A malicious package in the Node Package Manager index uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL for the command-and-control location.
The package, named os-info-checker-es6, poses as an information utility and has been downloaded more than 1,000 times since the beginning of the month.
Researchers at Veracode, a code security analysis company, found that the first version of the package was added to the Node Package Manager (NPM) index on March 19 and was benign, as it only collected operating system information from the host.
The author added modifications a few days later to include platform-specific binaries and obfuscated installation scripts.
On May 7, a new version of the package was published, which featured code for "a sophisticated C2 (command-and-control) mechanism" that delivers the final payload.
The latest version of 'os-info-checker-es6' available on npm at the time of writing is v1.0.8 and it is malicious, Veracode warns.
Additionally, the package is listed as a dependency for four other NPM packages: skip-toe, vue-dev-serverr, vue-dummy and vue-bit, all of which pose as accessibility and developer platform engineering tools.
It is unclear if or how these packages are promoted by the threat actor.
Unicode steganography
In the malicious version, the attacker embedded data in what appeared to be a '|' string. However, the vertical bar is followed by a long sequence of invisible Unicode characters from the Variation Selectors Supplement range (U+E0100 to U+E01EF).
These Unicode characters are normally modifiers, typically used "to provide specific glyph variations in complex scripts." In this case, their role is to facilitate text-based steganography, hiding information inside other data.
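As an added illustration (not code from Veracode or from the package), the following Python scanner flags runs of invisible Variation Selectors Supplement characters in a source file and decodes them. The one-byte-per-selector mapping (code point minus U+E0100) and the sample source are assumptions of this example, not the exact scheme the researchers reversed.

```python
import re

# Variation Selectors Supplement block (U+E0100..U+E01EF), the range named in the article.
VS_SUPP_LO, VS_SUPP_HI = 0xE0100, 0xE01EF
# Any run of 8+ consecutive selectors in source code is suspicious: legitimate
# use is one selector after a base character, never long unbroken sequences.
VS_RUN = re.compile('[\U000E0100-\U000E01EF]{8,}')

def find_hidden_runs(source: str):
    """Return (offset, run) for every suspicious run of invisible selectors."""
    return [(m.start(), m.group()) for m in VS_RUN.finditer(source)]

def decode_run(run: str) -> bytes:
    """Assumed mapping: each selector carries one byte as (code point - U+E0100).
    Only values 0..239 fit in the block, which covers ASCII/JavaScript source."""
    return bytes(ord(ch) - VS_SUPP_LO for ch in run)

def scan_source(source: str):
    """Report line number, run length and decoded bytes for each hidden run."""
    findings = []
    for offset, run in find_hidden_runs(source):
        line = source.count('\n', 0, offset) + 1
        findings.append({'line': line, 'length': len(run), 'decoded': decode_run(run)})
    return findings

# Constructed sample: a benign-looking module with a hidden string after a '|'.
# Visually the second line reads "const sep = '|';", the selectors render as nothing.
HIDDEN = b"console.log('hidden payload marker')"
SAMPLE = ("const os = require('os');\n"
          "const sep = '|" + ''.join(chr(VS_SUPP_LO + b) for b in HIDDEN) + "';\n")

if __name__ == '__main__':
    for f in scan_source(SAMPLE):
        print(f"line {f['line']}: {f['length']} invisible selectors -> {f['decoded']!r}")
```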
Veracode decoded and deobfuscated the string to find a payload for a sophisticated C2 mechanism that relied on a Google Calendar short link to reach the location hosting the final payload.
The researchers explain that after fetching the Google Calendar link, a chain of redirects is followed until the request receives an HTTP 200 OK response.
It then scrapes a data-base-title attribute from the event's HTML page, which holds a base64-encoded URL pointing to the final payload.
Using a function called ymmogvj, the URL is decoded to obtain a malware payload. The researchers say that the request expects a base64-encoded stage-2 malware payload in the response body, and likely an initialization vector and a secret key in the HTTP headers, an indication that the final payload may be encrypted.
Veracode also found that the payload would be executed using eval(). The script includes a simple persistence mechanism in the system's temporary directory, which prevents multiple instances from running at the same time.
At the time of analysis, the researchers could not retrieve the final payload, suggesting that the campaign could be on hold or still in an early stage.
Despite Veracode reporting its findings to NPM, the suspicious packages are still present on the platform.