Heimdal

Researchers discovered that a new rogue npm package installed the r77 open-source rootkit. This was the first time that a rogue package was observed delivering rootkit functionality.

The “node-hide-console-windows” package impersonated the legitimate “node-hide-console-window” one. The forgery was first discovered in August 2023. “node-hide-console-windows” contained malicious code and was downloaded 704 times before security specialists took it down in September 2023.

The activity was part of a typosquatting campaign, in which attackers give malicious packages names that closely resemble those of legitimate ones so that a mistyped install pulls in the rogue package. Researchers warn that threat actors are increasingly using open-source projects as a delivery channel for malware.
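A lookalike-name check of the kind that would have caught this package, as an added example that is not part of the article: it flags any dependency name that sits within a small edit distance of a trusted package name. The trusted list and the package.json fragment are constructed for the example.

```javascript
// Added example (not from the article): flag dependency names that are one or two
// edits away from a known-good package name, the pattern typosquatting relies on.

// Classic Levenshtein edit distance (insert, delete, substitute), single-row version.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Constructed allowlist of package names the team already trusts (assumption).
const KNOWN_GOOD = ["node-hide-console-window", "express", "lodash"];

// Returns the names that are NOT on the allowlist but lie within maxDistance
// edits of an allowlisted entry. Exact matches are trusted; only near misses are flagged.
function findLookalikes(dependencyNames, knownGood = KNOWN_GOOD, maxDistance = 2) {
  const trusted = new Set(knownGood);
  const findings = [];
  for (const name of dependencyNames) {
    if (trusted.has(name)) continue;
    for (const good of knownGood) {
      const d = levenshtein(name, good);
      if (d > 0 && d <= maxDistance) {
        findings.push({ name, resembles: good, distance: d });
      }
    }
  }
  return findings;
}

// Constructed package.json fragment mirroring the case in the article.
const samplePackageJson = {
  dependencies: {
    "node-hide-console-windows": "^1.0.0",
    "express": "^4.18.2",
    "left-pad": "^1.3.0",
  },
};

for (const f of findLookalikes(Object.keys(samplePackageJson.dependencies))) {
  console.log(`suspicious: ${f.name} resembles ${f.resembles} (edit distance ${f.distance})`);
}
```

Run it as a pre-install gate in CI and fail the build on any finding; the trusted list is simply the set of names already in the lockfile.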

More About Rootkit R77 and the Rogue Package

The malware was hidden inside a file called “index.js” within the package. When the package was loaded, this file ran the malicious executable automatically.

The executable is DiscordRAT 2.0, a C#-based open-source trojan that can exfiltrate data and turn off security software.

One of the 40 commands DiscordRAT 2.0 supports is called “!rootkit”. That instruction launches another executable, “r77”. The r77 rootkit is designed to hide files and processes running on the computer. It can be used on its own or together with other software. Attackers had previously used the r77 rootkit to spread SeroXen and cryptocurrency miners.

Furthermore, researchers discovered that two distinct versions of “node-hide-console-windows” were retrieving the “Blank-Grabber” open-source data theft tool in addition to DiscordRAT 2.0. These versions pretended to be a “visual code update” while actually carrying out this activity.

Open-source Software Used to Obfuscate Malicious Activities

Researchers pointed out that the typosquatting campaign was built entirely from open-source components. This means the threat actors needed little effort of their own to prepare this supply chain attack.

“The actor or actors behind this campaign fashioned an npm page that closely resembled the page for the legitimate package that was being typo-squatted, and even created 10 versions of the malicious package to mirror the package they were mimicking,” said a researcher quoted by The Hacker News.

Security specialists warn developers to be extremely cautious when installing packages from open-source repositories. This is not the first time researchers have discovered packages that resemble legitimate ones but are equipped with data harvesting features, for example.


Author Profile

Livia Gyongyoși

Communications and PR Officer

Livia Gyongyoși is a Communications and PR Officer within Heimdal®, passionate about cybersecurity. Always interested in being up to date with the latest news regarding this domain, Livia's goal is to keep others informed about best practices and solutions that help avoid cyberattacks.
