Saturday, July 13, 2024

Malicious NPM Package Steals Chrome Browser Passwords By Abusing Legitimate Tool

Researchers uncovered a malicious NPM package that steals Google Chrome passwords by abusing a legitimate password recovery tool.

NPM is the largest package manager for Node.js JavaScript, hosting nearly 1.5 million packages with more than 20 million package downloads every month.

The malicious NPM package targeted software developers by abusing a legitimate third-party tool known as "ChromePass", a tool for recovering passwords from the Chrome browser.

The author of this package goes by the name chrunlee and has actively developed nearly 61 repositories on GitHub. The GitHub repository has also been linked to the website hxxps://chrunlee(.)cn, where the actor actively posts articles.

Researchers from ReversingLabs found that this package has 12 published versions and a total of over 1,283 downloads since the package was initially published at the end of February 2019.

NPM Package Stealing Passwords

Malicious activity from the "chrunlee" NPM package was found during a scan of public packages, and it makes several malicious attempts on software developers.

The NPM package contains several types of executable files (PE, ELF, Mach-O) along with JavaScript files, including several versions of the nodejs_net_server package, which is the primary focus of this research.

Researchers uncovered a ChromePass utility named "a.exe" that was located inside the "lib" folder.

The ChromePass tool itself isn't malicious, but the attacker abuses it for password stealing and credential exfiltration, since it can also be run from the command-line interface.
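A defender-side check for the package layout described above, as an added example that is not from the original article or the researchers: it walks one installed package directory, flags the package names from the article's indicator list, and reports files whose header bytes mark them as PE, ELF or Mach-O. The function names and the sample directory are constructed for illustration.

```javascript
const fs = require('fs');
const path = require('path');
// Package names taken from the article's indicator list.
const FLAGGED_NAMES = new Set(['nodejs_net_server', 'tempdownloadtempfile']);

// Classify header bytes as PE, ELF or thin Mach-O (0xcafebabe is skipped: Java class files share it).
function classifyMagic(head) {
  if (head.length >= 2 && head[0] === 0x4d && head[1] === 0x5a) return 'PE'; // "MZ"
  if (head.length < 4) return null;
  const magic = head.readUInt32BE(0);
  if (magic === 0x7f454c46) return 'ELF'; // "\x7fELF"
  return [0xfeedface, 0xfeedfacf, 0xcefaedfe, 0xcffaedfe].includes(magic) ? 'Mach-O' : null;
}

// Read only the first four bytes so large files are never loaded into memory.
function readHead(file) {
  const fd = fs.openSync(file, 'r');
  try {
    const buf = Buffer.alloc(4);
    return buf.subarray(0, fs.readSync(fd, buf, 0, 4, 0));
  } finally { fs.closeSync(fd); }
}

// Audit one installed package directory, e.g. node_modules/<name>. Symlinks are not followed.
function auditPackage(pkgDir) {
  const manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  const findings = FLAGGED_NAMES.has(manifest.name) ? [`flagged-name:${manifest.name}`] : [];
  const stack = [pkgDir];
  while (stack.length) {
    const dir = stack.pop();
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, ent.name);
      if (ent.isDirectory()) { stack.push(full); continue; }
      const kind = ent.isFile() && classifyMagic(readHead(full));
      if (kind) findings.push(`${kind}:${path.relative(pkgDir, full).split(path.sep).join('/')}`);
    }
  }
  return findings;
}

// Constructed sample: a harmless directory that only mimics the layout the article describes.
function buildSample() {
  const dir = fs.mkdtempSync(path.join(require('os').tmpdir(), 'npm-audit-'));
  fs.mkdirSync(path.join(dir, 'lib'));
  fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name: 'nodejs_net_server' }));
  fs.writeFileSync(path.join(dir, 'lib', 'a.exe'), Buffer.from([0x4d, 0x5a, 0x90, 0x00])); // header bytes only
  return dir;
}
console.log(auditPackage(buildSample()));
```

A pure-JavaScript package that ships native binaries is not malicious by itself (many packages bundle prebuilt addons), so findings are a prompt for review rather than a verdict.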

Functionality Improvement

Nearly 12 versions of this malicious NPM package have been published, with 1,283 downloads since 2019, when the first version of the package was published.

Starting with the second version of the package, the attackers began improving its functionality and added a remote shell; when the package was upgraded to version 1.1.0, they added a script to download the aforementioned password-stealing tool.

"In versions 1.1.1 and 1.1.2, this script was modified to run TeamViewer.exe instead, probably because the author didn’t want to have such an obvious connection between the malware and their website," researchers said.

To steal the credentials, the attackers trick users into executing the malicious package using the typosquatting technique, through which the malicious package is installed on the victim’s system.

Once the package has been successfully installed and executed, persistence is accomplished by installing the lib/test.js script as a Windows service.

This Windows service opens port 7353 to listen for incoming commands, which include directory content listing, file lookup, file upload, shell command execution, and screen and camera recording.

Finally, the attackers execute a shell command that runs the previously downloaded ChromePass hack-tool.

Researchers found that the NPM download stats show that this package has been downloaded more than 35,000 times.

Indicators of Compromise

Affected packages and SHA1:



BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
