Thursday, May 15, 2025

Malicious NPM package uses Unicode steganography to evade detection

A malicious package in the Node Package Manager index uses invisible Unicode characters to hide malicious code and Google Calendar links to host the URL of the command-and-control location.

The package, named os-info-checker-es6, poses as an information utility and has been downloaded more than 1,000 times since the beginning of the month.

Researchers at Veracode, a code security analysis company, found that the first version of the package was added to the Node Package Manager (NPM) index on March 19 and was benign, as it only collected operating system information from the host.

The author added changes several days later to include platform-specific binaries and obfuscated installation scripts.

On May 7, a new version of the package was published, which featured code for “a sophisticated C2 (command-and-control) mechanism” that delivers the final payload.

The latest version of ‘os-info-checker-es6’ available on npm at the time of writing is v1.0.8 and it is malicious, Veracode warns.

Furthermore, the package is listed as a dependency for four other NPM packages: skip-tot, vue-dev-serverr, vue-dummyy, and vue-bit – all pose as accessibility and developer platform engineering tools.

It is unclear if or how these packages are promoted by the threat actor.

Unicode steganography

In the malicious version, the attacker embedded data in what appeared to be a plain ‘|’ string. However, the vertical bar is followed by a long sequence of invisible Unicode characters from the Variation Selectors Supplement range (U+E0100 to U+E01EF).

These Unicode characters are normally modifiers, typically used “to provide specific glyph variations in complex scripts.” In this case, their purpose is to facilitate text-based steganography – hiding information inside other data.

Veracode decoded and deobfuscated the string to find a payload for a sophisticated C2 mechanism that relied on a Google Calendar short link to reach the location hosting the final payload.

The researchers explain that after fetching the Google Calendar link, a series of redirects is followed until the request receives an HTTP 200 OK response.

It then scrapes a data-base-title attribute from the event’s HTML page, which holds a base64-encoded URL pointing to the final payload.

Using a function called ymmogvj, the URL is decoded to fetch a malware payload. The researchers say that the request expects a base64-encoded stage-2 malware payload in the response body, and likely an initialization vector and a secret key in the HTTP headers – an indication that the final payload may be encrypted.

Veracode also found that the payload would be executed using eval(). The script includes a simple persistence mechanism in the system’s temporary directory, which prevents multiple instances from running at the same time.

At the time of analysis, the researchers could not retrieve the final payload, suggesting that the campaign may be on hold or still in an early stage.

Despite Veracode reporting its findings to NPM, the suspicious packages are still present on the platform.
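As an added example (not Veracode's tooling or the package's own code), the scanner below flags runs of these invisible Variation Selectors Supplement characters in JavaScript source and decodes them for an audit report. The byte mapping byte = codePoint - 0xE0100, the minimum run length and the fixture string are assumptions, since the article does not publish the real decoder.

```javascript
// Added example: defender-side scanner for hidden data in Variation Selectors
// Supplement characters (U+E0100..U+E01EF). ASSUMPTION: each code point
// encodes one byte as codePoint - 0xE0100; the page gives no real mapping.
const VS_SUPP_START = 0xe0100;
const VS_SUPP_END = 0xe01ef;

function isVariationSelectorSupp(cp) {
  return cp >= VS_SUPP_START && cp <= VS_SUPP_END;
}

// Find every run of consecutive VS Supplement code points in `source`.
// Returns [{ index, length, bytes }]; index is the UTF-16 offset of the run.
function findHiddenRuns(source, minLength = 8) {
  const runs = [];
  let i = 0;
  while (i < source.length) {
    const cp = source.codePointAt(i);
    if (!isVariationSelectorSupp(cp)) { i += cp > 0xffff ? 2 : 1; continue; }
    const start = i;
    const bytes = [];
    while (i < source.length && isVariationSelectorSupp(source.codePointAt(i))) {
      bytes.push(source.codePointAt(i) - VS_SUPP_START);
      i += 2; // every code point in this range is a surrogate pair in UTF-16
    }
    if (bytes.length >= minLength) runs.push({ index: start, length: bytes.length, bytes });
  }
  return runs;
}

// Render decoded bytes as text; non-printable bytes are escaped so the
// output is safe to paste into a report.
function decodeRun(bytes) {
  return Buffer.from(bytes).toString('latin1')
    .replace(/[^\x20-\x7e]/g, c => `\\x${c.charCodeAt(0).toString(16).padStart(2, '0')}`);
}

// Scan one source file's contents and produce audit findings.
function scanSource(source) {
  return findHiddenRuns(source).map(r => ({
    offset: r.index,
    hiddenCodePoints: r.length,
    visibleContext: source.slice(Math.max(0, r.index - 3), r.index), // e.g. the '|'
    decoded: decodeRun(r.bytes),
  }));
}

// Constructed fixture (not from the real package): a '|' literal followed by
// an invisible string, built with the same assumed mapping.
const HIDDEN_TEXT = 'stage2 placeholder';
const FIXTURE = "const a = '|" +
  [...Buffer.from(HIDDEN_TEXT)].map(b => String.fromCodePoint(VS_SUPP_START + b)).join('') + "';";
```

Run it over every `.js` file of a suspect package; any run of invisible selectors after a short visible literal is worth a manual look, whatever the decoded bytes turn out to be.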
