gerstaffing.blogg.se

Malware downloads

A package called “aabquerys” has been spotted on the open-source JavaScript npm repository using typosquatting techniques to enable the download of malicious components. The findings come from security researchers at ReversingLabs, who have said aabquerys was able to download second- and third-stage malware payloads to infected systems.

“The package name, aabquerys, is also similar to the name of another, legitimate npm module: abquery, evidence of ‘typosquatting,’ or attempting to sow confusion and fool developers into downloading a malicious package in place of a legitimate one,” reads an advisory posted by the company on Thursday.

The technical write-up by ReversingLabs threat researchers Lucija Valentic and Karlo Zanki says the malicious package consisted of two files, one obfuscated via the JavaScript obfuscator.

“Open source code is intended to be viewable by everyone, so an effort to disguise or hide functionality within an open source module should be investigated,” the researchers wrote. “In the case of aabquerys, the obfuscated code in question was easily de-obfuscated. That revealed a file with clearly malicious behavior.”

When opened on a PC, the file showed a fake web browser crash message and a link that led to the download of a second-stage malware that has been used in several malware campaigns, according to ReversingLabs. This, in turn, sideloaded a dynamic link library (DLL) file that downloaded a third-stage malicious component.

Dubbed “Demon.bin,” this file is a malicious agent with various remote access trojan (RAT) functionalities that was reportedly developed using the open-source, post-exploitation, command and control (C2) framework Havoc by malware author C5pider.

At the same time, the discovery of the malicious package (and evidence of others) by the maintainer responsible highlights the growing risk of malicious packages hiding in open-source repositories like npm, PyPI and GitHub, the researchers explained.

“Since discovering the aabquerys package, npm has removed it from their repository along with other malicious packages,” Valentic wrote.
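The typosquatting pattern described above (aabquerys standing in for abquery) is something a build pipeline can screen for before a dependency is installed. The script below is an added example, not code from the article or from ReversingLabs; it assumes a constructed allow-list of legitimate package names and a constructed package.json manifest, and flags any dependency whose name is within a couple of edits of a known package.

```javascript
// Added example (not from the article or ReversingLabs): flag npm dependency
// names that sit within a small edit distance of a known legitimate package,
// the pattern the article describes for "aabquerys" vs "abquery".

// Optimal-string-alignment (Damerau-Levenshtein) distance: counts insertions,
// deletions, substitutions and adjacent transpositions, the edits typosquats rely on.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Constructed allow-list standing in for a feed of popular or approved packages.
const KNOWN_PACKAGES = ["abquery", "lodash", "express", "react"];

// Return the legitimate names a candidate package name is suspiciously close to.
// An exact match is not a typosquat; anything within `maxDistance` edits is flagged.
function typosquatCandidates(name, known = KNOWN_PACKAGES, maxDistance = 2) {
  const n = name.toLowerCase();
  return known
    .filter((k) => k !== n && editDistance(n, k) <= maxDistance)
    .map((k) => ({ lookalike: k, distance: editDistance(n, k) }));
}

// Walk a package.json dependency map and report every suspicious entry.
function auditDependencies(pkgJson, known = KNOWN_PACKAGES) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  const findings = [];
  for (const dep of Object.keys(deps)) {
    const hits = typosquatCandidates(dep, known);
    if (hits.length) findings.push({ package: dep, hits });
  }
  return findings;
}

// Constructed package.json manifest containing the article's package name.
const SAMPLE_MANIFEST = { dependencies: { aabquerys: "^1.0.0", lodash: "^4.17.21" } };
console.log(JSON.stringify(auditDependencies(SAMPLE_MANIFEST), null, 2));
```

A hit only means the name deserves a look, as the article's own advice about inspecting disguised functionality suggests; the distance threshold and allow-list should be tuned to the registry and team in question.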