Tuesday, June 25, 2024

Developers Beware Of Malicious npm Package Delivers Sophisticated RAT

Hackers have multiple reasons for abusing malicious npm packages, as they can first use popular open-source libraries as a medium for distributing malware or backdoors without the users’ knowledge.

Secondly, allow threat actors to penetrate into developers’ and agencies’ networks and systems who are using these infected packs.

As they could take away confidential information, launch supply chain attacks, or even use those accounts to mine cryptocurrencies. In general, exploiting npm packages is an effective and confidential method of attack for hackers.

Cybersecurity researchers at Phylum recently warned developers about malicious npm packages that deliver sophisticated RAT.

Technical Analysis

Phylum’s automated risk platform recently detected a suspicious npm package named glup-debugger-log which has obfuscated files that act as a dropper and provide remote access.

Some obfuscated files were found in package.json that were executed via build and test scripts.

The entry point for the malicious code was identified to be the bind() method from an obfuscated play.js file after deobfuscating it.

Function bind() exports code that produces a random number and then asynchronously executes start() and share().

Start() gets some configuration information which includes hard-coded empty strings for keys “p” and “pv”.

It then makes environment verifications through the use of checkEnv function to decide whether or not the malware should be sent out.

These checks consist of network interface verification, Windows OS check, and ensuring the developer’s desktop folder has at least 7 programs, most likely directed at active developers’ machines.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

If all of these tests are successful, the code will attempt to run the command locally, or download and run a remote payload and maintain a background script that provides remote access.

The code does extra checks compared to the initial environment checks. The code can be defined as a “match” key that can target specific machines through either MAC addresses or IPs.

It permits only Windows systems and must have at least 7 things in the user’s Desktop folder, indicating probably that it is an active developer machine.

After a successful checkup, it runs a command locally by means of decoding an already hardcoded Base64 string to “cmd.exe” or “downloads” a remote payload from the URL given.

Moreover, even after the main process exits, it runs another separate script that remains persistent for further malicious activities.

The attacker seems to be interested in developers’ systems for compromise in this way.

The hidden play-share.js sets up an HTTP server on port 3004. Sending a query with “cmd” through this means the attacker can command execution on the compromised system.

It uses child_process to execute the specified command and then returns the output of that command.

Alongside the main dropper, it makes it possible to have remote code execution since it is simple but powerful enough to make something of a crude RAT.

While written in JavaScript, some modularity, stealth, environment targeting, and obfuscation techniques are used.

This shows how attackers evolve malware development in open-source ecosystems.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo 


Latest articles

Hackers Attacking Windows IIS Server to Upload Web Shells

Windows IIS Servers often host critical web applications and services that provide a gateway...

WikiLeaks Founder Julian Assange Released in Stunning Deal with U.S.

WikiLeaks founder Julian Assange has been released from prison after reaching a deal with...

Four Members of FIN9 Hackers Charged for Attacking U.S. Companies

Four Vietnamese nationals have been charged for their involvement in a series of computer...

BREAKING: NHS England’s Synnovis Hit by Massive Cyber Attack

In a shocking development, the NHS has revealed that it was the victim of...

Threat Actor Claiming a 0-day in Linux LPE Via GRUB bootloader

A new threat actor has emerged, claiming a zero-day vulnerability in the Linux GRUB...

LockBit Ransomware Group Claims Hack of US Federal Reserve

The notorious LockBit ransomware group has claimed responsibility for hacking the U.S. Federal Reserve,...

Microsoft Power BI Vulnerability Let Attackers Access Organizations Sensitive Data

A vulnerability in Microsoft Power BI allows unauthorized users to access sensitive data underlying...
Tushar Subhra Dutta
Tushar Subhra Dutta
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles