DinDoor Backdoor - Abusing Deno Runtime for Stealthy Attacks

The DinDoor backdoor abuses the legitimate Deno JavaScript runtime, delivered through MSI packages, to run its payload from a trusted process and evade detection. Organizations should treat unexpected deno.exe execution as a high-priority alert and tighten application control.

Malware & Ransomware · Severity: HIGH

Original Reporting: Cyber Security News · Tushar Subhra Dutta

AI Summary: CyberPings AI · Reviewed by Rohit Rana

🎯 In short: DinDoor is a backdoor that runs inside the legitimate Deno runtime, so to security tools it looks like trusted software.

What Happened

A newly discovered backdoor named DinDoor uses the legitimate Deno JavaScript runtime and Windows Installer (MSI) packages to get onto systems undetected. The malware has been associated with the Tsundere Botnet and is built to evade traditional security controls by running inside a runtime that many environments already trust or allowlist.

How It Works

DinDoor reaches victims mainly through phishing emails or malicious downloads posing as MSI installers. When the installer runs, it downloads the Deno runtime from Deno's official distribution endpoint; because Deno ships as a single executable that needs no system-wide installation, this works without administrator privileges. The malware then runs obfuscated JavaScript under Deno to profile the victim's machine and talk to its command-and-control (C2) servers.

Who's Being Targeted

The malware has been linked to the Iranian APT group Seedworm, also known as MuddyWater, which has a history of targeting organizations in the United States. DinDoor is particularly dangerous in environments where Deno is already allowlisted for developers, since the malicious activity then runs under a binary that application control and EDR policy have been told to trust.

Signs of Infection

Indicators of compromise include deno.exe spawned as a child process of powershell.exe or wscript.exe, deno.exe command lines that do not match known developer usage, and a deno.exe process listening on a TCP port bound to localhost.
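The following is an added example, not code from the original article or from any DinDoor report: a small detector that walks constructed, Sysmon-like process-creation and socket-listen events and flags the three indicators above. The event schema (`type`, `pid`, `image`, `parent_image`, `cmdline`, `local_addr`, `local_port`) and the sample records are made up for this example; real telemetry fields will differ. The command-line heuristic (flagging `-A`/`--allow-all` or an http(s) entry point) is an assumption about what "unusual" looks like, not a pattern published for DinDoor.

```python
import ntpath
from collections import defaultdict
from dataclasses import dataclass

# Parent images the article names as suspicious for deno.exe.
SUSPICIOUS_PARENTS = {"powershell.exe", "wscript.exe"}
LOOPBACK_ADDRS = {"127.0.0.1", "::1"}


@dataclass(frozen=True)
class Finding:
    pid: int
    indicator: str
    detail: str


def image_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return ntpath.basename(path).lower()


def suspicious_cmdline(cmdline: str) -> bool:
    """Heuristic (an assumption of this example, not a published DinDoor
    pattern): deno.exe asked for all permissions (-A / --allow-all) or was
    given an http(s) URL as its entry point."""
    tokens = cmdline.split()
    lower = [t.lower() for t in tokens]
    return ("-A" in tokens or "--allow-all" in lower
            or any(t.startswith(("http://", "https://")) for t in lower))


def scan(events):
    """Single pass over time-ordered events; returns a list of Finding."""
    image_by_pid = {}
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            img = image_name(ev["image"])
            image_by_pid[ev["pid"]] = img
            if img != "deno.exe":
                continue
            parent = image_name(ev["parent_image"])
            if parent in SUSPICIOUS_PARENTS:
                findings.append(Finding(ev["pid"], "deno_child_of_script_host",
                                        f"{parent} -> deno.exe"))
            if suspicious_cmdline(ev["cmdline"]):
                findings.append(Finding(ev["pid"], "deno_suspicious_cmdline",
                                        ev["cmdline"]))
        elif ev["type"] == "listen":
            # deno.exe listening on loopback: the article describes DinDoor
            # binding a localhost TCP port as its re-infection guard.
            if (image_by_pid.get(ev["pid"]) == "deno.exe"
                    and ev["local_addr"] in LOOPBACK_ADDRS):
                findings.append(Finding(ev["pid"], "deno_loopback_listener",
                                        f"{ev['local_addr']}:{ev['local_port']}"))
    return findings


def summarize(findings):
    """Map pid -> set of indicator names, for triage."""
    by_pid = defaultdict(set)
    for f in findings:
        by_pid[f.pid].add(f.indicator)
    return dict(by_pid)


# Constructed sample telemetry (not real logs): an MSI -> PowerShell -> Deno
# chain, followed by a developer running a local Deno dev server.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"powershell.exe -w hidden -ep bypass -f C:\Users\u\AppData\Local\Temp\inst.ps1"},
    {"type": "process_create", "pid": 5208,
     "image": r"C:\Users\u\.deno\bin\deno.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"deno.exe run -A C:\Users\u\AppData\Local\Temp\main.js"},
    {"type": "listen", "pid": 5208, "local_addr": "127.0.0.1", "local_port": 49721},
    {"type": "process_create", "pid": 6001,
     "image": r"C:\Users\dev\.deno\bin\deno.exe",
     "parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "cmdline": r"deno.exe run --allow-net server.ts"},
    {"type": "listen", "pid": 6001, "local_addr": "127.0.0.1", "local_port": 8000},
]

if __name__ == "__main__":
    for pid, inds in sorted(summarize(scan(SAMPLE_EVENTS)).items()):
        print(pid, sorted(inds))
```

On the sample data the infected process (pid 5208) trips all three indicators, while the developer's dev server (pid 6001) trips only the loopback-listener one. That is the practical caveat: a localhost listener from deno.exe is normal on a developer host, so on its own it should raise priority only when combined with a script-host parent or an odd command line; on hosts where Deno is not expected at all, any deno.exe process-creation event is the alert.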

How to Protect Yourself

Organizations should restrict MSI execution through AppLocker or Windows Defender Application Control, and where Deno is legitimately used, scope the allow rule to developer hosts rather than allowlisting deno.exe everywhere. Monitoring HTTP logs for suspicious headers and blocking known malicious domains also help. Any unexpected execution of deno.exe should be treated as a high-priority alert.

Technical Details

DinDoor operates by executing a PowerShell script that installs Deno if it is not already present. The malware then runs its payload entirely in memory, which defeats file-based scanning. It binds a TCP listener on localhost and uses it as a single-instance guard: a second copy that cannot bind the port knows the host is already infected and does not reinstall. It also builds a unique fingerprint for each victim and sends it with every C2 request.

Conclusion

The emergence of DinDoor highlights the ongoing challenges in cybersecurity, especially as threat actors continue to innovate and exploit legitimate software to bypass defenses. Organizations must adopt proactive measures to protect against such stealthy threats and ensure their security protocols are robust enough to detect and respond to these evolving tactics.

🔒 Pro Insight

DinDoor's use of a legitimate runtime exemplifies a growing trend in malware evasion tactics: trusted or allowlisted binaries need the same behavioural scrutiny as anything else.
