Ravie Lakshmanan | Mar 04, 2026 | Threat Intelligence / Application Security

Cybersecurity researchers have flagged malicious Packagist PHP packages masquerading as Laravel utilities that act as a conduit for a cross-platform remote access trojan (RAT) that’s functional on Windows, macOS, and Linux systems.

The names of the packages are listed below –

  • nhattuanbl/lara-helper (37 Downloads)
  • nhattuanbl/simple-queue (29 Downloads)
  • nhattuanbl/lara-swagger (49 Downloads)

According to Socket, the package “nhattuanbl/lara-swagger” does not directly embed malicious code, but it lists “nhattuanbl/lara-helper” as a Composer dependency, causing the RAT to be installed alongside it. The packages are still available for download from the PHP package registry.

Both lara-helper and simple-queue have been found to contain a PHP file named “src/helper.php” that uses several tricks to complicate static analysis: control flow obfuscation, encoded domain names, command names, and file paths, and randomized identifiers for variable and function names.

“Once loaded, the payload connects to a C2 server at helper.leuleu[.]net:2096, sends system reconnaissance data, and waits for commands — giving the operator full remote access to the host,” security researcher Kush Pandya said.

This includes sending system information and parsing commands received from the C2 server for subsequent execution on the compromised host. Communication takes place over TCP using PHP’s stream_socket_client(). The supported commands are listed below –

  • ping, to send a heartbeat automatically every 60 seconds
  • info, to send system reconnaissance data to the C2 server
  • cmd, to run a shell command
  • powershell, to run a PowerShell command
  • run, to run a shell command in the background
  • screenshot, to capture the screen using imagegrabscreen()
  • download, to read a file from disk
  • upload, to write a file to disk and grant it read, write, and execute permissions to all users
  • stop, to close the socket and exit

“For shell execution, the RAT probes disable_functions and picks the first available method from: popen, proc_open, exec, shell_exec, system, passthru,” Pandya said. “This makes it resilient to common PHP hardening configurations.”

While the C2 server is currently non-responsive, the RAT retries the connection every 15 seconds in a persistent loop, so an infected host remains exposed if the server comes back online. Users who have installed the packages are advised to assume compromise, remove them, rotate all secrets accessible from the application environment, and audit outbound traffic to the C2 server.
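The advice above boils down to two checks: whether any of the named packages (or something that requires them) is in the project's composer.lock, and whether a vendor file shows the RAT's telltale combination of a raw TCP socket and a disable_functions probe. The following is an added example of both checks, not code from the article or from Socket; the lock-file layout is standard Composer, while the two-string heuristic and the sample inputs are constructed here and will miss payloads that encode those function names.

```python
import json
from pathlib import Path

# Package names reported in the article. lara-swagger carries no payload
# itself but requires lara-helper, so it is flagged as well.
MALICIOUS_PACKAGES = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}

# Heuristic (an assumption, not from the write-up): the RAT opens a raw TCP
# socket and probes disable_functions to pick an execution primitive, so a
# vendor file containing both strings deserves a manual look.
SUSPICIOUS_PATTERNS = ("stream_socket_client", "disable_functions")

def flag_lock_packages(lock_json: str) -> dict:
    """Map each malicious package found in composer.lock to the packages that require it."""
    lock = json.loads(lock_json)
    packages = lock.get("packages", []) + lock.get("packages-dev", [])
    hits = {}
    for pkg in packages:
        if pkg["name"] in MALICIOUS_PACKAGES:
            hits.setdefault(pkg["name"], [])
        for dep in pkg.get("require", {}):
            if dep in MALICIOUS_PACKAGES:
                hits.setdefault(dep, []).append(pkg["name"])
    return hits

def scan_vendor_file(source: str) -> bool:
    """True if a PHP source contains every heuristic pattern (case-insensitive)."""
    lowered = source.lower()
    return all(pat in lowered for pat in SUSPICIOUS_PATTERNS)

def scan_vendor_dir(root: str) -> list:
    """Paths of PHP files under root (e.g. vendor/) that match the heuristic."""
    return [str(p) for p in Path(root).rglob("*.php")
            if scan_vendor_file(p.read_text(errors="ignore"))]

# Constructed composer.lock fragment for demonstration; not a real lock file.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "laravel/framework", "version": "v11.0.0", "require": {"php": "^8.2"}},
    {"name": "nhattuanbl/lara-swagger", "version": "1.0.0",
     "require": {"nhattuanbl/lara-helper": "*"}},
    {"name": "nhattuanbl/lara-helper", "version": "1.0.0", "require": {}},
]})
# Constructed stand-in for a suspicious helper.php; not the actual payload.
SAMPLE_HELPER = "<?php $d=ini_get('disable_functions'); $s=stream_socket_client($h);"

if __name__ == "__main__":
    print(flag_lock_packages(SAMPLE_LOCK))
    print(scan_vendor_file(SAMPLE_HELPER))
```

Run scan_vendor_dir("vendor") from the project root to sweep installed code; a hit from flag_lock_packages means the package was pulled in transitively even if the project never listed it in composer.json.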

Besides the aforementioned three packages, the threat actor behind the operation has published three other libraries (“nhattuanbl/lara-media,” “nhattuanbl/snooze,” and “nhattuanbl/syslog”) that are clean, likely in an effort to build credibility and trick users into installing the malicious ones.

“Any Laravel application that installed lara-helper or simple-queue is running a persistent RAT….



Last Update: March 4, 2026