Fakeium: A Dynamic Execution Environment for JavaScript Program Analysis

TL;DR

Fakeium is a lightweight, efficient JavaScript execution environment built on V8 that enhances dynamic analysis capabilities, especially for obfuscated malicious scripts, with minimal overhead and high customizability.

Contribution

It introduces Fakeium, a novel, open-source dynamic analysis environment that overcomes static analysis limitations and enables large-scale, resource-efficient JavaScript program analysis.

Findings

Fakeium detects hidden API calls in obfuscated scripts.

It has negligible execution overhead for large-scale analysis.

Supports hooks for advanced analysis scenarios.

Abstract

The JavaScript programming language, which began as a simple scripting language for the Web, has become ubiquitous, spanning desktop, mobile, and server applications. This increase in usage has made JavaScript an attractive target for nefarious actors, resulting in the proliferation of malicious browser extensions that steal user information and supply chain attacks that target the official Node.js package registry. To combat these threats, researchers have developed specialized tools and frameworks for analyzing the behavior of JavaScript programs to detect malicious patterns. Static analysis tools typically struggle with the highly dynamic nature of the language and fail to process obfuscated sources, while dynamic analysis pipelines take several minutes to run and require more resources per program, making them unfeasible for large-scale analyses. In this paper, we present Fakeium, a novel, open source, and lightweight execution environment designed for efficient, large-scale dynamic analysis of JavaScript programs. Built on top of the popular V8 engine, Fakeium complements traditional static analysis by providing additional API calls and string literals that would otherwise go unnoticed without the need for resource-intensive instrumented browsers or synthetic user input. Besides its negligible execution overhead, our tool is highly customizable and supports hooks for advanced analysis scenarios such as network traffic emulation. Fakeium's flexibility and ability to detect hidden API calls, especially in obfuscated sources, highlights its potential as a valuable tool for security analysts to detect malicious behavior.