Summary:
The Socket Research team has uncovered a malicious package named “akiraa-wb” that facilitates unauthorized file uploads to various external services. The obfuscated code within the package enables covert data transfer without user consent, posing significant risks to personal data security. The package is linked to WhatsApp automation tools, which may lead to account suspensions due to policy violations.
#DataExfiltration #UnauthorizedAccess #MaliciousPackage
The Socket Research team has uncovered a malicious package named “akiraa-wb” that facilitates unauthorized file uploads to various external services. The obfuscated code within the package enables covert data transfer without user consent, posing significant risks to personal data security. The package is linked to WhatsApp automation tools, which may lead to account suspensions due to policy violations.
#DataExfiltration #UnauthorizedAccess #MaliciousPackage
Keypoints:
Identification of the “akiraa-wb” package designed for unauthorized file uploads.
Obfuscated code that covertly transfers files to multiple external services.
Services targeted include telegra.ph, pomf2.lain.la, and catbox.moe.
Package categorized under ‘Selfbot WhatsApp’, indicating automation of personal tasks.
Potential risks include account suspension due to WhatsApp’s strict policies.
Healthy version release cadence with no open source maintainers.
Code includes functions for creating and sending form data via HTTP POST requests.
Malicious behavior classified due to unauthorized data exfiltration.
MITRE Techniques
Data Exfiltration Over Command and Control Channel (T1041): Uses external services to upload files without user consent.
Obfuscated Files or Information (T1027): Employs obfuscation techniques to hide malicious code functionality.
Application Layer Protocol (T1071): Utilizes HTTP POST requests to transfer data to external file-sharing services.
IoC:
[url] hxxps://telegra.ph/upload
[url] hxxps://pomf2.lain.la/upload.php
[url] hxxps://upload.uploadcare.com/base/
[url] hxxps://tmpfiles.org/api/v1/upload
[url] hxxps://uguu.se/upload.php
[url] hxxps://api.gofile.io/getServer
[url] hxxps://{server}.gofile.io/uploadFile
[url] hxxp://0x0.st
[url] hxxps://catbox.moe/user/api.php
[url] hxxps://itzpire.site/tools/upload
[url] hxxps://skizo.tech/api/upload
Full Research: https://socket.dev/blog/malicious-akiraa-wb-npm-package-exfiltrates-files-to-external-services