
Pentesters Pushed Malicious NPM Packages Against German Firms

A number of malicious packages have been spotted in the npm registry specifically targeting prominent German media, logistics, and industrial firms in order to launch supply chain attacks.

The malicious packages

Researchers from JFrog disclosed that the payload in these malicious packages is highly sophisticated, obfuscated malware that acts as a backdoor and allows the attacker to take complete control of the infected system.
  • All the rogue packages (now removed from the registry) have been traced to four maintainers: bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm.
  • The maintainer names imply an attempt to impersonate genuine firms, namely Bosch, Stihl, DB Schenker, and Bertelsmann.
  • Some of the package names are very specific, indicating that the attackers managed to identify libraries hosted in the firms' internal repositories with the aim of staging a dependency confusion attack.
Initially it was assumed that a sophisticated threat actor was behind the campaign, but the penetration testing firm Code White later admitted to uploading the malicious packages.
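A dependency confusion attack succeeds when npm resolves an internal package name from the public registry instead of the organisation's private one. The following added example (not code from the article, JFrog, or Code White) scans a package-lock.json for exactly that symptom; the package names, registry host and lockfile contents are constructed for illustration.

```javascript
// Added example: find internal-only dependencies that a lockfile (lockfileVersion 2/3)
// resolved from a registry other than the organisation's private one.

// Constructed sample lockfile: two internal packages, one correctly pulled from the
// private registry and one that npm resolved from the public registry instead.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: {} },
    "node_modules/example-internal-auth": {
      version: "1.2.0",
      resolved: "https://npm.internal.example/example-internal-auth/-/example-internal-auth-1.2.0.tgz",
    },
    "node_modules/example-internal-logging": {
      version: "9.9.9",
      resolved: "https://registry.npmjs.org/example-internal-logging/-/example-internal-logging-9.9.9.tgz",
    },
    "node_modules/lodash": {
      version: "4.17.21",
      resolved: "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
    },
  },
};

// Names the organisation publishes only to its private registry (constructed).
const INTERNAL_PACKAGES = new Set(["example-internal-auth", "example-internal-logging"]);
const INTERNAL_REGISTRY_HOST = "npm.internal.example";

// Return lock entries whose name is on the internal list but whose tarball did not come
// from the internal registry host. Entries without a parsable "resolved" URL are flagged
// too, because their origin cannot be verified.
function findConfusedDependencies(lockfile, internalNames, internalHost) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // The package name is everything after the last "node_modules/" (handles nesting and scopes).
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;
    const name = path.slice(idx + "node_modules/".length);
    if (!internalNames.has(name)) continue;
    let host = null;
    try { host = new URL(entry.resolved).host; } catch { /* missing or unparsable URL */ }
    if (host !== internalHost) findings.push({ name, version: entry.version, resolvedHost: host });
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(findConfusedDependencies(SAMPLE_LOCKFILE, INTERNAL_PACKAGES, INTERNAL_REGISTRY_HOST));
}
```

Running the check in CI on every lockfile change turns a silent registry switch into a build failure; binding internal scopes to the private registry in .npmrc prevents the switch in the first place.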

The malware payload

An analysis of the malicious packages revealed that their payload matches the previously reported ‘gxm-reference-web-auth-server’ malicious package. It has two parts: a dropper and a payload.
  • The dropper sends information about the infected system to the malware’s telemetry server (hosted at www[.]pkgio[.]com) via HTTPS and DNS.
  • This information includes the victim's hostname, username, and the contents of the files /etc/resolv[.]conf and /etc/hosts.
  • Subsequently, the dropper decrypts and runs the malicious payload.
  • Depending on the configuration, the payload is either JavaScript-based or a native binary compiled for the target platform.

Conclusion

The attack turned out to be a rigorous penetration test by a German firm, designed to mimic a real-world attack. Penetration testing and research of this kind can genuinely help organizations defend against dependency confusion attacks.
Cyware Publisher