Application Security , Next-Generation Technologies & Secure Development , Threat Intelligence

Open-Source Info Stealer RAT Hides in Malicious npm Packages

TurkoRat Capable of Credential Harvesting, Contains Features Such as Wallet Grabber
Open-Source Info Stealer RAT Hides in Malicious npm Packages

Researchers have identified two legitimate-looking malicious npm packages that concealed an open-source info stealer for two months before being detected and removed.

See Also: 57 Tips to Secure Your Organization

ReversingLabs researchers found the open-source info stealer TurkoRat hiding inside two packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent that were collectively downloaded about 1,200 times in the past two months.

An npm registry is a database of JavaScript packages, comprising software and metadata that are used by open-source developers to support JavaScript code sharing.

TurkoRat is capable of harvesting credentials and website cookies and contains features such as a wallet grabber, which is used for stealing cryptocurrency and its data.

During investigating available packages on public repositories, ReversingLabs researchers identified a number of combinations of malicious behaviors.

They saw open-source packages containing hard-coded IP addresses in their code and executing commands and writing data to files. Usually, such activity turns out to be malicious, the researchers said.

"It is true: None of those capabilities, individually, are malicious. When seen in combination, however, they’re usually supporting malicious functionality. The presence of such suspicious characteristics and behaviors that first caused the npm package nodejs-encrypt-agent to come to our attention," they said.

The malicious package called nodejs-encrypt-agent was found masquerading as another legitimate npm module agent-base, which has over 30 million downloads. Threat actors also added a link to the GitHub page of agent-base to make it look more authentic.

Threat actors were found mimicking an older version of agent-base that was published two months prior to the discovery of the malicious package.

This older version 6.0.2 of the agent-base model that the malicious actors were mimicking had been downloaded over 20 million times.

"High version numbers are popular among malware authors hoping to infiltrate open-source repositories via typosquatting and other supply chain attacks, where hurried developers are often quick to grab the latest edition of a package, as designated by the version number," the researchers said.

While analyzing the nodejs-encrypt-agent, researchers found that the code and functionality mirrored the agent-base package.

"There was, however, a small, but very significant difference: the nodejs-encrypt-agent package contained a portable executable file that, when analyzed by ReversingLabs was found to be malicious," they said.

This PE file gets executed when the package is run and leverages malicious commands hidden in the first few lines of the index.js file.

Some of the key malicious behaviors identified include its ability to write to and delete from Windows system directories, execute commands, and tamper with DNS settings, among others.

"The list of malicious or suspicious behaviors observed was long, with features designed to steal sensitive information from infected systems including user login credentials and crypto wallets as well as fool or defeat sandbox environments and debuggers that are used to analyze malicious files," the researchers said.

Discovering TurkoRat

When all the JavaScript files had been extracted and the researchers looked at previous versions of the nodejs-encrypt-agent package, they uncovered TurkoRat. The researchers confirmed their findings by correlating the JavaScript files extracted from the PE to the files found in the TurkoRat GitHub repository.

TurkoRat can be customized in the build to alter the configuration and capabilities of the finished PE. It can be distributed in various ways, including by hiding it in a legitimate software package, as it was hidden inside the nodejs-encrypt-agent.

The nodejs-encrypt-agent was not the only package to carry TurkoRat, but researchers uncovered the npm package nodejs-cookie-proxy-agent, which disguised "it as a dependency, axios-proxy, that was imported into every file found inside nodejs-cookie-proxy-agent versions 1.1.0, 1.2.0, 1.2.1 and 1.2.2."

Researchers found the code in the nodejs-encrypt-agent and the mirrors a commonly used, legitimate package, node-cookie-proxy-agent, which is not as popular as agent-base but continuously downloaded throughout last year.

"With the legitimate and malign packages only differing by two letters, this is a clear example of typosquatting, making it very possible that a developer would mistakenly download and use the malicious nodejs-cookie-proxy-agent in place of the legitimate node-cookie-proxy-agent," the researchers said.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.