Damaging Linux, macOS Malware Is Hiding in False Browserify NPM Package
The Malicious NPM Package Is Called “web-browserify,” and Imitates the Popular Browserify NPM Component.
Over the weekend, Sonatype’s automated malware detection system, Release Integrity, spotted quite a unique malware sample published to the NPM registry.
NodeJS developers working on Linux and Apple macOS were targeted by a brand-new malicious package detected on the NPM (Node Package Manager) registry.
The malicious package, named “web-browserify”, resembles the popular Browserify NPM component, which has been downloaded more than 160 million times over its lifetime, sees over 1.3 million weekly downloads on NPM alone, and is used by 356,000 GitHub repositories.
The malicious component was apparently downloaded around 50 times before it was removed from NPM, within two days of its publication.
The package, created by a pseudonymous author describing themselves as Steve Jobs, bundles hundreds of legitimate open-source components and performs extensive surveillance on an infected system.
Furthermore, as of now, none of the major antivirus engines detects the ELF malware contained in the component. One likely reason is that it uses genuine software components to carry out its suspicious activities.
Moreover, judging by how it behaves once installed and by the operating systems it targets, the malicious package appears to be designed specifically to target individual NodeJS developers.
How Does “web-browserify” Work?
The malicious package includes a manifest file, package.json, a postinstall.js script, and an ELF executable called “run” stored in a compressed archive, run.tar.xz, inside the npm component.
As soon as a developer installs the package, the scripts extract and launch the “run” Linux binary from the archive, which then requests elevated (root) permissions from the user.
The extracted “run” binary is huge, about 120 MB in size, and bundles hundreds of legitimate NPM components within itself. The malware is built entirely from open-source components and uses these legitimate components to carry out its extensive surveillance activities.
The cross-platform “sudo-prompt” module is one of these components; “run” uses it to prompt the user to grant the malware root privileges on both macOS and Linux distributions. These privileges are requested while “web-browserify” is installing, which might mislead the developer into believing that the legitimate installer activity requires elevated permissions.
Once the Executable and Linkable Format (ELF) binary (ELF being a common format for Unix-based executables and libraries) obtains elevated permissions, it establishes persistence on the Linux system by copying itself to /etc/rot1, from where it runs on every boot.
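As an added, defender-side example that is not part of the original article or of Sonatype's tooling, the following Node.js script audits a package manifest and its file list for the indicators described above: install-time lifecycle scripts, a bundled archive such as run.tar.xz, and a package name that embeds or closely resembles a popular one. The watchlist, the edit-distance threshold and the sample manifest are constructed assumptions.

```javascript
// Added example (not from the article or Sonatype): audit an npm manifest for
// the indicators the article describes. Watchlist and thresholds are assumptions.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const WATCHLIST = ['browserify', 'express', 'lodash']; // assumed popular names
const ARCHIVE_RE = /\.(tar\.xz|tar\.gz|tgz|zip|7z)$/i;

// Plain Levenshtein edit distance, used to catch near-miss (typosquat) names.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns a list of human-readable findings; an empty list means no indicator hit.
function auditManifest(manifest, fileList) {
  const findings = [];
  const scripts = manifest.scripts || {};
  // 1. Install-time hooks run arbitrary code on `npm install` (postinstall.js here).
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
  }
  // 2. A compressed archive shipped inside a JS package is unusual (run.tar.xz).
  const archives = fileList.filter((f) => ARCHIVE_RE.test(f));
  if (archives.length) findings.push(`bundled archive(s): ${archives.join(', ')}`);
  // 3. Name embeds or closely resembles a popular package ("web-browserify").
  for (const popular of WATCHLIST) {
    if (manifest.name === popular) continue;
    const near = manifest.name.includes(popular) || levenshtein(manifest.name, popular) <= 2;
    if (near) findings.push(`name "${manifest.name}" resembles popular package "${popular}"`);
  }
  return findings;
}

// Constructed sample modelled on the article's description of web-browserify.
const sampleManifest = {
  name: 'web-browserify',
  version: '1.0.0',
  scripts: { postinstall: 'node postinstall.js' },
};
const sampleFiles = ['package.json', 'postinstall.js', 'run.tar.xz'];

for (const finding of auditManifest(sampleManifest, sampleFiles)) {
  console.log('[!]', finding);
}
```

In practice the manifest and file list would come from the tarball fetched with `npm pack` before installation, so the check runs before any lifecycle script does.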
The Malware Has Advanced Reconnaissance And Fingerprinting Abilities.
Another legitimate NPM component, systeminformation, is used to collect the system username, brand, Bluetooth-connected devices, RAM size, hard drive capacity, disk layout, system architecture, WiFi and USB devices, and information on Docker images from the infected system.
BleepingComputer confirmed that at least some of this fingerprinting information is exfiltrated to an attacker-controlled domain over a plaintext (HTTP) connection, as GET parameters.
It is still unknown why the author deleted the “web-browserify” component two days after its initial publishing.
What is concerning about this type of attack is not only that none of the major antivirus engines has been able to detect the ELF malware contained in the component, but also that it capitalizes on legitimate open-source components such as Browserify.