2026-04-16, Amphitheater
Node.js has become a staple in the malware development toolkit of crimeware authors: malware built on it is easy to develop, trivial to obfuscate and difficult to analyze, with a rich ecosystem of open-source tools such as packers and obfuscators available to threat actors.
This talk introduces a purpose-built, open-source Node.js Tracer designed to cut through the noise by instrumenting the runtime rather than relying on tedious manual source code deobfuscation, ultimately saving precious time for analysts and incident responders. After an overview of the different forms of Node.js malware observable in the wild, the talk reconstructs the malware research that sparked the tool's development, outlines the mechanics of tracing as a dynamic reverse-engineering method, and demonstrates how runtime hooking exposes the malware's real behavior.
Attendees will see, through case studies of several real cases, how the utility neutralizes anti-analysis checks, bypasses obfuscation and speeds up the analysis process. The result is a practical workflow for reverse engineers, malware analysts and incident response teams facing increasingly obfuscated JavaScript-based malware families.
Sven Rath researches the cybercrime ecosystem at Check Point Research. In his spare time, he works on topics such as reverse engineering, malware and Windows kernel rootkits, and blogs about them at https://eversinc33.com