Inside a Deno-Based Proxy and RAT
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
An attacker deployed a modular Remote Access Trojan (RAT) and proxy framework built on the Deno JavaScript runtime. The attack used mailbombing and Microsoft Teams impersonation to get the victim to download a malicious archive. The implant consists of several modular JavaScript files that rely on specific Deno permission flags to perform C2 communication, local command execution, and network pivoting.
Investigation
The investigation revealed an initial access phase consisting of email flooding and social engineering via Microsoft Teams. The malware was identified as a non-traditional, modular Deno-based system split into four scripts: app.js, back.js, helper.js, and webui.js. Detection occurred during post-exploitation reconnaissance activities rather than the initial execution.
Mitigation
Organizations should monitor for the execution of scripting runtimes like Deno from user-writable directories and alert on suspicious permission flags such as --allow-run or --allow-net. Monitoring for local loopback HTTP services and correlating Teams impersonation alerts with email anomalies is also recommended. Additionally, restricting the ability to run unsigned or unapproved runtimes reduces the attack surface.
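As an added example (not code from this page or from the incident telemetry), the monitoring described above expressed as a small triage over Sysmon-style process_creation events: the sample events, the list of user-writable path prefixes and the two-indicator threshold are constructed assumptions, and -A is included because it is Deno's shorthand for --allow-all.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon-style process_creation events (not from the incident).
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\user.name\AppData\Roaming\DenoJSEnv\deno.exe",
     "CommandLine": r'"C:\Users\user.name\AppData\Roaming\DenoJSEnv\deno.exe" run --allow-run --allow-net app.js',
     "ParentImage": r"C:\Windows\System32\conhost.exe"},
    {"Image": r"C:\Program Files\deno\deno.exe",
     "CommandLine": r'"C:\Program Files\deno\deno.exe" run --allow-read build.ts',
     "ParentImage": r"C:\Windows\System32\WindowsTerminal.exe"},
    {"Image": r"C:\Users\user.name\Downloads\deno.exe",
     "CommandLine": r"deno.exe run -A webui.js",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Assumed set of user-writable locations a developer install would not normally use.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|Temp|ProgramData)\\", re.I)
# Flags that let a script run commands or talk to the network; -A grants everything.
RISKY_FLAGS = re.compile(r"(?<!\S)(--allow-run|--allow-net|--allow-all|-A)(?!\S)")

def score_event(ev):
    """Return the reasons an event matches the Deno RAT pattern; empty means benign."""
    reasons = []
    if PureWindowsPath(ev["Image"]).name.lower() != "deno.exe":
        return reasons
    if USER_WRITABLE.search(ev["Image"]):
        reasons.append("deno.exe under a user-writable directory")
    flags = sorted(set(RISKY_FLAGS.findall(ev["CommandLine"])))
    if flags:
        reasons.append("risky permission flags: " + " ".join(flags))
    if PureWindowsPath(ev["ParentImage"]).name.lower() == "conhost.exe":
        reasons.append("spawned via conhost.exe (console-hiding pattern)")
    return reasons

def triage(events):
    """Map command line -> reasons, keeping only events with two or more indicators."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:
            hits[ev["CommandLine"]] = reasons
    return hits

if __name__ == "__main__":
    for cmd, why in triage(SAMPLE_EVENTS).items():
        print(cmd, "->", "; ".join(why))
```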
Response
Upon detection, responders should isolate affected hosts and investigate the source of the Teams impersonation. Analysis should focus on the Deno process lineage and any local services bound to loopback ports 10021 or 10022. Reviewing Microsoft 365 Unified Audit Logs for TeamsImpersonationDetected events is critical for determining the scope of the social engineering campaign.
graph TB
    %% Class Definitions Section
    classDef action fill:#99ccff
    classDef builtin fill:#cccccc
    classDef malware fill:#ff9999
    classDef discovery fill:#ccffcc
    classDef command_control fill:#ffff99

    %% Initial Attack Phase
    attack_email_bombing["<b>Action</b> - <b>T1667 Email Bombing</b><br/>Description: High-volume email campaign<br/>used to create user fatigue and confusion."]
    class attack_email_bombing action
    attack_social_eng["<b>Action</b> - <b>T1684.001 Social Engineering: Impersonation</b><br/>Description: Pretending to be IT support via<br/>Microsoft Teams calls to build credibility."]
    class attack_social_eng action
    attack_user_exec["<b>Action</b> - <b>T1204.002 User Execution: Malicious File</b><br/>Description: Victim downloads and extracts<br/>a malicious archive."]
    class attack_user_exec action
    file_malicious_archive["<b>File</b>: patch09913.b<br/>Description: Malicious archive containing<br/>the Deno-based malware framework."]
    class file_malicious_archive builtin

    %% Malware Framework Execution
    malware_deno_framework["<b>Malware</b>: Deno-based Framework<br/>Description: Modular malware using app.js<br/>as an orchestrator."]
    class malware_deno_framework malware
    module_app_js["<b>Module</b>: app.js<br/>Description: Orchestrator using JavaScript<br/>to launch specialized modules."]
    class module_app_js malware
    action_js_interpreter["<b>Action</b> - <b>T1059.007 Command and Scripting Interpreter: JavaScript</b><br/>Description: Used by app.js to launch modules."]
    class action_js_interpreter action
    action_hide_artifacts["<b>Action</b> - <b>T1564.011 Hide Artifacts: Ignore Process Interrupts</b><br/>Description: Uses conhost.exe --headless to<br/>suppress console windows."]
    class action_hide_artifacts action

    %% Persistence Phase
    module_back_js["<b>Module</b>: back.js<br/>Description: Handles persistence and C2."]
    class module_back_js malware
    action_persistence["<b>Action</b> - <b>T1037.004 Boot or Logon Initialization Scripts: RC Scripts</b><br/>Description: Modifies Windows Registry key<br/>HKCU\Software\Microsoft\Windows\CurrentVersion\Run."]
    class action_persistence action

    %% Discovery Phase
    module_helper_js["<b>Module</b>: helper.js<br/>Description: Performs system enumeration."]
    class module_helper_js malware
    action_process_discovery["<b>Action</b> - <b>T1057 Process Discovery</b><br/>Description: Executes tasklist to find running processes."]
    class action_process_discovery discovery
    action_sys_info_discovery["<b>Action</b> - <b>T1082 System Information Discovery</b><br/>Description: Executes ipconfig /all and set to<br/>gather network and environment details."]
    class action_sys_info_discovery discovery

    %% C2 and Pivoting Phase
    action_c2_protocol["<b>Action</b> - <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/>Description: Maintains a persistent WebSocket<br/>connection to a CloudFront C2 endpoint."]
    class action_c2_protocol command_control
    module_webui_js["<b>Module</b>: webui.js<br/>Description: Facilitates internal network movement."]
    class module_webui_js malware
    action_proxy_pivoting["<b>Action</b> - <b>T1090 Proxy (Internal Pivoting)</b><br/>Description: Acts as an access broker to route<br/>TCP traffic into the internal network."]
    class action_proxy_pivoting command_control

    %% Connections
    attack_email_bombing -->|creates confusion for| attack_social_eng
    attack_social_eng -->|leads to| attack_user_exec
    attack_user_exec -->|involves| file_malicious_archive
    file_malicious_archive -->|executes| malware_deno_framework
    malware_deno_framework -->|orchestrated by| module_app_js
    module_app_js -->|uses| action_js_interpreter
    module_app_js -->|implements| action_hide_artifacts
    module_app_js -->|launches| module_back_js
    module_app_js -->|launches| module_helper_js
    module_app_js -->|launches| module_webui_js
    module_back_js -->|performs| action_persistence
    module_back_js -->|establishes| action_c2_protocol
    module_helper_js -->|performs| action_process_discovery
    module_helper_js -->|performs| action_sys_info_discovery
    module_webui_js -->|performs| action_proxy_pivoting
Attack Flow
Detections
- Possible Persistence Points [ASEPs - Software/NTUSER Hive] (via registry_event)
- Possible Persistence Points [ASEPs - Software/NTUSER Hive] (via cmdline)
- Possible Deno Runtime Abusing Attempt (via process_creation)
- Possible System Network Configuration Discovery (via cmdline)
- LOLBAS Conhost (via cmdline)
- IOCs (HashSha256) to detect: Anatomy of a Deno-Based Proxy & RAT
- Detect Deno Executing Command Shell Commands [Windows Sysmon]
- Detect Deno-Based RAT Execution with Suspicious Permission Flags [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
- Attack Narrative & Commands: The adversary has successfully delivered a malicious Deno-based RAT to the victim's machine via a spearphishing attachment (T1566.004). To evade traditional signature-based AV, the attacker hides the Deno binary within a deep, non-standard subdirectory of the user's roaming profile: C:\Users\user.name\AppData\Roaming\DenoJSEnv. The attacker then executes the binary with the --allow-run and --allow-net flags. This allows the JavaScript-based malware to execute arbitrary shell commands for system discovery (T1082) and communicate with an external C2 server over HTTPS (T1071.001).
- Regression Test Script:

  # Note: This script simulates the existence of the directory and binary
  # to trigger the rule logic. In a real test, the file must exist at the exact path.
  $targetDir = "C:\Users\user.name\AppData\Roaming\DenoJSEnv"
  $targetExe = "$targetDir\deno.exe"

  # 1. Create the specific directory structure required by the detection rule
  if (!(Test-Path $targetDir)) {
      New-Item -ItemType Directory -Force -Path $targetDir
  }

  # 2. Create a dummy file to act as the 'deno.exe'
  # In a real simulation, this would be the actual Deno binary.
  New-Item -ItemType File -Force -Path $targetExe

  # 3. Execute the 'malicious' command
  # We use Start-Process to ensure it appears as a child process in Sysmon logs.
  # Since 'deno.exe' is a dummy, we will call 'cmd.exe' but masquerade the command
  # string to match the logic, OR if testing the ACTUAL rule, ensure the binary
  # is real and call it. For this simulation, we assume the user provides a
  # real Deno binary at that path.
  Write-Host "[!] Simulating execution of $targetExe with malicious flags..."
  Start-Process -FilePath "cmd.exe" -ArgumentList "/c echo Simulation Triggering Rule..."

  # Note: To truly trigger the rule, the actual deno.exe must be present.
  # If the rule is strictly looking for the Image path, the binary MUST be there.
  # For the sake of a functional simulation script, we call the path:
  # Start-Process -FilePath $targetExe -ArgumentList "--allow-run --allow-net"
- Cleanup Commands:

  # Remove the simulated malicious directory and files
  Remove-Item -Path "C:\Users\user.name\AppData\Roaming\DenoJSEnv" -Recurse -Force
  Write-Host "[+] Cleanup complete."