Npm Trojan bypasses UAC, installs AnyDesk via “oscompatible” package

Npm malware

A malicious package uploaded to the npm registry has been found to deploy a sophisticated remote access Trojan on compromised Windows machines.

The package, named “oscompatible,” was published on January 9, 2024, and drew a total of 380 downloads before it was taken down.

oscompatible contained a “couple of strange binaries,” according to software vendor Phylum: a single executable, a dynamic-link library (DLL), and an encrypted DAT file, in addition to a JavaScript file.

The JavaScript file (“index.js”) runs a batch script, “autorun.bat”, but only after a compatibility check that determines whether the target machine is running Microsoft Windows.

If the platform is not Windows, an error message is displayed to the user, stating that the script is running on Linux or an unrecognized operating system, and urging them to run it on “Windows Server OS”.

The batch script in turn checks whether it has administrative privileges and, if not, runs a legitimate Microsoft Edge component called “cookie_exporter.exe” via a PowerShell command.

Attempting to run the binary triggers a User Account Control (UAC) prompt asking the target to run it with administrative credentials.

Once that is granted, the threat actor carries out the next phase of the attack by executing the DLL (“msedge.dll”) through a technique called DLL search order hijacking.
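The chain described above (a JavaScript entry point that shells out to a batch file, plus bundled Windows binaries in a package that is supposed to be pure JavaScript) is exactly what a pre-install triage of a downloaded package should catch. The script below is an added example written for this article, not code from Phylum or from the package itself. It statically inspects an unpacked npm package directory for install-time lifecycle hooks in package.json, for files with binary or script extensions, for PE (`MZ`) headers hiding behind a non-binary extension (a generalization beyond this case), and for JavaScript that both uses `child_process` and names a `.bat`/`.cmd` file. The sample package it builds is constructed for the demonstration and reuses only the file names reported in the article; the “binaries” are an `MZ` header plus padding, and nothing in the package is executed.

```python
"""Static triage of an unpacked npm package for traits reported in the
oscompatible case. Nothing in the package is executed."""
import json
import re
import tempfile
from pathlib import Path

# Extensions that should not normally appear in a JavaScript library.
BINARY_EXTS = {".exe", ".dll", ".dat", ".bat", ".cmd", ".ps1"}
PE_MAGIC = b"MZ"  # first two bytes of a Windows PE executable or DLL
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# JS that shells out and JS that names a batch file; both must match to flag.
SHELL_OUT = re.compile(r"child_process|\bexec(Sync|File)?\s*\(|\bspawn(Sync)?\s*\(")
BATCH_REF = re.compile(r"\w+\.(bat|cmd)\b", re.IGNORECASE)


def scan_package(root: str) -> list:
    """Return (kind, location, detail) findings for the package under root."""
    root = Path(root)
    findings = []
    pkg = root / "package.json"
    if pkg.is_file():
        scripts = json.loads(pkg.read_text(encoding="utf-8")).get("scripts", {})
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                findings.append(("install_hook", hook, scripts[hook]))
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        ext = path.suffix.lower()
        if ext in BINARY_EXTS:
            findings.append(("bundled_binary", rel, ext))
        with path.open("rb") as fh:
            head = fh.read(2)
        if head == PE_MAGIC and ext not in BINARY_EXTS:
            findings.append(("pe_disguised", rel, "MZ header under non-binary extension"))
        if ext in {".js", ".cjs", ".mjs"}:
            text = path.read_text(encoding="utf-8", errors="replace")
            batch = BATCH_REF.search(text)
            if SHELL_OUT.search(text) and batch:
                findings.append(("js_runs_batch", rel, batch.group(0)))
    return findings


def summarize(findings: list) -> dict:
    """Count findings per kind, e.g. {'bundled_binary': 4, ...}."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_sample_package() -> str:
    """Constructed package mirroring the layout the report describes.
    All contents are stand-ins; no real code or payload is written."""
    root = Path(tempfile.mkdtemp(prefix="npm-triage-"))
    (root / "package.json").write_text(json.dumps({
        "name": "sample-package", "version": "1.0.0",
        "scripts": {"postinstall": "node index.js"},
    }), encoding="utf-8")
    (root / "index.js").write_text(
        'if (process.platform !== "win32") { console.log("unsupported"); }\n'
        'else { require("child_process").execSync("autorun.bat"); }\n',
        encoding="utf-8")
    (root / "autorun.bat").write_text("@echo off\r\n", encoding="utf-8")
    for name in ("cookie_exporter.exe", "msedge.dll"):
        (root / name).write_bytes(PE_MAGIC + b"\x00" * 62)
    (root / "msedge.dat").write_bytes(b"\x17\x9a\x3c" * 8)  # opaque blob stand-in
    (root / "assets").mkdir()
    # Constructed edge case: a PE header hiding behind an image extension.
    (root / "assets" / "icon.png").write_bytes(PE_MAGIC + b"\x00" * 62)
    return str(root)


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        print(finding)
```

Run it against `npm pack`ed and extracted tarballs before they reach a build host; any `install_hook` combined with `bundled_binary` or `js_runs_batch` deserves a manual look, since a library that legitimately needs a native component normally ships it through a build step or a separately published platform package rather than as loose `.exe`/`.dll` files.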

The trojanized version of the library is designed to decrypt the DAT file (“msedge.dat”) and launch another DLL called “msedgedat.dll”, which in turn connects to an actor-controlled domain called “kdark1[.]com” to retrieve a ZIP archive.

The ZIP file comes bundled with the AnyDesk remote desktop software and a remote access Trojan (“verify.dll”) that can retrieve instructions from a command-and-control (C2) server via WebSockets and collect sensitive information from the host.

“It also installs Chrome extensions for Secure Preferences, configures AnyDesk, hides the screen and disables Windows shutdown, [and] records keyboard and mouse events,” said Phylum.

While ‘oscompatible’ appears to be the only npm module used as part of the campaign, the development is yet another sign that threat actors are increasingly targeting open-source software (OSS) ecosystems for supply chain attacks.

“From the binary side, the process of decrypting data, using a revoked certificate for signing, retrieving other files from external sources, and trying to disguise itself as a standard Windows update process along the way is relatively advanced compared to what we see normally in OSS ecosystems,” the company said.

The revelation comes as cloud security company Aqua revealed that 21.2% of the top 50,000 most downloaded npm packages are deprecated, exposing users to security risks. Put another way, these deprecated packages are downloaded an estimated 2.1 billion times per week.

This includes packages whose associated GitHub repositories have been archived or deleted, as well as packages maintained without a visible repository, commit history, or issue tracker.

“This situation becomes critical when, instead of addressing security issues with patches or CVE assignments, administrators choose to deprecate affected packages,” said security researchers Ilay Goldman and Yakir Kadkoda.

“What makes this particularly concerning is that these administrators sometimes do not officially mark the package as deprecated on npm, creating a vulnerability for users who may be unaware of potential threats.”
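The deprecation problem Aqua describes has a mechanical part that a dependency audit can check: the npm registry document for a package carries a `deprecated` string on each deprecated version and a self-declared `repository` field. The code below is an added example for this article, not Aqua's tooling; it audits registry documents in that format and flags packages whose latest version is deprecated or which declare no repository at all. The three registry documents it uses are constructed stand-ins with made-up package names. The `fetch_doc` helper shows the real registry endpoint but is not called by the offline demonstration, and the check deliberately stops at what the registry states: the unmarked case the researchers warn about (a package that is effectively abandoned but never deprecated) needs a further look at whether the declared repository still exists and is active, which this example does not attempt.

```python
"""Audit npm registry documents for deprecation and missing source repository.
Added example; the registry documents below are constructed stand-ins."""
import json
import urllib.request

REGISTRY = "https://registry.npmjs.org/"


def fetch_doc(name: str) -> dict:
    """Fetch the live registry document for a package (not used offline)."""
    with urllib.request.urlopen(REGISTRY + name, timeout=10) as resp:
        return json.load(resp)


def audit_package(doc: dict) -> dict:
    """Classify one registry document as 'deprecated', 'no_repository' or 'ok'."""
    latest = doc.get("dist-tags", {}).get("latest")
    versions = doc.get("versions", {})
    latest_meta = versions.get(latest, {})
    deprecated_versions = sorted(v for v, m in versions.items() if m.get("deprecated"))
    repo = doc.get("repository")
    # The field may be an object {"type": "git", "url": "..."} or a bare string.
    repo_url = repo.get("url") if isinstance(repo, dict) else repo
    if latest_meta.get("deprecated"):
        risk = "deprecated"
    elif not repo_url:
        risk = "no_repository"
    else:
        risk = "ok"
    return {
        "name": doc.get("name"),
        "latest": latest,
        "latest_deprecated": bool(latest_meta.get("deprecated")),
        "deprecation_message": latest_meta.get("deprecated") or "",
        "deprecated_versions": deprecated_versions,
        "repository": repo_url or "",
        "risk": risk,
    }


def audit_all(docs: list) -> dict:
    """Group package names by risk class for a quick report."""
    report = {"deprecated": [], "no_repository": [], "ok": []}
    for doc in docs:
        result = audit_package(doc)
        report[result["risk"]].append(result["name"])
    return report


# Constructed registry documents (shape follows the public registry format).
SAMPLE_DOCS = [
    {   # latest version deprecated instead of patched
        "name": "example-a",
        "dist-tags": {"latest": "2.0.1"},
        "versions": {
            "1.9.0": {},
            "2.0.1": {"deprecated": "this package is no longer maintained"},
        },
        "repository": {"type": "git", "url": "git+https://example.invalid/a.git"},
    },
    {   # not deprecated, but no repository declared at all
        "name": "example-b",
        "dist-tags": {"latest": "0.3.0"},
        "versions": {"0.3.0": {}},
    },
    {   # an older version deprecated, latest fine, repository present
        "name": "example-c",
        "dist-tags": {"latest": "1.1.0"},
        "versions": {"1.0.0": {"deprecated": "security fix in 1.1.0"}, "1.1.0": {}},
        "repository": "https://example.invalid/c",
    },
]


if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        print(json.dumps(audit_package(doc)))
    print(audit_all(SAMPLE_DOCS))
```

For a real project, feed `audit_all` the documents for every name in the lockfile; a package in the `deprecated` bucket whose message mentions a security fix in a newer version, as in the `example-c` pattern above but on the latest version, is the case where pinning has quietly left a known issue in place.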
