A newly discovered backdoor, known as DinDoor, has been identified that uses the legitimate Deno JavaScript runtime together with MSI installer files to evade detection and infiltrate targeted systems. This sophisticated malware, a variant of the Tsundere Botnet, runs on a signed runtime environment rather than a traditional compiled implant, which complicates detection in networks where Deno is either allowlisted or not closely monitored.
How DinDoor Infiltrates Systems
DinDoor is primarily distributed via phishing emails or malicious drive-by downloads masquerading as MSI files. Upon execution, these files download the Deno runtime from its official endpoint, dl.deno[.]land, circumventing the need for administrative privileges. Subsequently, the malware executes obfuscated JavaScript to gather system information, establish contact with its command-and-control (C2) infrastructure, and download further payloads.
Research conducted by Hunt.io, which analyzed samples uploaded to public databases, found significant behavioral differences between the DinDoor variants despite their shared execution model. Their investigation showed that a single HuntSQL query keyed on DinDoor's HTTP response identified 20 active C2 servers spread across 15 autonomous systems at the time of their report.
Connections to Broader Threat Networks
Further analysis linked DinDoor’s activities to the Iranian APT group Seedworm, also recognized as MuddyWater, which has a history of targeting U.S. organizations. The malware’s association with a larger threat framework is alarming, with the C2 domain serialmenot[.]com being used by various ransomware operators and state-sponsored entities. Research from JUMPSEC correlated this domain with TAG-150, a group deploying it as a backend for a malware family named CastleLoader, with which DinDoor exhibits behavioral similarities.
Understanding DinDoor’s execution chain reveals its deliberate design to evade detection. One sample, migcredit.pdf.msi, uses msiexec.exe to drop a PowerShell script, launching it with hidden window flags and bypassing execution policy enforcement. The script checks for the presence of deno.exe, installing it if necessary, and decodes a base64-encoded JavaScript payload for execution.
Security Recommendations and Future Outlook
Security professionals are advised to treat any unexpected execution of deno.exe spawned by powershell.exe or wscript.exe as a high-priority alert. Organizations should restrict MSI execution using AppLocker or Windows Defender Application Control to mitigate DinDoor's primary delivery vector. Monitoring for command-line patterns such as deno.exe -A data:application/javascript;base64 and for TCP binds on specific localhost ports can aid in detecting infections.
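The following is an added detection example, written for this page rather than taken from the article or from Hunt.io. It scores process-creation events against the chain described above (msiexec.exe dropping a hidden PowerShell stage, then deno.exe launched by a script host or with an inline base64 JavaScript data: URL); the field names follow Sysmon Event ID 1 and the sample events are constructed, both of which are assumptions.

```python
# Added example (not from the article or Hunt.io): score process-creation events
# against the DinDoor chain. Field names follow Sysmon Event ID 1 (an assumption).
import re
from typing import Dict, List, Optional, Tuple

SCRIPT_HOSTS = {"powershell.exe", "wscript.exe"}
# Command-line pattern quoted in the report: deno.exe -A data:application/javascript;base64
DATA_URL_RE = re.compile(r"(^|\s)-A\s+data:application/javascript;base64", re.I)
# msiexec -> powershell started with a hidden window and/or execution policy bypassed
HIDDEN_PS_RE = re.compile(r"-(WindowStyle\s+Hidden|ExecutionPolicy\s+Bypass)", re.I)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> Optional[str]:
    """Return a finding for one process-creation event, or None if unremarkable."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "")
    if image == "deno.exe":
        if DATA_URL_RE.search(cmdline):
            return "high: deno.exe running inline base64 JavaScript"
        if parent in SCRIPT_HOSTS:
            return f"high: deno.exe spawned by {parent}"
        return None  # e.g. a developer running deno from Explorer or a shell
    if image == "powershell.exe" and parent == "msiexec.exe" and HIDDEN_PS_RE.search(cmdline):
        return "medium: msiexec.exe launched a hidden PowerShell stage"
    return None

def scan(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Run classify() over a batch; return (index, finding) for each hit."""
    return [(i, f) for i, f in enumerate(map(classify, events)) if f]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\Public\stage.ps1"},
    {"Image": r"C:\Users\Public\deno\deno.exe", "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "deno.exe -A data:application/javascript;base64,Y29uc29sZS5sb2coMSk="},
    {"Image": r"C:\Users\dev\.deno\bin\deno.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "deno.exe run --allow-net main.ts"},
    {"Image": r"C:\Users\Public\deno\deno.exe", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"deno.exe run C:\Users\Public\loader.js"},
]
```

The third sample (deno.exe launched from Explorer with ordinary arguments) is deliberately left unflagged so that allowlisted developer use does not page an analyst.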
To bolster defenses, network defenders should review HTTP logs for specific headers and consider blocking known malicious domains and communications with unreliable hosting providers. As the cybersecurity landscape evolves, staying vigilant and implementing proactive measures is crucial in safeguarding against emerging threats like DinDoor.
