Summary:
This article discusses a newly discovered malware that disguises itself as a WhatsApp Web client, capable of deleting files while masquerading within trusted authentication processes. The malware employs a multi-stage attack, utilizing data exfiltration and a destructive payload to compromise systems. Its stealthy approach highlights the risks associated with messaging platforms and the importance of scrutinizing third-party packages.
#MalwareThreats #SupplyChainSecurity #DataExfiltration
Key points:
The malware masquerades as a legitimate WhatsApp Web client.
It can delete files and exfiltrate sensitive data.
Utilizes WhatsApp’s authentication process to hide its malicious actions.
Discovered in the npm package @vreden/meta.
Employs Base64 encoding to obscure its data collection endpoints.
Contains a remote kill switch that executes destructive commands.
Establishes unauthorized connections to remote servers for data exfiltration.
Threat actors exploit human error and trust in package authors.
Socket’s security tools can help detect and mitigate such threats.
MITRE Techniques:
Command and Scripting Interpreter (T1059.004): Utilizes Unix shell commands to execute destructive operations.
Deobfuscate/Decode Files or Information (T1140): Uses encoding techniques to hide malicious code and endpoints.
Exfiltration Over C2 Channel (T1041): Exfiltrates data through command and control channels.
Indicator Removal on Host: File Deletion (T1070.004): Executes commands to delete files and directories without recovery options.
IoC:
[url] hxxps://rest-api[.]vreden[.]my[.]id?leads?id=
[url] hxxps://ipwho[.]is/?lang=id-ID
[url] hxxps://rest-api[.]vreden[.]my[.]id?cek?id=
[tool name] @vreden/meta
[tool name] baileys
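As an added, defender-side example that is not part of the original article and not Socket's tooling: a Python scanner that finds Base64 string literals in a package's JavaScript, decodes them, and flags any that decode to a URL matching the defanged IoCs listed above (refanged only in memory), to any other URL, or to a destructive Unix shell command of the kind T1059.004 and T1070.004 describe. The JavaScript it scans is a constructed sample modelled on the key points; it is not code from @vreden/meta, and the hidden-endpoint and kill-switch strings are assumptions used only to exercise the detector.

```python
import base64
import re
from typing import Dict, List

# IoCs exactly as listed on the page (defanged); refanged only in memory for matching.
DEFANGED_IOCS = [
    "hxxps://rest-api[.]vreden[.]my[.]id?leads?id=",
    "hxxps://ipwho[.]is/?lang=id-ID",
    "hxxps://rest-api[.]vreden[.]my[.]id?cek?id=",
]

# A quoted string literal made only of Base64 alphabet characters (16+ chars, optional padding).
B64_LITERAL = re.compile(r"""['"`]([A-Za-z0-9+/]{16,}={0,2})['"`]""")
URL_RE = re.compile(r"https?://[\w.-]+")
# "rm" with a flag group containing r or f (-rf, -fr, -r): the no-recovery deletion T1070.004 describes.
DESTRUCTIVE_SHELL = re.compile(r"\brm\s+-\w*[rf]\w*")


def refang(ioc: str) -> str:
    """Turn the page's defanged notation back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def decode_literal(token: str):
    """Decode a Base64 token; return None unless it yields readable text."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad padding/alphabet or binary payload
        return None
    if all(ch.isprintable() or ch in "\n\t" for ch in text):
        return text
    return None


def classify(decoded: str, ioc_urls: List[str]) -> List[str]:
    """Name the reasons a decoded literal is suspicious (empty list = benign)."""
    reasons = []
    if any(decoded.startswith(u) for u in ioc_urls):
        reasons.append("known_ioc")
    elif URL_RE.search(decoded):
        reasons.append("hidden_url")
    if DESTRUCTIVE_SHELL.search(decoded):
        reasons.append("destructive_shell")
    return reasons


def scan_source(source: str, defanged_iocs=DEFANGED_IOCS) -> List[Dict]:
    """Return one finding per Base64 literal that decodes to something suspicious."""
    ioc_urls = [refang(i) for i in defanged_iocs]
    findings = []
    for m in B64_LITERAL.finditer(source):
        decoded = decode_literal(m.group(1))
        if decoded is None:
            continue
        reasons = classify(decoded, ioc_urls)
        if reasons:
            findings.append({
                "line": source.count("\n", 0, m.start()) + 1,
                "decoded": decoded,
                "reasons": reasons,
            })
    return findings


def encode_sample(text: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample JavaScript modelled on the page's description; not the real package source.
# The endpoint strings mirror the page's IoCs; the kill-switch command is an assumed placeholder.
SAMPLE_SOURCE = "\n".join([
    "const axios = require('axios');",
    "// endpoints and kill switch hidden behind Base64, as the key points describe",
    "const ep = Buffer.from('" + encode_sample("https://rest-api.vreden.my.id?cek?id=") + "', 'base64').toString();",
    "const geo = Buffer.from('" + encode_sample("https://ipwho.is/?lang=id-ID") + "', 'base64').toString();",
    "const kill = Buffer.from('" + encode_sample("rm -rf ./* 2>/dev/null") + "', 'base64').toString();",
    "const version = '1.0.0';",
    "const digest = 'd41d8cd98f00b204e9800998ecf8427e';",  # hex digest: decodes to binary, so ignored
])

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['reasons']} -> {f['decoded']!r}")
```

Running the block reports the two refanged IoC endpoints on lines 3 and 4 and the destructive shell string on line 5, while the version string and the hex digest are ignored (the digest decodes to non-UTF-8 bytes and is dropped). In practice the function would be run over every `.js` file in `node_modules` after `npm install`, and any `known_ioc` hit on the package named above is grounds for removing it and rotating any credentials the host had access to.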
Full Research: https://socket.dev/blog/malicious-npm-package-exploits-whatsapp-authentication-with-remote-kill-switch