    Npm Trojan bypasses UAC and uses the “Os compatible” software package to install AnyDesk

    Report, January 19, 2024, Editorial Department, Software Security / Spyware


    Malicious packages uploaded to the npm registry have been found to deploy a sophisticated remote access Trojan on compromised Windows machines.

    The package, named “oscompatible”, was published on January 9, 2024, and attracted a total of 380 downloads before it was taken down.

    According to software supply chain security company Phylum, oscompatible contains “some strange binaries,” including an executable file, a dynamic link library (DLL) and an encrypted DAT file, as well as a JavaScript file.

    This JavaScript file (“index.js”) executes the “autorun.bat” batch script, but only after performing a compatibility check to determine if the target computer is running on Microsoft Windows.

    If the platform is not Windows, it displays an error message stating that the script is running on Linux or an unrecognized operating system and urges the user to run it on “Windows Server OS”.

    The batch script itself verifies whether it has administrator rights, and if not, executes a legitimate Microsoft Edge component named “cookie_exporter.exe” through a PowerShell command.


    Attempting to execute the binary triggers a User Account Control (UAC) prompt, asking the target to run it with administrator credentials.

    During this step, the threat actors leverage a technique called DLL search order hijacking to make the legitimate binary load a malicious DLL (“msedge.dll”), which performs the next stage of the attack.

    The trojanized library is designed to decrypt a DAT archive (“msedge.dat”) and launch another DLL named “msedgedat.dll”, which in turn connects to an attacker-controlled domain named “kdark1[.]com” to retrieve a ZIP archive.

    The ZIP file comes with the AnyDesk remote desktop software and a remote access Trojan (“verify.dll”), which can obtain instructions from the command and control (C2) server through WebSockets and collect sensitive information from the host.

    It also “installs Chrome extensions to Security Preferences, configures AnyDesk, hides the screen and disables shutting down Windows, [and] captures keyboard and mouse events,” Phylum said.
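The indicators Phylum lists for this package, native Windows binaries, an encrypted DAT and a batch script inside a JavaScript package, are cheap to check for before a dependency is installed. The following triage script is an added example written for this article, not Phylum's tooling; the package layout it builds is constructed to mirror the file names above and contains only stub bytes (a two-byte PE header, not a real executable).

```python
import json
import os
import tempfile

# Indicators drawn from the write-up: executable, DLL, encrypted DAT and batch
# script shipped inside what claims to be a JavaScript package.
SUSPICIOUS_EXTS = {".exe", ".dll", ".dat", ".bat", ".cmd", ".ps1"}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
PE_MAGIC = b"MZ"  # DOS header that opens every Windows PE image

def triage_package(root):
    """Return sorted (kind, detail) findings for an extracted npm package directory."""
    findings = []
    pkg_json = os.path.join(root, "package.json")
    if os.path.isfile(pkg_json):
        with open(pkg_json, encoding="utf-8") as fh:
            scripts = json.load(fh).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:  # scripts npm runs automatically at install time
            if hook in scripts:
                findings.append(("lifecycle_hook", f"{hook}: {scripts[hook]}"))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTS:
                findings.append(("suspicious_extension", rel))
            with open(path, "rb") as fh:
                head = fh.read(len(PE_MAGIC))
            if head == PE_MAGIC:  # magic check also catches renamed executables
                findings.append(("pe_image", rel))
    return sorted(findings)

def build_sample_package(root):
    # Constructed sample laid out like the package described; contents are fake.
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "package.json"), "w", encoding="utf-8") as fh:
        json.dump({"name": "sample-pkg", "scripts": {"postinstall": "node index.js"}}, fh)
    files = {
        "index.js": b"// constructed stub\n",
        "autorun.bat": b"@echo off\r\n",
        "cookie_exporter.exe": b"MZ" + b"\x00" * 62,  # header bytes only, not a real PE
        "msedge.dll": b"MZ" + b"\x00" * 62,
        "msedge.dat": bytes(range(64)),  # stand-in for the encrypted blob
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

def demo():
    root = os.path.join(tempfile.mkdtemp(), "sample-pkg")
    build_sample_package(root)
    return triage_package(root)  # print(demo()) to list the findings
```

Pointing `triage_package` at a real `node_modules/<name>` directory works the same way; a lifecycle hook combined with any `pe_image` finding is the pattern worth a manual look.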


    While “oscompatible” appears to be the only npm module used in the campaign, the development is yet another sign that threat actors are increasingly targeting the open source software (OSS) ecosystem for supply chain attacks.

    “From a binary perspective, the process of decrypting data, using revoked certificates for signing, pulling other files from remote sources, and attempting to disguise itself as a standard Windows update process is relatively complex compared to what we typically see in the OSS ecosystem,” the company said.

    Cloud security company Aqua revealed that 21.2% of the 50,000 most downloaded npm packages have been deprecated, exposing users to security risks. Put differently, deprecated packages are downloaded an estimated 2.1 billion times per week.

    This includes archived and deleted GitHub repositories associated with the packages, as well as packages maintained without a visible repository, commit history, or issue tracking.

    “This situation becomes critical when, instead of addressing a security flaw through a patch or CVE assignment, maintainers choose to deprecate the affected packages,” said security researchers Ilay Goldman and Yakir Kadkoda.

    “What is particularly concerning is that sometimes these maintainers do not officially mark packages as deprecated on npm, leaving security holes open to users who may remain unaware of potential threats.”
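The abandonment signals the Aqua researchers describe can be read off the registry metadata a package exposes. This is an added example, not Aqua's or npm's code: it parses a constructed packument (the npm registry's per-package JSON document, with an invented name, versions and URL) and flags a deprecated latest version, a wholly deprecated package, and a missing or dead source repository; whether the repository is archived or deleted is passed in by the caller, since confirming it requires querying the hosting provider.

```python
import json

# Constructed packument (the npm registry's /<name> document); the package
# name, versions and repository URL are invented for this example.
SAMPLE_PACKUMENT = json.dumps({
    "name": "example-legacy-lib",
    "dist-tags": {"latest": "2.3.1"},
    "repository": {"type": "git", "url": "git+https://github.com/example/legacy-lib.git"},
    "versions": {
        "2.3.0": {"version": "2.3.0"},
        "2.3.1": {"version": "2.3.1", "deprecated": "no longer maintained"},
    },
})

def repository_url(meta):
    """npm accepts `repository` as a string or a {type, url} object; return a URL or None."""
    repo = meta.get("repository")
    if isinstance(repo, dict):
        repo = repo.get("url")
    return repo or None

def assess_packument(packument_json, repo_status="unknown"):
    """Flag the deprecation and abandonment signals the Aqua research describes.

    repo_status ("active", "archived", "deleted" or "unknown") is supplied by the
    caller because confirming it means querying the hosting provider.
    """
    meta = json.loads(packument_json)
    versions = meta.get("versions", {})
    latest = meta.get("dist-tags", {}).get("latest")
    flags = []
    if latest and "deprecated" in versions.get(latest, {}):
        flags.append("latest_version_deprecated")
    if versions and all("deprecated" in v for v in versions.values()):
        flags.append("all_versions_deprecated")
    if repository_url(meta) is None:
        flags.append("no_visible_repository")
    elif repo_status in ("archived", "deleted"):
        flags.append(f"repository_{repo_status}")
    # No flags is not a clean bill of health: the researchers note maintainers
    # sometimes abandon a package without ever setting the deprecated field.
    return {"name": meta.get("name"), "latest": latest, "flags": flags,
            "risk": "high" if flags else "unverified"}

if __name__ == "__main__":
    print(assess_packument(SAMPLE_PACKUMENT, repo_status="archived"))
```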
