Malicious npm Package Posing as a Legitimate Package's Twin Delivers r77 Rootkit

Cybersecurity researchers at ReversingLabs have identified a malicious supply chain attack affecting npm, the package registry widely used for Node.js projects, and have described it as part of a concerning trend in open-source software development.

The attack employs a tactic known as typosquatting, in which malicious actors publish packages with names strikingly similar to legitimate ones in order to deceive developers.

In this case, a single extra letter, an "s", is all that differentiates the malicious npm package from its legitimate twin, and installing the wrong one leads to the delivery of the r77 rootkit, a dangerous form of malware.


Typosquatting Campaign’s Deceptive Package

The malicious npm package at the center of this campaign goes by the name “node-hide-console-windows.” 

It cunningly mimics the legitimate npm package “node-hide-console-window,” which is utilized for toggling an application’s console window visibility. 

The similarity between the two names is so subtle that it easily escapes notice. This malicious package was discovered to have been downloaded over 700 times before it was detected and removed by npm maintainers.

The Anatomy of the Attack

The attack begins with a seemingly harmless email or message that includes a link to the malicious package. 

Unsuspecting developers who click the link are directed to what appears to be a legitimate npm page for “node-hide-console-window.” 

This page is designed to mirror the real one closely, making it challenging for developers to distinguish any discrepancies. 

Legitimate package's versions

The malicious package even had ten versions published, matching the legitimate package’s version history.

Behavior indicators of node-hide-console-windows

Upon further investigation, it became evident that the malicious code resided within the "index.js" file of the "node-hide-console-windows" package. 

This code fetched an executable that launched the Discord Remote Administration Tool, DiscordRAT 2.0. 

This open-source tool is intended for “educational use only” but is being maliciously exploited in this campaign.

DiscordRAT’s Role

DiscordRAT 2.0 is a versatile tool that allows malicious actors to easily control infected hosts. 

Once executed, it creates a channel on Discord for each victim and sends an initial payload to the compromised machine. 

From there, the attacker can issue a range of commands, from extracting information to disabling security features and even shutting down the victim’s device. 

In this campaign, DiscordRAT also plays a crucial role in deploying the r77 rootkit on the victim’s machine.

r77 Rootkit: An Open-Source Threat

The r77 rootkit, bundled with DiscordRAT in this campaign, is an example of open-source malware that’s readily available online. 

Its functions include disguising files and processes on the infected machine, making it difficult to detect and remove. 

Notably, the rootkit has been used in previous malicious campaigns, but this marks the first time it’s been concealed within a malicious open-source npm package.

Expanding Threat Landscape

This campaign underscores a growing trend where open-source projects are leveraged as vehicles for malware distribution. 

While earlier attacks primarily relied on spoofed or compromised accounts, BEC 3.0 attacks, like this typosquatting campaign, operate within the realm of legitimate services, making detection more challenging.

Even with open-source projects, no detail should be overlooked, as attackers exploit the smallest discrepancies to infiltrate development pipelines. 

Organizations must sharpen their tools for detecting risks associated with open-source packages, including vigilant scrutiny of naming, package versioning, code obfuscation, and more.

To mitigate these risks, developers should remain cautious and attentive to details when integrating open-source packages into their projects, ensuring that they do not inadvertently introduce malicious dependencies.
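One concrete way to act on the naming advice above, for the single-letter twin described earlier ("node-hide-console-windows" versus "node-hide-console-window") and for the broader scrutiny of package names the article calls for, is a pre-install check that compares each declared dependency against the names a team actually uses. The script below is an added example written for this article; it is not code from ReversingLabs, npm or the affected package. The list of known packages and the sample package.json are constructed for the demonstration.

```javascript
// Added example (not from the article or the ReversingLabs report): flag
// dependency names that sit within a small edit distance of a known,
// legitimate package name, the pattern behind "window" vs "windows".

// Classic Levenshtein edit distance between two strings, single-row variant.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // dp[i-1][j-1] for the current column
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // dp[i-1][j], saved before overwrite
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// Constructed allow-list of packages this project legitimately depends on.
// In practice this would be derived from the lockfile history or a curated
// internal list, not typed by hand.
const KNOWN_PACKAGES = ["node-hide-console-window", "express", "lodash"];

// Return every dependency that is not an exact known name but lies within
// `maxDistance` edits of one: a likely typosquat candidate worth a review.
function findTyposquatCandidates(dependencies, knownPackages = KNOWN_PACKAGES, maxDistance = 2) {
  const known = new Set(knownPackages);
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (known.has(name)) continue; // exact match: nothing to flag
    for (const legit of knownPackages) {
      const d = editDistance(name, legit);
      if (d > 0 && d <= maxDistance) {
        findings.push({ name, lookalikeOf: legit, distance: d });
      }
    }
  }
  return findings;
}

// Constructed package.json fragment containing the lookalike from the article.
const samplePackageJson = {
  dependencies: {
    "express": "^4.18.2",
    "node-hide-console-windows": "^1.0.0",
    "lodash": "^4.17.21",
  },
};

// Run the check and report anything that needs a human look before install.
for (const f of findTyposquatCandidates(samplePackageJson.dependencies)) {
  console.log(`REVIEW: ${f.name} looks like ${f.lookalikeOf} (edit distance ${f.distance})`);
}
```

The check is deliberately conservative: it only compares against names you already trust, so it cannot be fooled into accepting a lookalike simply because the lookalike is popular, and a small maximum distance keeps the review list short enough that someone will actually read it. It complements, rather than replaces, version-history and install-script review of anything it flags.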


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.