder, with its node.exe and script, under Programs. It then unregisters every scheduled task whose action references node.exe. Keep in mind that this is not scoped to the malware: any scheduled task that launches node, legitimate or not, is removed, and because the names are used as regexes a name like ManualReaderPro also matches any file or folder that merely contains that string. For my use, this worked fine for most infections.
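A more conservative way to handle the persistence, added as an example that is not part of the original post. Instead of unregistering every task that launches node, it matches tasks whose action runs node.exe from a user's AppData\Local\Programs (or %LOCALAPPDATA%\Programs) folder, saves the task XML and the SHA256 of the referenced files to an evidence folder, and then disables the task rather than deleting it. The function names, the -AnyNode switch and the evidence folder location are this example's own choices.

```powershell
# Added example, not from the original post. Finds, preserves and disables
# scheduled tasks that run node.exe out of a per-user Programs folder.
# Function names, the -AnyNode switch and the evidence folder are this
# example's own. Run from an elevated shell; the ScheduledTasks module ships with Windows.

function Get-NodeProgramsTask {
    param(
        # -AnyNode widens the match to every task that launches node.exe,
        # which is what the removal script above does.
        [switch]$AnyNode
    )
    # Accept either the explicit profile path or the %LOCALAPPDATA% form in the action.
    $programsHint = '(\\Users\\[^\\]+\\AppData\\Local|%LOCALAPPDATA%)\\Programs\\'
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            # COM-handler actions have no Execute/Arguments; casting $null gives ''.
            $exe    = [string]$action.Execute
            $argStr = [string]$action.Arguments
            $runsNode = ($exe -match 'node\.exe') -or ($argStr -match 'node\.exe')
            if (-not $runsNode) { continue }
            if (-not $AnyNode -and (($exe + ' ' + $argStr) -notmatch $programsHint)) { continue }
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                State     = $task.State
                Author    = $task.Author
                Execute   = $exe
                Arguments = $argStr
            }
        }
    }
}

function Disable-NodeProgramsTask {
    param(
        [string]$EvidencePath = (Join-Path $env:ProgramData 'NodeMalwareTriage'),
        [switch]$AnyNode
    )
    New-Item -ItemType Directory -Path $EvidencePath -Force | Out-Null
    foreach ($hit in Get-NodeProgramsTask -AnyNode:$AnyNode) {
        $safeName = $hit.TaskName -replace '[^\w.-]', '_'
        # 1. Keep the full task definition (trigger, RunLevel, exact action) before touching it.
        Export-ScheduledTask -TaskName $hit.TaskName -TaskPath $hit.TaskPath |
            Set-Content -Path (Join-Path $EvidencePath "$safeName.xml")
        # 2. Hash the node.exe and .js the action references. %LOCALAPPDATA% expands to the
        #    current user's profile here, so for another user's task check the path by hand.
        $line  = [Environment]::ExpandEnvironmentVariables($hit.Execute + ' ' + $hit.Arguments)
        $paths = [regex]::Matches($line, '[A-Za-z]:\\[^"]+?\.(exe|js)') |
            ForEach-Object { $_.Value } | Where-Object { Test-Path -LiteralPath $_ }
        foreach ($p in $paths) {
            $h = Get-FileHash -Algorithm SHA256 -LiteralPath $p
            "$($h.Hash)  $p  ($($hit.TaskPath)$($hit.TaskName))" |
                Add-Content -Path (Join-Path $EvidencePath 'hashes.txt')
        }
        # 3. Disable rather than unregister so the definition survives for the investigation.
        Disable-ScheduledTask -TaskName $hit.TaskName -TaskPath $hit.TaskPath | Out-Null
        $hit
    }
}

# Typical use: review the candidates first, then disable them.
Get-NodeProgramsTask | Format-Table TaskPath, TaskName, State, Execute, Arguments -AutoSize
# Disable-NodeProgramsTask | Format-Table TaskPath, TaskName, Execute, Arguments -AutoSize
```

The hashes written to hashes.txt can be compared directly against the IOC tables below, and the exported XML keeps the trigger and the exact command line that the task definition carried, which is lost once the task is unregistered.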

Known IOCs

These are the samples identified in the environment so far. For each one: the InnoSetup installer as downloaded, the Node.js script the scheduled task runs, the unpacked lure application, and the domain the script calls.

ManualReaderPro

IOC | Type | Description
0ABD1E39E17FA99366C8F1CC9171730867B6E86F6362B0492A090170F0305E55 | SHA256 | manualreaderpro.exe - InnoSetup installer
167359B715610003752CBC89B122A6DF97E501304CB4A1EE94A6E75EBF51D6D6 | SHA256 | 24c92c24-5c4e-451a-8885-9509dc69ab38.js - Node malware
EC3487B0C87A072D9A730CB7AD6671FC1C9B983F26EF1F9CE66B9BD718FE92E9 | SHA256 | ManualReaderPro.exe - unpacked application
api.cjby76nlcynrc4jvrb.com | Domain | API endpoint called by Node malware

OpenMyManual

IOC | Type | Description
A0DAE9B551026295575DCF4B1F668069B8FE8119458E792E8293299A74E79436 | SHA256 | OpenMyManual.exe - InnoSetup installer
822F5DCFE7350D259594D92128BA9FC2B7620AA33B571D8AF8A87945D8909026 | SHA256 | licensekey.js - Node malware
33A9D45E2D549B81718593134E3EE3CB1CFD3A38A8BBDE3C62A7062D2015D6BD | SHA256 | OpenMyManual.exe - unpacked application
api.pyej17uw09d1bqlndg.com | Domain | API endpoint called by Node malware

TotalUserManuals

IOC | Type | Description
94DC4138BFABF6A3E7CEFFFC5F5062FE0AC31384BAE4AD78F27557DDB29F6EAE | SHA256 | TotalUserManuals.exe - InnoSetup installer
BCC9EBCE78FDBB1271FF1A2E0DEF82EC87D6E964A18293E82EC0CDD12856E66B | SHA256 | script.js - Node malware
B34643B3CA2636195B650E47BFE117FB53FFECF66CD4EA8EB428797D531AECBE | SHA256 | TotalUserManuals.exe - unpacked application
get.latest-manuals.com | Domain | API endpoint called by Node malware

AllManualsReader

IOC | Type | Description
B09FD02E58AFD99F7EE8B00C604319D5E83CFA63819B6DD56568FBF4DBCE528A | SHA256 | AllManualsReader_oc.exe - InnoSetup installer
25BCCBE33F9EB7769061033D8C630E325ACD5FE3EB2ABCB40EADDB56AB9F242D | SHA256 | 2d4d7602-8032-4207-a03f-be08e68d1094.js - Node malware
44AD5554FE91BAE93CD6242E75D2AD73BC7F52A2547B1601AD0A77E4B803D433 | SHA256 | AllManualsReader.exe - unpacked application
api.k2ioeasm874fnacr9x.com | Domain | API endpoint called by Node malware

ClassicSudoku

IOC | Type | Description
A7FBBB0393E36BC70B6EAFB967A3B11A65C442090DA1840364886B984784135C | SHA256 | ClassicSudoku_oc.exe - InnoSetup installer
DB08B3742A8FB499D8F18F1C03D88CD6E9AE92A70E5B1441935A1891A48B5E0F | SHA256 | 2edd5db0-15e8-4e96-b8a5-ba0e0562023e.js - Node malware
B9C9898BE3A04BDE91863137C784F0C76ED031EE6DB1501C17D2128681B4412F | SHA256 | ClassicSudoku.exe - unpacked application
api.rmr6qd1zy9hyafyzk2.com | Domain | API endpoint called by Node malware

JustAskJacky

IOC | Type | Description
8ECD3C8C126BE7128BF654456D171284F03E4F212C27E1B33F875B8907A7BC65 | SHA256 | justaskjacky.exe - InnoSetup installer
DD8502622EAA4E3798F4848CFE81C06ED0DFFD7CB0A62C7AB6C7124D5B07BB04 | SHA256 | c99f5c91-8d40-4172-887d-fa0f2519a694.js - Node malware
532F78CEB001D9F081607F2CF6740635BB6BA2E87ECACA89A149E82C26F28034 | SHA256 | JustAskJacky.exe - unpacked application
api.vtqgo0729ilnmyxs9q.com | Domain | API endpoint called by Node malware
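A host sweep against the indicators above, added as an example and not code from the original post. It hashes .exe and .js files under each user's Downloads and AppData\Local\Programs and looks for the six domains in the DNS client cache. The hash and domain values are copied from the tables; the function name and the search depth are this example's own.

```powershell
# Added example, not from the original post. Sweeps a host for the IOCs listed
# in the tables above. Function name and search depth are this example's own;
# the hash and domain values are copied from the tables.

$KnownHashes = @{
    # ManualReaderPro
    '0ABD1E39E17FA99366C8F1CC9171730867B6E86F6362B0492A090170F0305E55' = 'ManualReaderPro - InnoSetup installer'
    '167359B715610003752CBC89B122A6DF97E501304CB4A1EE94A6E75EBF51D6D6' = 'ManualReaderPro - Node malware script'
    'EC3487B0C87A072D9A730CB7AD6671FC1C9B983F26EF1F9CE66B9BD718FE92E9' = 'ManualReaderPro - unpacked application'
    # OpenMyManual
    'A0DAE9B551026295575DCF4B1F668069B8FE8119458E792E8293299A74E79436' = 'OpenMyManual - InnoSetup installer'
    '822F5DCFE7350D259594D92128BA9FC2B7620AA33B571D8AF8A87945D8909026' = 'OpenMyManual - Node malware script'
    '33A9D45E2D549B81718593134E3EE3CB1CFD3A38A8BBDE3C62A7062D2015D6BD' = 'OpenMyManual - unpacked application'
    # TotalUserManuals
    '94DC4138BFABF6A3E7CEFFFC5F5062FE0AC31384BAE4AD78F27557DDB29F6EAE' = 'TotalUserManuals - InnoSetup installer'
    'BCC9EBCE78FDBB1271FF1A2E0DEF82EC87D6E964A18293E82EC0CDD12856E66B' = 'TotalUserManuals - Node malware script'
    'B34643B3CA2636195B650E47BFE117FB53FFECF66CD4EA8EB428797D531AECBE' = 'TotalUserManuals - unpacked application'
    # AllManualsReader
    'B09FD02E58AFD99F7EE8B00C604319D5E83CFA63819B6DD56568FBF4DBCE528A' = 'AllManualsReader - InnoSetup installer'
    '25BCCBE33F9EB7769061033D8C630E325ACD5FE3EB2ABCB40EADDB56AB9F242D' = 'AllManualsReader - Node malware script'
    '44AD5554FE91BAE93CD6242E75D2AD73BC7F52A2547B1601AD0A77E4B803D433' = 'AllManualsReader - unpacked application'
    # ClassicSudoku
    'A7FBBB0393E36BC70B6EAFB967A3B11A65C442090DA1840364886B984784135C' = 'ClassicSudoku - InnoSetup installer'
    'DB08B3742A8FB499D8F18F1C03D88CD6E9AE92A70E5B1441935A1891A48B5E0F' = 'ClassicSudoku - Node malware script'
    'B9C9898BE3A04BDE91863137C784F0C76ED031EE6DB1501C17D2128681B4412F' = 'ClassicSudoku - unpacked application'
    # JustAskJacky
    '8ECD3C8C126BE7128BF654456D171284F03E4F212C27E1B33F875B8907A7BC65' = 'JustAskJacky - InnoSetup installer'
    'DD8502622EAA4E3798F4848CFE81C06ED0DFFD7CB0A62C7AB6C7124D5B07BB04' = 'JustAskJacky - Node malware script'
    '532F78CEB001D9F081607F2CF6740635BB6BA2E87ECACA89A149E82C26F28034' = 'JustAskJacky - unpacked application'
}
$KnownDomains = @(
    'api.cjby76nlcynrc4jvrb.com', 'api.pyej17uw09d1bqlndg.com', 'get.latest-manuals.com',
    'api.k2ioeasm874fnacr9x.com', 'api.rmr6qd1zy9hyafyzk2.com', 'api.vtqgo0729ilnmyxs9q.com'
)

function Find-KnownNodeMalware {
    param(
        # Where the installer (Downloads) and the unpacked app (Programs) land.
        [string[]]$Roots = (Get-ChildItem -Path C:\Users -Directory |
            ForEach-Object { Join-Path $_.FullName 'Downloads'; Join-Path $_.FullName 'AppData\Local\Programs' }),
        [int]$Depth = 2
    )
    # File hashes: only .exe and .js, and only a couple of levels deep, so that large
    # per-user installs under Programs do not turn this into a full-disk hash job.
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -Path $root -File -Recurse -Depth $Depth -Include *.exe, *.js -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName -ErrorAction SilentlyContinue).Hash
                if ($hash -and $KnownHashes.ContainsKey($hash)) {
                    [pscustomobject]@{ Type = 'SHA256'; Indicator = $hash; Where = $_.FullName; Label = $KnownHashes[$hash] }
                }
            }
    }
    # DNS client cache: cheap evidence that the script already called out from this host.
    foreach ($entry in Get-DnsClientCache -ErrorAction SilentlyContinue) {
        foreach ($domain in $KnownDomains) {
            if ($entry.Entry -eq $domain -or $entry.Entry -like "*.$domain") {
                [pscustomobject]@{
                    Type      = 'Domain'
                    Indicator = $domain
                    Where     = "DNS cache: $($entry.Entry) -> $($entry.Data)"
                    Label     = 'API endpoint called by Node malware'
                }
            }
        }
    }
}

Find-KnownNodeMalware | Format-Table Type, Label, Where -AutoSize
```

The DNS cache is short-lived, so an empty domain result says nothing about whether the host was infected earlier; the file hashes are the stronger signal, and any hit on a script hash means the scheduled task should be looked for as well.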