SOC Prime Bias: High

17 Jun 2026 13:09 UTC

Inside a Deno-Based Proxy and RAT

Author Photo
SOC Prime Team linkedin icon Follow
Inside a Deno-Based Proxy and RAT
shield icon

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

An attacker deployed a modular Remote Access Trojan (RAT) and proxy framework leveraging the Deno JavaScript runtime. The attack utilized mailbombing and Microsoft Teams impersonation to facilitate the download of a malicious archive. The implant operates via multiple modular JavaScript files that use specific Deno permission flags to perform C2 communication, local command execution, and network pivoting.

Investigation

The investigation revealed an initial access phase consisting of email flooding and social engineering via Microsoft Teams. The malware was identified as a non-traditional, modular Deno-based system split into four scripts: app.js, back.js, helper.js, and webui.js. Detection occurred during post-exploitation reconnaissance activities rather than the initial execution.

Mitigation

Organizations should monitor for the execution of scripting runtimes like Deno from user-writable directories and alert on suspicious permission flags such as –allow-run or –allow-net. Implementing monitoring for local loopback HTTP services and correlation of Teams impersonation alerts with email anomalies is recommended. Additionally, restricting the ability to run unsigned or unapproved runtimes can reduce the attack surface.

Response

Upon detection, responders should isolate affected hosts and investigate the source of the Teams impersonation. Analysis should focus on the Deno process lineage and any local services bound to loopback ports 10021 or 10022. Reviewing Microsoft 365 Unified Audit Logs for TeamsImpersonationDetected events is critical for determining the scope of the social engineering campaign.

Attack Flow

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary has successfully delivered a malicious Deno-based RAT to the victim’s machine via a spearphishing attachment (T1566.004). To evade traditional signature-based AV, the attacker hides the Deno binary within a deep, non-standard subdirectory of the user’s roaming profile: C:Usersuser.nameAppDataRoamingDenoJSEnv. The attacker then executes the binary using the --allow-run and --allow-net flags. This allows the JavaScript-based malware to execute arbitrary shell commands for system discovery (T1082) and communicate with an external C2 server over HTTPS (T1071.001).

  • Regression Test Script:

    # Note: This script simulates the existence of the directory and binary 
    # to trigger the rule logic. In a real test, the file must exist at the exact path.
    
    $targetDir = "C:Usersuser.nameAppDataRoamingDenoJSEnv"
    $targetExe = "$targetDirdeno.exe"
    
    # 1. Create the specific directory structure required by the detection rule
    if (!(Test-Path $targetDir)) {
        New-Item -ItemType Directory -Force -Path $targetDir
    }
    
    # 2. Create a dummy file to act as the 'deno.exe'
    # In a real simulation, this would be the actual Deno binary.
    New-Item -ItemType File -Force -Path $targetExe
    
    # 3. Execute the 'malicious' command
    # We use Start-Process to ensure it appears as a child process in Sysmon logs.
    # Since 'deno.exe' is a dummy, we will call 'cmd.exe' but masquerade the command 
    # string to match the logic, OR if testing the ACTUAL rule, ensure the binary 
    # is real and call it. For this simulation, we assume the user provides a 
    # real Deno binary at that path.
    
    Write-Host "[!] Simulating execution of $targetExe with malicious flags..."
    Start-Process -FilePath "cmd.exe" -ArgumentList "/c echo Simulation Triggering Rule..." 
    # Note: To truly trigger the rule, the actual deno.exe must be present.
    # If the rule is strictly looking for the Image path, the binary MUST be there.
    # For the sake of a functional simulation script, we call the path:
    # Start-Process -FilePath $targetExe -ArgumentList "--allow-run --allow-net"
  • Cleanup Commands:

    # Remove the simulated malicious directory and files
    Remove-Item -Path "C:Usersuser.nameAppDataRoamingDenoJSEnv" -Recurse -Force
    Write-Host "[+] Cleanup complete."