Cyber Security News

Beware of Fake Online Speedtest Application With Obfuscated JS Codes

A sophisticated malware campaign has emerged that leverages fake online speed test applications to deploy obfuscated JavaScript payloads on Windows systems.

These malicious utilities masquerade as legitimate network speed testing tools, manual readers, PDF utilities, and various search frontends to deceive unsuspecting users into installing dangerous code that operates covertly in the background.

The attack begins when users download what appears to be a functional speed testing application from compromised or malicious domains such as onlinespeedtestservice[.]com.

Upon installation, the application delivers its advertised functionality, creating a false sense of security while simultaneously deploying a hidden Node.js runtime environment alongside heavily obfuscated JavaScript files.

The visible executable performs as expected, maintaining the user’s trust while the malicious components establish themselves within the system.

Security Magic analysts identified that these applications are packaged using Inno-Packer installers, which bundle legitimate functionality with malicious components including a portable Node runtime, scheduled task configurations, and obfuscated JavaScript payloads that serve no purpose for the application’s primary function.

The malware operates independently from the main executable, significantly expanding the attack surface and providing threat actors with persistent access to compromised systems.

Obfuscated JS (Source – Security Magic)

The infection establishes persistence through scheduled tasks that execute the malicious JavaScript payload approximately every 12 hours.

This JavaScript component maintains encrypted communications with command and control servers, specifically cloud.appusagestats.com, and possesses the capability to execute arbitrary code delivered by remote servers.

The malware queries system information including the Windows registry key HKLM\Software\Microsoft\Cryptography\MachineGuid to gather machine identification data for transmission to attackers.
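The persistence mechanism above (a scheduled task that launches a bundled Node runtime against a JavaScript file every 12 hours) leaves a recognisable footprint in the task definition itself. The following triage script is an added example, not code from the article or from Security Magic: it reads scheduled-task XML of the form `schtasks /query /xml` produces and scores each task on the traits the article describes. The task definitions, task names and file paths below are constructed for illustration, not the campaign's real artifacts.

```javascript
// Added example (not from the article): heuristic triage of Windows Scheduled
// Task XML exports for a bundled Node.js runtime that re-runs a .js payload.
// All task XML below is constructed; names and paths are invented.
const SAMPLE_TASK_XML = [
  // Constructed: node.exe from a user-writable folder, .js argument, 12-hour repetition.
  `<Task><RegistrationInfo><URI>\\SpeedTestUpdater</URI></RegistrationInfo>
   <Triggers><TimeTrigger><Repetition><Interval>PT12H</Interval></Repetition>
   <StartBoundary>2024-01-01T00:00:00</StartBoundary></TimeTrigger></Triggers>
   <Actions><Exec><Command>C:\\Users\\alice\\AppData\\Local\\SpeedTest\\node.exe</Command>
   <Arguments>"C:\\Users\\alice\\AppData\\Local\\SpeedTest\\svc.js"</Arguments></Exec></Actions></Task>`,
  // Constructed: an ordinary built-in maintenance task.
  `<Task><RegistrationInfo><URI>\\Microsoft\\Windows\\Defrag\\ScheduledDefrag</URI></RegistrationInfo>
   <Triggers><CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
   <Actions><Exec><Command>%windir%\\system32\\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions></Task>`,
  // Constructed: a developer's build task using a normally installed Node.js.
  `<Task><RegistrationInfo><URI>\\DevBuild</URI></RegistrationInfo>
   <Triggers><LogonTrigger/></Triggers>
   <Actions><Exec><Command>C:\\Program Files\\nodejs\\node.exe</Command><Arguments>build.js</Arguments></Exec></Actions></Task>`,
];

// Minimal element extractor; enough for the flat elements we care about.
function tag(xml, name) {
  const m = xml.match(new RegExp(`<${name}>([^<]*)</${name}>`));
  return m ? m[1] : "";
}

function parseTask(xml) {
  return {
    name: tag(xml, "URI"),
    command: tag(xml, "Command"),
    args: tag(xml, "Arguments"),
    interval: tag(xml, "Interval"), // ISO 8601 duration, e.g. PT12H
  };
}

// Locations a standard user can write to without elevation.
const USER_WRITABLE = /\\(AppData|ProgramData|Temp|Users\\[^\\]+\\Downloads)\\/i;

// Each matching trait adds a reason; three or more marks the task for review.
function triageTask(task) {
  const reasons = [];
  if (task.command.toLowerCase().endsWith("node.exe")) reasons.push("runs a Node.js runtime");
  if (USER_WRITABLE.test(task.command)) reasons.push("runtime lives in a user-writable directory");
  if (/\.js\b/i.test(task.args)) reasons.push("argument is a JavaScript file");
  if (/^PT\d+H$/i.test(task.interval)) reasons.push(`repeats every ${task.interval.slice(2)}`);
  return { name: task.name, suspicious: reasons.length >= 3, reasons };
}

function triageAll(xmlList) {
  return xmlList.map((xml) => triageTask(parseTask(xml)));
}

console.log(JSON.stringify(triageAll(SAMPLE_TASK_XML), null, 2));
```

The threshold is deliberately set so that a developer's build task using a system-wide Node.js install (two traits) is not flagged, while a portable runtime dropped under AppData that re-runs a script on a fixed interval (four traits) is.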

Advanced Obfuscation and Command Execution Mechanisms

The JavaScript payload employs sophisticated obfuscation techniques that conceal its true purpose from security analysis.

Researchers discovered that the obfuscated code contains encoded strings that can be decoded by patching the return statement of the decode function.

When decoded, the JavaScript reveals its communication protocol with the command and control infrastructure. The malware transmits JSON-formatted data containing version information, system identifiers, and capability flags.

Analysis of network communications shows the payload can receive and execute PowerShell commands, with researchers observing test executions that displayed message boxes through Windows Forms assemblies.

The command execution mechanism uses the Node.js child_process module to spawn system processes, enabling arbitrary code execution with the user's privileges while maintaining stealth through hidden window modes and no-profile PowerShell executions.
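The spawn chain described above, a Node runtime launching PowerShell with a hidden window and no profile, is visible in process-creation telemetry. The following rule is an added example, not from the article: it scores Sysmon-style process-creation events (parent image, image, command line) and alerts when `node.exe` launches `powershell.exe` with those switches, weighting the case where the runtime sits in a user-writable path. The events below are constructed; paths and command lines are invented placeholders.

```javascript
// Added example (not from the article): detection over constructed
// process-creation events for node.exe spawning hidden, no-profile PowerShell.
const SAMPLE_EVENTS = [
  { // Constructed: portable node.exe under AppData launching a hidden PowerShell.
    parentImage: "C:\\Users\\alice\\AppData\\Local\\SpeedTest\\node.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell.exe -NoProfile -WindowStyle Hidden -Command \"Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('test')\"",
  },
  { // Constructed: a user-launched backup script; parent is Explorer, not Node.
    parentImage: "C:\\Windows\\explorer.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
  },
  { // Constructed: a build tool; Node spawns cmd.exe, not PowerShell.
    parentImage: "C:\\Program Files\\nodejs\\node.exe",
    image: "C:\\Windows\\System32\\cmd.exe",
    commandLine: "cmd /c npm run build",
  },
  { // Constructed: system-wide Node using abbreviated hidden/no-profile switches.
    parentImage: "C:\\Program Files\\nodejs\\node.exe",
    image: "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    commandLine: "powershell.exe -nop -w hidden -c \"Get-Date\"",
  },
];

const baseName = (p) => p.split(/[\\\/]/).pop().toLowerCase();
const USER_WRITABLE = /\\(AppData|ProgramData|Temp)\\/i;
// PowerShell accepts unambiguous prefixes of its switches, so match both the
// full and the shortened forms (-WindowStyle Hidden / -w hidden, -NoProfile / -nop).
const HIDDEN_WINDOW = /-w(?:indowstyle)?\s+h(?:idden)?\b/i;
const NO_PROFILE = /-nop(?:rofile)?\b/i;

// Alert when node.exe spawns powershell.exe and at least one stealth trait is present.
function scoreEvent(ev) {
  const reasons = [];
  if (baseName(ev.parentImage) !== "node.exe" || baseName(ev.image) !== "powershell.exe") {
    return { alert: false, reasons };
  }
  reasons.push("node.exe spawned powershell.exe");
  if (HIDDEN_WINDOW.test(ev.commandLine)) reasons.push("hidden window requested");
  if (NO_PROFILE.test(ev.commandLine)) reasons.push("profile loading suppressed");
  if (USER_WRITABLE.test(ev.parentImage)) reasons.push("node.exe runs from a user-writable path");
  return { alert: reasons.length >= 2, reasons };
}

function scoreAll(events) {
  return events.map(scoreEvent);
}

console.log(JSON.stringify(scoreAll(SAMPLE_EVENTS), null, 2));
```

The parent/child pairing does the heavy lifting: a hidden, no-profile PowerShell launched from Explorer or a terminal is common enough to be noise on its own, whereas the same command line with a Node.js parent is rare outside this kind of bundled-runtime tooling.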


Tushar Subhra Dutta
