{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/deno/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Deno"],"_cs_severities":["high"],"_cs_tags":["javascript","deno","execution"],"_cs_type":"advisory","_cs_vendors":["Deno"],"content_html":"\u003cp\u003eThe Deno runtime environment, designed for JavaScript and TypeScript, can be abused by threat actors to execute malicious scripts. This detection focuses on identifying suspicious command-line arguments used with Deno, specifically those containing base64 encoding, eval, HTTP requests, or JavaScript imports. These patterns are often indicative of malicious intent, where attackers use Deno to stage or execute further attacks, download payloads, or run arbitrary code. This activity has been observed in campaigns like Clickfix and Leaknets, where Deno was used to scale their operations, as reported by Reliaquest.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through an unknown vector (e.g., compromised software, remote service exploitation).\u003c/li\u003e\n\u003cli\u003eThe attacker downloads the Deno runtime executable (\u003ccode\u003edeno.exe\u003c/code\u003e) to the compromised system.\u003c/li\u003e\n\u003cli\u003eThe attacker executes \u003ccode\u003edeno.exe\u003c/code\u003e with a command line containing suspicious patterns such as \u003ccode\u003ebase64\u003c/code\u003e, \u003ccode\u003eeval()\u003c/code\u003e, \u003ccode\u003ehttp\u003c/code\u003e, or \u003ccode\u003eimport\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Deno process interprets the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe JavaScript code performs malicious actions, such as downloading additional payloads from remote HTTP servers.\u003c/li\u003e\n\u003cli\u003eThe downloaded payloads are executed, leading to further compromise of the system.\u003c/li\u003e\n\u003cli\u003eThe attacker establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker performs lateral movement within the network to compromise additional systems and achieve their objectives (e.g., data theft, ransomware deployment).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to arbitrary code execution, system compromise, and potentially lateral movement within the network. Depending on the malicious JavaScript's intent, the impact could range from data exfiltration to ransomware deployment. While the exact number of victims is unknown, the use of Deno in campaigns like Clickfix and Leaknets indicates the potential for widespread impact across various sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon process creation logging to monitor process execution events (Data Source: Sysmon).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect Suspicious JavaScript Execution via Deno\u0026quot; to your SIEM to identify Deno processes with suspicious command-line arguments.\u003c/li\u003e\n\u003cli\u003eImplement application control policies to restrict the execution of unauthorized software, including Deno if it is not a standard tool in your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any identified malicious domains or IPs used in the Deno command line (references).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-deno-suspicious-javascript/","summary":"This rule detects the execution of JavaScript via Deno with suspicious command-line patterns such as base64, eval, http, or javascript import, which attackers may abuse to run malicious JavaScript for execution or staging.","title":"Suspicious JavaScript Execution via Deno","url":"https://feed.craftedsignal.io/briefs/2024-01-deno-suspicious-javascript/"}],"language":"en","title":"CraftedSignal Threat Feed - Deno","version":"https://jsonfeed.org/version/1.1"}