Researchers at ReversingLabs have discovered a typosquatting campaign on the npm platform [5]. This campaign involved a deceptive package called “node-hide-console-windows” that closely imitated the legitimate package “node-hide-console-window.” The rogue package managed to deceive users and was downloaded approximately 704 times over the past two months before being taken down.

Description

The rogue package deployed an open-source rootkit known as “r77,” which allowed it to hide files and processes. It also downloaded a Discord bot called DiscordRAT 2.0 [1], enabling threat actors to remotely control a victim’s host through Discord and gather sensitive data. Additionally, the package included a payload disguised as a visual code update [10] that was actually a Python 3 info-stealer called Blank-Grabber [10].

This incident highlights the risks associated with open-source software and the ease with which malicious behavior can be concealed [4]. The campaign utilized freely available components [2] [3] [6] [8], making it simple for threat actors to execute supply chain attacks [3] [6]. The actors behind this campaign went to great lengths to create multiple versions of the malicious package, closely resembling the legitimate package they were imitating [6]. This discovery marks the first time a package with rootkit capabilities has been identified [9], indicating a growing trend of utilizing open-source projects for distributing malware [9].

The malicious code within the package’s index.js file launched an executable that dropped a C#-based open-source trojan known as DiscordRAT 2.0 [9]. This trojan allowed threat actors to remotely control the victim’s host via Discord and included features for collecting sensitive data and disabling security software [9]. The r77 rootkit [1] [2] [3] [7] [8] [9] [11], which can be triggered on the compromised system using a unique instruction [9], has previously been used in harmful campaigns, including the distribution of the SeroXen trojan and crypto miners [9]. The rogue package also fetched an open-source information stealer called Blank-Grabber [2] [8] [9].

Developers must exercise caution when installing packages from open-source repositories [3] [7] [8] [9], as threat actors can easily exploit freely available components for their attacks [9]. The rogue package meticulously mimicked the legitimate package’s npm page and published multiple versions to deceive unsuspecting users [9]. This trend underscores the need to verify package names and sources carefully before adding open-source dependencies.
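One practical check a team can add to its dependency review is a lookalike-name screen: flag any dependency whose name is a short edit away from a name on the team's own trusted list. The script below is an added example written for this article, not code from ReversingLabs or from either npm package; the trusted list and the package.json fragment are constructed, and the name pair from the campaign is used as the sample input.

```javascript
// Flags dependency names that sit a few edits away from a trusted package
// name without being that name (typosquat candidates).
// Constructed trusted list for this example; in practice this would come
// from an organisation allowlist or the names already present in lockfiles.
const TRUSTED = ["node-hide-console-window", "express", "lodash"];

// Levenshtein edit distance (insert, delete, substitute each cost 1),
// computed with a single rolling row.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(
        prev[j] + 1,                               // deletion
        prev[j - 1] + 1,                           // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1)     // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Returns [{ name, lookalikeOf, distance }] for every dependency whose name
// is not in `trusted` but lies within `maxDistance` edits of a trusted name.
function findTyposquatCandidates(deps, trusted = TRUSTED, maxDistance = 2) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (trusted.includes(name)) continue; // exact trusted name: not suspicious
    for (const t of trusted) {
      const d = editDistance(name, t);
      if (d <= maxDistance) findings.push({ name, lookalikeOf: t, distance: d });
    }
  }
  return findings;
}

// Constructed package.json "dependencies" fragment using the article's name pair.
const SAMPLE_DEPS = {
  "express": "^4.18.2",
  "node-hide-console-windows": "^1.0.0",
  "left-pad": "^1.3.0",
};

console.log(findTyposquatCandidates(SAMPLE_DEPS));
// → [{ name: 'node-hide-console-windows', lookalikeOf: 'node-hide-console-window', distance: 1 }]
```

A hit is a prompt to inspect the package page, publisher and download history before installing, not proof of malice; legitimate forks and plugins also produce near-miss names.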

Conclusion

This typosquatting campaign on the npm platform has significant implications. It highlights the importance of remaining vigilant and exercising caution when installing packages from open-source repositories. Developers must be aware of the risks associated with open-source software and the ease with which malicious behavior can be concealed. Mitigations should include thorough verification of package sources and careful consideration of the components used. The discovery of a package with rootkit capabilities indicates a growing trend of utilizing open-source projects for distributing malware, emphasizing the need for ongoing vigilance and security measures in the open-source community.

References

[1] https://thecyberwire.com/podcasts/daily-podcast/1920/transcript
[2] https://mrhacker.co/malware/rogue-npm-package-deploys-open-source-rootkit-in-new-supply-chain-attack
[3] https://vulners.com/thn/THN:87628602B845A66A20E4F81D5B60FA3A
[4] https://www.darkreading.com/application-security/turnkey-rootkit-amateur-hackers-supply-chain-attacks
[5] https://securityboulevard.com/2023/10/typosquatting-campaign-delivers-r77-rootkit-via-npm/
[6] https://thehackernews.com/2023/10/rogue-npm-package-deploys-open-source.html
[7] https://pledgetimes.com/r77-a-javascript-package-is-actually-a-rootkit/
[8] https://www.redpacketsecurity.com/rogue-npm-package-deploys-open-source-rootkit-in-new-supply-chain-attack/
[9] https://www.linkedin.com/pulse/rogue-npm-package-deploys-open-source-rootkit-new-supply-kotha
[10] https://securityboulevard.com/2023/10/two-campaigns-drop-malicious-packages-into-npm/
[11] https://heimdalsecurity.com/blog/rogue-npm-package-deploys-r77-rootkit/