Typosquatting campaign delivers r77 rootkit via npm>
– lucija.valentic@reversinglabs.com (Lucija Valentić)
The ReversingLabs researchers conducted an investigation into a malicious supply chain campaign involving the npm package “node-hide-console-windows”.
They found that this package, despite mimicking a legitimate package, contained a malicious payload in the form of the DiscordRAT 2.0 executable.
This payload allowed malicious actors to control infected hosts through Discord channels, with commands ranging from extracting information to disabling Windows Defender and firewall, killing processes, blocking mouse and keyboard usage, and even shutting down or “bluescreening” the device.
During their investigation, the researchers also came across a command called “!rootkit” within the DiscordRAT 2.0 executable.
This command facilitated the launch of the r77 rootkit on the victim’s machine.
The r77 rootkit is an open source, fileless ring 3 rootkit that can disguise files and processes.
It was a recent addition to the DiscordRAT 2.0, and it allowed the bot to hide its presence on the compromised device by creating registry subkeys to conceal the path of the executable and the bot’s process.
The researchers also discovered a command called “!unrootkit” that could remove the r77 rootkit from the victim’s machine.
In addition to the DiscordRAT 2.0 payload, the researchers found that the analyzed versions of the “node-hide-console-windows” package downloaded a second malicious payload disguised as a Visual Studio Code update.
This payload turned out to be a PyInstaller-compiled executable serving the infostealer called “Blank-Grabber,” written in Python 3.
Similar to the Roblox campaign, it appeared that malicious actors were leveraging open source projects to distribute malware and evade antivirus detection.
The list of IOCs (Indicators of Compromise) collected during the investigation includes the npm package versions of “node-hide-console-windows” and the SHA1 hashes of the second stage payloads associated with the Visual Studio Code update.
The researchers concluded that this supply chain attack campaign, compared to others like IconBurst, had a limited reach among developers.
The motivation and skill level of the actors behind this campaign remained unclear.
On one hand, they made efforts to mimic legitimate packages and created numerous versions of the malicious package.
On the other hand, the campaign utilized well-documented open source malware readily available online, which increased the chances of detection.
The researchers emphasized the need for organizations to enhance their tools for detecting risks from open source packages.
They highlighted the importance of paying attention to small details in naming, detecting obfuscated code, scrutinizing package versioning and naming, and monitoring package dependencies.
By staying vigilant and employing technologies like ReversingLabs’ threat hunting and Software Supply Chain Security platforms, development organizations can better protect against these supply chain attacks and potential malicious payloads.
Link: https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research