implant.js: Building Modular Malware Using the V8 JavaScript Engine

Zander Work (captainGeech)

Modular malware has been around for years, with frameworks like Cobalt Strike and Nighthawk supporting custom user-written modules to extend their implant’s functionality. Malicious threat actors of varying motivations have adopted these techniques as well, such as the ShadowPad malware used by various Chinese espionage groups (as featured in the i-SOON leaks). Most modular frameworks require compiled, OS/architecture-specific plugin code, but some actors, like the Sandman APT group, have adopted Lua for this capability, which provides a bit more flexibility.

In this talk, I will present implant.js, a proof-of-concept modular implant framework written in C++ that uses the V8 JavaScript Engine (which powers nearly all browsers except Firefox) to provide a module execution runtime that prioritizes flexibility and usability for the operators. implant.js enables OS-agnostic modules to be written once and executed across any supported architecture and operating system without pre-compilation, while still enabling access to native code and system library functions for complex functionality.

implant.js will be publicly released as a part of this talk, and I will demonstrate how new research in offensive capabilities can be responsibly released, balancing the innovation value gained from sharing source code against the potential harm it could present.

Speaker Bio:

Zander Work (captainGeech) is a Senior Security Engineer on Mandiant’s Financial Crime team, where he reverse engineers malware, tracks malicious infrastructure, and builds automation systems. At Mandiant, he’s been the primary technical analyst for FIN7 and FIN8, and is the subject matter expert on SYSTEMBC. Besides tracking cybercrime, Zander also works on vulnerability research and exploit development, and is an avid CTF player with OSUSEC. Zander has spoken at multiple conferences on cybercrime, CTI, and vulnerability research, including SLEUTHCON and AppSec PNW. He is a graduate of the Georgetown Security Studies Program and Oregon State University, and holds multiple industry certifications, including OSCE3.
