A malicious package uploaded to the npm registry has been found to deploy a sophisticated remote access trojan on compromised machines running Windows.
The package, called “oscompatible”, was published on January 9, 2024, and attracted 380 downloads before it was removed.
How oscompatible works and what it is
oscompatible included “some strange binaries,” according to software supply chain security firm Phylum: a single executable, a dynamic link library (DLL) and an encrypted DAT file, alongside a JavaScript file.
The JavaScript file (“index.js”) runs a batch script, “autorun.bat”, but only after a compatibility check to determine whether the target machine is running Microsoft Windows.
If the platform is not Windows, it displays an error message telling the user that the script is running on Linux or an unrecognized operating system and urging them to run it on “Windows Server OS”.
The batch script, in turn, checks whether it has administrator privileges and, if not, launches a legitimate Microsoft Edge component called “cookie_exporter.exe” via a PowerShell command.
Attempting to run that binary triggers a User Account Control (UAC) prompt asking the user to run it with administrator credentials.
Once the user consents, the attacker carries out the next stage of the attack by executing the DLL (“msedge.dll”) through a technique known as DLL search order hijacking.
The trojanized version of the library is designed to decrypt the DAT file (“msedge.dat”) and launch another DLL called “msedgedat.dll”, which in turn connects to an attacker-controlled domain, “kdark1[.]com”, to retrieve a ZIP archive.
The ZIP file contains the AnyDesk remote desktop software and a remote access trojan (“verify.dll”) capable of retrieving instructions from a command-and-control (C2) server via WebSockets and collecting sensitive information from the host.
Furthermore, the malware can “install Chrome extensions in Secure Preferences, configure AnyDesk, hide the screen and disable Windows shutdown, capture keyboard and mouse events”, Phylum said.
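The combination described above (an npm package shipping Windows PE binaries and an opaque encrypted blob, with a JavaScript entry point that shells out to a batch file) is easy to flag before anything is executed. The scanner below is an added example written for this article; it is not Phylum's tooling or anything from the oscompatible package. The file names it writes (cookie_exporter.exe, msedge.dll, msedge.dat, autorun.bat, index.js) are taken from the article, but their contents are constructed stand-ins: a minimal MZ/PE header, a uniformly distributed byte pattern in place of ciphertext, and a short index.js that gates on `process.platform` and calls `execSync('autorun.bat')`. The install-script check goes beyond the article, since npm install hooks are the other common place such a launcher hides.

```python
import json
import math
import re
import struct
import tempfile
from pathlib import Path

# child_process usage combined with a Windows artifact (.bat/.cmd/.exe/.ps1 or
# PowerShell) is the launcher pattern the article describes for index.js.
SPAWN_RE = re.compile(r"child_process|\b(exec|execSync|execFile|execFileSync|spawn|spawnSync)\b")
WIN_TARGET_RE = re.compile(r"\.(bat|cmd|exe|ps1)\b|powershell", re.IGNORECASE)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
OPAQUE_SUFFIXES = (".dat", ".bin")
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and packed data sit near 8.0


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub and a 'PE\\0\\0' signature at e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte distribution; 8.0 means every value is equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def scan_package(root: str) -> list:
    """Walk an unpacked npm package and return a list of {file, indicator} findings."""
    findings = []
    root_path = Path(root)
    for path in sorted(root_path.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root_path).as_posix()
        data = path.read_bytes()
        if is_pe(data):  # native Windows code has no business in most npm packages
            findings.append({"file": rel, "indicator": "pe-binary"})
        elif path.name == "package.json":
            try:
                scripts = json.loads(data).get("scripts", {})
            except ValueError:
                scripts = {}
            for hook in INSTALL_HOOKS:
                if hook in scripts:
                    findings.append({"file": rel, "indicator": f"install-hook:{hook}"})
        elif path.suffix in (".js", ".cjs", ".mjs"):
            text = data.decode("utf-8", errors="replace")
            if SPAWN_RE.search(text) and WIN_TARGET_RE.search(text):
                findings.append({"file": rel, "indicator": "spawns-windows-binary"})
        elif path.suffix.lower() in OPAQUE_SUFFIXES and len(data) >= 256:
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                findings.append({"file": rel, "indicator": "opaque-blob"})
    return findings


def build_sample_package() -> str:
    """Write a constructed package laid out like the article's description; returns its directory.
    Nothing here is real oscompatible content: the binaries are bare PE headers and the
    .dat is a synthetic high-entropy pattern standing in for ciphertext."""
    root = Path(tempfile.mkdtemp(prefix="npm-scan-"))
    (root / "package.json").write_text(json.dumps(
        {"name": "example-compat", "version": "1.0.0", "main": "index.js"}))
    (root / "index.js").write_text(
        "const { execSync } = require('child_process');\n"
        "if (process.platform !== 'win32') {\n"
        "  console.error('Please run this on Windows Server OS');\n"
        "} else {\n"
        "  execSync('autorun.bat', { stdio: 'inherit' });\n"
        "}\n")
    pe_stub = bytearray(0x44)
    pe_stub[0:2] = b"MZ"
    struct.pack_into("<I", pe_stub, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    pe_stub[0x40:0x44] = b"PE\0\0"
    (root / "cookie_exporter.exe").write_bytes(bytes(pe_stub))
    (root / "msedge.dll").write_bytes(bytes(pe_stub))
    (root / "msedge.dat").write_bytes(bytes(range(256)) * 4)  # entropy exactly 8.0
    (root / "autorun.bat").write_text("@echo off\r\n")
    (root / "lib").mkdir()
    (root / "lib" / "util.js").write_text("module.exports = () => 1;\n")
    return str(root)


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(f"{finding['indicator']:24} {finding['file']}")
```

Run it against a directory produced by `npm pack` plus `tar xf`, or against `node_modules/<name>`, before the package is ever required. The PE check uses the header structure rather than the file extension, so a DLL renamed to `.dat` is still caught; the entropy check is only applied to file types that should be plain data, to avoid flagging every image or font.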
While “oscompatible” appears to be the only npm module used in the campaign, the development is another sign that well-resourced threat actors are increasingly targeting open-source software (OSS) ecosystems for supply chain attacks.
“On the binary side, the process of data decryption, the use of a revoked certificate for signing, extracting other files from remote sources and trying to masquerade as a normal Windows update process is relatively sophisticated compared to what we normally see in OSS ecosystems”, the company said.
The disclosure comes as cloud security firm Aqua revealed that 21.2% of the 50,000 most downloaded npm packages are deprecated, exposing users to security risks. The packages in question are downloaded approximately 2.1 billion times per week.
This includes archived and deleted GitHub repositories associated with the packages, as well as packages maintained without a visible repository, commit history or issue tracking.
“This situation becomes critical when maintainers, rather than addressing security vulnerabilities with patches or CVE assignments, choose to deprecate [oscompatible essentially remained in place, but cannot be downloaded] the affected packages”, said security researchers Ilay Goldman and Yakir Kadkoda, adding: “What makes this situation particularly worrying is that, sometimes, these maintainers do not officially mark the package as deprecated on npm, leaving a security hole for users who may remain unaware of the potential threats”.
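The registry does record deprecation when a maintainer bothers to set it, and the packument (the JSON that `https://registry.npmjs.org/<name>` returns) is enough to check the installed version, the `latest` tag and whether a repository URL is declared at all. The audit below is an added example, not Aqua's tooling; `SAMPLE_PACKUMENT` is a constructed document for a made-up package, “example-compat”, whose 1.0.0 release is deprecated and which declares no repository. It cannot see an archived or deleted GitHub repository, which is the gap the researchers describe; that needs a separate lookup against the repository URL once one is present.

```python
import json
from datetime import datetime, timezone

# Constructed packument for a made-up package; field layout follows the npm registry format.
SAMPLE_PACKUMENT = json.dumps({
    "name": "example-compat",
    "dist-tags": {"latest": "1.1.0"},
    "versions": {
        "1.0.0": {"version": "1.0.0", "deprecated": "superseded, no longer maintained"},
        "1.1.0": {"version": "1.1.0"},
    },
    "time": {
        "modified": "2021-03-02T10:00:00.000Z",
        "1.0.0": "2020-01-15T12:00:00.000Z",
        "1.1.0": "2021-03-02T10:00:00.000Z",
    },
})

STALE_DAYS = 2 * 365  # arbitrary review threshold, not a registry rule


def load_sample() -> dict:
    return json.loads(SAMPLE_PACKUMENT)


def _parse_iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_packument(doc: dict, installed: str, now: datetime = None) -> dict:
    """Check one package document for deprecation, missing provenance and staleness."""
    now = now or datetime.now(timezone.utc)
    versions = doc.get("versions", {})
    latest = doc.get("dist-tags", {}).get("latest")
    deprecated = {v for v, meta in versions.items() if meta.get("deprecated")}
    repo = doc.get("repository")  # npm accepts either {"type","url"} or a bare string
    repo_url = repo.get("url") if isinstance(repo, dict) else repo
    warnings = []
    if installed in deprecated:
        warnings.append(f"installed version {installed} is deprecated: "
                        f"{versions[installed]['deprecated']}")
    if latest in deprecated:
        warnings.append(f"latest tag {latest} is deprecated")
    if versions and deprecated == set(versions):
        warnings.append("every published version is deprecated (package abandoned)")
    if not repo_url:
        warnings.append("no repository URL: upstream provenance cannot be checked")
    modified = doc.get("time", {}).get("modified")
    if modified:
        age = (now - _parse_iso(modified)).days
        if age > STALE_DAYS:
            warnings.append(f"last modified {age} days ago")
    return {"name": doc.get("name"), "installed": installed, "latest": latest,
            "deprecated_versions": sorted(deprecated), "repository": repo_url,
            "warnings": warnings}


if __name__ == "__main__":
    report = audit_packument(load_sample(), "1.0.0")
    print(report["name"], report["installed"], "->", report["latest"])
    for w in report["warnings"]:
        print(" -", w)
```

For a real package, fetch the document with `curl https://registry.npmjs.org/<name>` (or `npm view <name> --json`) and pass the parsed JSON in; `npm ls --json` gives the installed version per dependency. Note that a missing warning is weak evidence, exactly because, as the researchers point out, an unmaintained package is often never marked deprecated on npm.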