age “jest-fet-mock,” which implements a unique strategy utilizing Ethereum sensible contracts for command-and-control operations. The bundle masquerades as a well-liked testing utility whereas distributing malware throughout Home windows, Linux, and macOS platforms. This discovery represents a notable distinction in provide chain assault methodologies, combining blockchain know-how with conventional assault vectors in a method not beforehand noticed in npm. jest-fet-mock was the primary bundle recognized in a bigger ongoing marketing campaign concentrating on the NPM ecosystem. Extra packages linked to this marketing campaign had been later reported by safety corporations Phylum and Socket.
Key Findings
- First noticed occasion of malware using Ethereum sensible contracts for C2 server deal with distribution within the NPM ecosystem.
- Typosquatting assault concentrating on builders by impersonating two reputable, in style testing packages.
- Cross-platform malware concentrating on Home windows, Linux, and macOS growth environments.
- Makes use of NPM preinstall scripts to execute malicious code throughout bundle set up.
- Performs info-stealing actions whereas establishing persistence mechanisms throughout contaminated techniques.
The Artwork of Impersonation
The malicious bundle “jest-fet-mock”, printed in mid-October, was designed to impersonate two reputable and broadly used JavaScript testing utilities.
The primary, “fetch-mock-jest” (~200K weekly downloads), is a wrapper round fetch-mock that permits HTTP request mocking in Jest environments.
The second, “Jest-Fetch-Mock” (~1.3M weekly downloads), supplies related performance by way of Jest’s native mocking capabilities.
Each reputable packages are instruments for testing HTTP requests in JavaScript purposes. The attacker used a traditional typosquatting method by misspelling “fetch” as “fet” whereas sustaining the important thing phrases “jest” and “mock”. On condition that the reputable packages are primarily utilized in growth environments the place builders sometimes have elevated system privileges, and are sometimes built-in into CI/CD pipelines, we imagine this assault particularly targets growth infrastructure by way of the compromise of testing environments.
Assault Circulation
Blockchain-Primarily based Command & Management
Essentially the most distinctive side of this assault is the way it leverages the Ethereum blockchain for its command-and-control infrastructure. When executed, the malware interacts with a sensible contract at deal with “0xa1b40044EBc2794f207D45143Bd82a1B86156c6b“. Specifically, it calls the contract’s “getString” methodology, passing “0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84” as a parameter to retrieve its C2 server deal with.
Through the use of the blockchain on this method, the attackers achieve two key benefits: their infrastructure turns into nearly not possible to take down as a result of blockchain’s immutable nature, and the decentralized structure makes it extraordinarily tough to dam these communications.
Understanding the Sensible Contract Mechanism
Consider a sensible contract on the Ethereum blockchain as a public bulletin board – anybody can learn what’s posted, however solely the proprietor has the flexibility to replace it. The attackers on this case deployed such a contract, utilizing it to retailer their C2 server deal with. Each time the malicious bundle is put in on a brand new system, it checks this bulletin board to search out out the place to obtain the precise malware. What makes this strategy notably efficient is its flexibility. As an alternative of hardcoding server addresses of their malware, the attackers can merely replace their sensible contract each time they should level to a brand new server. Because of this even when defenders efficiently block one C2 server, the attackers can rapidly change to a brand new one by updating their contract, and all new infections will mechanically hook up with the brand new location.
Preliminary Execution
The assault chain begins throughout the npm bundle set up course of by way of the preinstall script. This script determines the host working system and constructs a platform-specific URL to obtain the suitable payload. The malware then spawns a indifferent course of, making certain the malicious code continues working independently of the set up course of.
Multi-Platform Malware
Our evaluation revealed distinct malware variants designed for:
Home windows (SHA-256: df67a118cacf68ffe5610e8acddbe38db9fb702b473c941f4ea0320943ef32ba),
Linux (SHA-256: 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17),
and macOS (SHA-256: 3f4445eaf22cf236b5aeff5a5c24bf6dbc4c25dc926239b8732b351b09698653).
Notably, as of this writing, none of those information have been flagged as malicious by any safety distributors on VirusTotal.
The malware variants demonstrated numerous capabilities together with system reconnaissance, credential theft, and establishing persistence by way of platform-specific mechanisms – utilizing AutoStart information in Linux and Launch Agent configuration (~/Library/LaunchAgents/com.consumer.startup.plist) in macOS.
All through their operation, all variants preserve constant communication with the attacker’s C2 server, showcasing a coordinated cross-platform assault technique geared toward compromising growth environments.
Impression
By concentrating on growth instruments and testing utilities, attackers achieve potential entry to not solely particular person developer machines but additionally CI/CD pipelines and construct techniques. The usage of blockchain know-how for C2 infrastructure represents a unique strategy to provide chain assaults within the npm ecosystem, making the assault infrastructure extra resilient to takedown makes an attempt whereas complicating detection efforts.
The cross-platform nature of the malware, coupled with the truth that no safety distributors have flagged these information as malicious on VirusTotal on the time of writing, makes this an actively harmful risk to growth environments.
Conclusion
The invention of “jest-fet-mock” reveals how risk actors are discovering alternative ways to compromise the software program provide chain. This case serves as an essential reminder for growth groups to implement strict safety controls round bundle administration and thoroughly confirm the authenticity of testing utilities, particularly these requiring elevated privileges.
This marketing campaign is ongoing, with extra packages linked to the identical marketing campaign reported later within the month by Phylum and Socket.
As a part of the Checkmarx Provide Chain Safety resolution, our analysis staff constantly displays suspicious actions within the open-source software program ecosystem. We monitor and flag “signals” that will point out foul play, together with suspicious entry factors, and promptly alert our clients to assist defend them from potential threats.
Packages
For the complete listing of packages associated to this marketing campaign see this hyperlink:
https://gist.github.com/masteryoda101/d4e90eb8004804d062bc04cf1aec4bc0
IOCs
- hxxp[:]//193[.]233[.]201[.]21:3001
- hxxp[:]//193[.]233[.]201[.]21:3001/node-win.exe
- hxxp[:]//193[.]233[.]201[.]21:3001/node-linux
- hxxp[:]//193[.]233[.]201[.]21:3001/node-macos
- df67a118cacf68ffe5610e8acddbe38db9fb702b473c941f4ea0320943ef32ba
- 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17
- 3f4445eaf22cf236b5aeff5a5c24bf6dbc4c25dc926239b8732b351b09698653
