AST-Based Detection of JavaScript Malware Families

Background

While researching GOOTLOADER, I came across an excellent project by Karsten Hahn:
👉 https://github.com/struppigel/hedgehog-tools/tree/main/gootloader
This tool unpacks and extracts C2 infrastructure from GOOTLOADER samples.

At the same time, I was also analyzing other JavaScript-based malware families, including BALADA Injector and Parrot TDS / SocGholish. For dealing with their heavily obfuscated JavaScript payloads, I relied on the powerful deobfuscation tool WebCrack:
👉 https://github.com/j4k0xb/webcrack

This led me to the idea of combining both approaches—detection and deobfuscation—into a single pipeline. The resulting script accepts a JavaScript file, detects the malware family based on Abstract Syntax Tree (AST) patterns, and then applies a family-specific deobfuscation and IOC extraction routine.

Detection Rules

Detection is performed by parsing the input JavaScript into an AST and evaluating against known structural signatures observed in real-world samples. Below are the heuristics used to differentiate malware families.

Gootloader

Identified by the structure of the top-level function declaration:

Root node contains:
- A single argument.
- Argument is of type NumericLiteral.
The function name:
- Has a length ≤ 10 characters.
- Does not contain underscores.

ParrotTDS / SocGholish

Characterized by anti-analysis checks involving typeof and undefined comparisons:

Contains an IfStatement with:
- A strict equality comparison (===).
- Expressions such as:
  - Left-hand side: typeof ndsj or typeof ndsw; Right-hand side: string "undefined".
  - Left-hand side: identifier ndsj or ndsw; Right-hand side: identifier undefined.

Balada injector

Detected through event hooking behavior:

Presence of a CallExpression with:
- Callee name: sgAddEvent
- Arguments:
  1. "window" (string literal)
  2. "sgpbWillOpen" (string literal)
  3. A FunctionExpression type

Evaluation & Results

To validate the approach, I gathered a dataset of confirmed samples for each family from VirusTotal and ran them through the detection and extraction script.

GOOTLOADER Detection Output

gootloader_scn

ParrotTDS / SocGholish Detection Output

parrottds_scn

BALADA Injector Detection Output

balada_scn

Conclusion

This proof-of-concept demonstrates the viability of AST-based heuristics in detecting and triaging obfuscated JavaScript malware. The next steps include expanding detection rules for other families and integrating IOC enrichment from deobfuscated payloads.

Feel free to explore the tools that inspired this project:

Malware Analysis

My attempt at blogging about my experiences in malware analysis