Open-Source Infostealer RAT Hidden in Malicious NPM Packages

Researchers have identified two legitimate-looking malicious npm packages that concealed an open-source infostealer for two months before being detected and removed.

See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources

ReversingLabs researchers found the open-source infostealer TurkoRat hiding inside two packages named nodejs-encrypt-agent and nodejs-cookie-proxy-agent that were collectively downloaded about 1,200 times in the past two months.

An npm registry is a database of JavaScript packages, comprising software and metadata that are used by open-source developers to support JavaScript code sharing.

TurkoRat is capable of credential harvesting and website cookies and possesses features like a wallet grabber used for stealing cryptocurrency and its data.

During investigating available packages on public repositories, ReversingLabs researchers identified a number of combinations of malicious behaviors.

Researchers observed open-source packages containing hard-coded IP addresses in their code and executing commands and writing data to files, usually this activity turns out to be malicious, researchers said.

“It is true: None of those capabilities, individually, are malicious. When seen in combination, however, they’re usually supporting malicious functionality. The presence of such suspicious characteristics and behaviors that first caused the npm package nodejs-encrypt-agent to come to our attention,” researchers said.

The malicious package called nodejs-encrypt-agent was found masquerading as another legitimate npm module agent-base with over 30 million downloads. Threat actors also added a link to the GitHub page of the agent-base to make it look more authentic.

Threat actors were found mimicking an older version of the agent-base that was published two months prior to the discovery of the malicious package.

This older version 6.0.2 of the agent-base model that the malicious actors were mimicking had been downloaded over 20 million times.

“High version numbers are popular among malware authors hoping to infiltrate open-source repositories via typosquatting and other supply chain attacks, where hurried developers are often quick to grab the latest edition of a package, as designated by the version number,” researchers said.

While analyzing the nodejs-encrypt-agent, researchers found that the code and functionality mirrored the agent-base package.

“There was, however, a small, but very significant difference: the nodejs-encrypt-agent package contained a portable executable file that, when analyzed by ReversingLabs was found to be malicious,” researchers said.

This PE file gets executed when the package is run and leverages malicious commands hidden in the first few lines of the index.js file.

Some of the key malicious behaviors identified include its ability to write to and delete from Windows system directories; the ability to execute commands; and has ability to tamper with DNS settings, among others.

“The list of malicious or suspicious behaviors observed was long, with features designed to steal sensitive information from infected systems including user login credentials and crypto wallets as well as fool or defeat sandbox environments and debuggers that are used to analyze malicious files,” researchers said.

Discovering TurkoRat

When all the javascript files were extracted and looking at previous versions of the nodejs-encrypt-agent package, researchers uncovered TurkoRat. Researchers confirmed their findings by correlating the javascript files extracted from the PE to the files found in the TurkoRat GitHub repository.

TurkoRat can be customized in the build to alter the configuration and capabilities of the finished PE. It can be distributed using various ways including hiding it in a legitimate software package, as it was hidden inside the nodejs-encrypt-agent.

The nodejs-encrypt-agent was not the only package to carry TurkoRat, but researchers uncovered the npm package nodejs-cookie-proxy-agent, which disguised “it as a dependency, axios-proxy, that was imported into every file found inside nodejs-cookie-proxy-agent versions 1.1.0, 1.2.0, 1.2.1 and 1.2.2.”

Researchers found the code in the nodejs-encrypt-agent and the nodejs-cookie-proxy-agent mirrors a commonly used, legitimate package, node-cookie-proxy-agent, which is not as popular as agent-base, but it was continuously downloaded throughout last year.

“With the legitimate and malign packages only differing by two letters, this is a clear example of typosquatting, making it very possible that a developer would mistakenly download and use the malicious nodejs-cookie-proxy-agent in place of the legitimate node-cookie-proxy-agent,” researchers said.