First-Ever Rootkit in Rogue npm Package – A New Supply Chain Threat
In a significant development, a rogue npm package lurking in the npm package registry has been discovered delivering an open-source rootkit called r77.
This marks the first instance where a deceptive package has been used to deploy rootkit functionality. The deceptive package, named node-hide-console-windows, closely mimics the legitimate npm package node-hide-console-window.
This incident is a classic case of typosquatting. Notably, this rogue package managed to garner 704 downloads over the past two months before it was taken down.
Key Takeaways from First-Ever Rootkit in Rogue npm Package: A New Supply Chain Threat:
- Rootkit via Rogue npm Package: A rogue npm package, node-hide-console-windows, has been found to deliver an open-source rootkit known as r77. This marks a concerning development in the realm of supply chain attacks.
- Typosquatting Campaign: The deceptive package mimics a legitimate npm package through typosquatting, a tactic used to deceive users by creating a package name similar to a trusted one.
- Malicious Payload: Upon execution, the rogue package fetches and runs an executable, DiscordRAT 2.0, which allows attackers to take control of a victim’s system and collect sensitive data.
Discovery of Rogue npm Package
A recent discovery in the world of cybersecurity reveals a rogue npm package hiding within the npm package registry. This package, named node-hide-console-windows, is responsible for deploying an open-source rootkit called r77.
What’s particularly alarming is that this incident represents the first documented case of a deceptive package delivering rootkit functionality.
Typosquatting Campaign Unveiled
The deceptive npm package, node-hide-console-windows, cleverly disguises itself as node-hide-console-window, a legitimate package. This tactic is known as typosquatting, where malicious actors create package names strikingly similar to trusted ones.
Remarkably, this rogue package managed to amass 704 downloads over a span of two months before it was eventually removed.
Unmasking the Malicious Payload
ReversingLabs, a cybersecurity firm, detected this deceptive package in August 2023. Upon investigation, it was revealed that the package not only mimicked a legitimate package but also downloaded a Discord bot.
This Discord bot played a pivotal role in facilitating the installation of an open-source rootkit named r77. This discovery sheds light on the potential misuse of open-source projects as a distribution channel for malware.
DiscordRAT 2.0: The Trojan at Play
The malicious executable fetched by node-hide-console-windows is DiscordRAT 2.0, a C#-based open-source trojan. This trojan equips threat actors with over 40 commands to remotely control compromised hosts via Discord.
These commands enable data collection and the disabling of security software. Notably, one of the commands, “!rootkit,” triggers the execution of the r77 rootkit on the compromised system. r77, maintained by bytecode77, is a “fileless ring 3 rootkit” designed to conceal files and processes.
A History of Malicious Use
r77 has a dark history of being utilized in malicious campaigns. Threat actors have employed it in attack chains, distributing threats like the SeroXen trojan and cryptocurrency miners.
This indicates the versatility and adaptability of the rootkit in the hands of malicious actors.
Additional Threats Uncovered
In a concerning twist, two versions of node-hide-console-windows were found to fetch an open-source information stealer known as Blank-Grabber alongside DiscordRAT 2.0.
This information stealer was disguised as a “visual code update.” This multi-pronged attack approach adds complexity to the threat.
A Low-Effort, High-Impact Campaign
What makes this campaign particularly concerning is its simplicity. It is built using components readily available online, making it relatively easy for threat actors to assemble.
This underscores the growing threat of supply chain attacks and the potential for even low-stakes actors to exploit this avenue.
Caution for Developers
Developers are urged to exercise caution when installing packages from open-source repositories. The attackers behind this campaign went to great lengths to make their packages appear trustworthy.
They meticulously crafted an npm page that closely resembled the legitimate package’s page, even creating ten versions of the malicious package to mirror the legitimate one.
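The name-similarity trick described above (node-hide-console-windows versus node-hide-console-window) can be caught before install with a small manifest check. The following is an added example, not code from the article or from ReversingLabs; the trusted-name list and the sample package.json are constructed here, and the edit-distance threshold of 2 is an assumption.

```javascript
// Added example: flag dependencies whose names are a near-miss of a trusted
// package name, the typosquatting pattern used by node-hide-console-windows.
// The trusted list and sample manifest below are constructed for illustration.

// Damerau-Levenshtein (optimal string alignment) distance: counts insertions,
// deletions, substitutions and adjacent transpositions, so "exrpess" vs
// "express" scores 1, the same as a single dropped or added character.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Walk dependencies and devDependencies; anything that is not itself on the
// trusted list but sits within maxDistance edits of a trusted name is reported.
// Returns [{ dependency, lookalikeOf, distance }], empty when nothing is suspect.
function findTyposquats(packageJson, trustedNames, maxDistance = 2) {
  const trusted = new Set(trustedNames);
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const findings = [];
  for (const dep of Object.keys(deps)) {
    if (trusted.has(dep)) continue; // exact match to a trusted name is fine
    for (const name of trustedNames) {
      const distance = editDistance(dep, name);
      if (distance <= maxDistance) findings.push({ dependency: dep, lookalikeOf: name, distance });
    }
  }
  return findings;
}

// Constructed sample manifest: one legitimate dependency, one lookalike.
const samplePackageJson = {
  dependencies: { "node-hide-console-windows": "^1.0.0", express: "^4.18.0" },
};
// Constructed allow-list of names the project is known to depend on.
const trustedNames = ["node-hide-console-window", "express"];

console.log(findTyposquats(samplePackageJson, trustedNames));
```

A finding is a prompt to verify the package's publisher and history on the registry page, not proof of malice; legitimate forks sometimes differ from their upstream by a single character too.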
Conclusion
The discovery of a rootkit in a rogue npm package highlights the evolving landscape of supply chain threats. Typosquatting campaigns and the misuse of open-source projects as malware distribution channels pose significant challenges to cybersecurity.
Developers and users alike must remain vigilant and adopt best practices to mitigate these threats.
About ReversingLabs:
ReversingLabs is a cybersecurity firm specializing in software supply chain security. Its expertise lies in detecting and mitigating threats within software packages, helping organizations protect their digital assets from various cyberattacks.