Developers Beware Of Malicious npm Package Delivers Sophisticated RAT

Hackers have multiple reasons for abusing malicious npm packages, as they can first use popular open-source libraries as a medium for distributing malware or backdoors without the users’ knowledge.

Secondly, allow threat actors to penetrate into developers’ and agencies’ networks and systems who are using these infected packs.

As they could take away confidential information, launch supply chain attacks, or even use those accounts to mine cryptocurrencies. In general, exploiting npm packages is an effective and confidential method of attack for hackers.

Cybersecurity researchers at Phylum recently warned developers about malicious npm packages that deliver sophisticated RAT.

Technical Analysis

Phylum’s automated risk platform recently detected a suspicious npm package named glup-debugger-log which has obfuscated files that act as a dropper and provide remote access.

Some obfuscated files were found in package.json that were executed via build and test scripts.

The entry point for the malicious code was identified to be the bind() method from an obfuscated play.js file after deobfuscating it.

Function bind() exports code that produces a random number and then asynchronously executes start() and share().

Start() gets some configuration information which includes hard-coded empty strings for keys “p” and “pv”.

It then makes environment verifications through the use of checkEnv function to decide whether or not the malware should be sent out.

These checks consist of network interface verification, Windows OS check, and ensuring the developer’s desktop folder has at least 7 programs, most likely directed at active developers’ machines.

With ANYRUN You can Analyze any URL, Files & Email for Malicious Activity : Start your Analysis

If all of these tests are successful, the code will attempt to run the command locally, or download and run a remote payload and maintain a background script that provides remote access.

The code does extra checks compared to the initial environment checks. The code can be defined as a “match” key that can target specific machines through either MAC addresses or IPs.

It permits only Windows systems and must have at least 7 things in the user’s Desktop folder, indicating probably that it is an active developer machine.

After a successful checkup, it runs a command locally by means of decoding an already hardcoded Base64 string to “cmd.exe” or “downloads” a remote payload from the URL given.

Moreover, even after the main process exits, it runs another separate script that remains persistent for further malicious activities.

The attacker seems to be interested in developers’ systems for compromise in this way.

The hidden play-share.js sets up an HTTP server on port 3004. Sending a query with “cmd” through this means the attacker can command execution on the compromised system.

It uses child_process to execute the specified command and then returns the output of that command.

Alongside the main dropper, it makes it possible to have remote code execution since it is simple but powerful enough to make something of a crude RAT.

While written in JavaScript, some modularity, stealth, environment targeting, and obfuscation techniques are used.

This shows how attackers evolve malware development in open-source ecosystems.

Looking for Full Data Breach Protection? Try Cynet's All-in-One Cybersecurity Platform for MSPs: Try Free Demo