Summary: An ongoing campaign is targeting npm developers with typosquatted packages to distribute cross-platform malware, utilizing Ethereum smart contracts for command-and-control (C2) server address distribution. This innovative approach complicates detection and takedown efforts, posing a significant threat to the open-source ecosystem.
Threat Actor: Unknown | unknown
Victim: npm developers | npm developers
Key Point :
- 287 typosquat packages have been published to the npm registry, targeting developers of popular libraries like Puppeteer and Bignum.js.
- The malware retrieves a next-stage binary based on the operating system, establishing persistence and exfiltrating sensitive information.
- JavaScript code interacts with Ethereum smart contracts to fetch IP addresses, making the attack infrastructure resilient to takedown efforts.
- Error messages in Russian suggest the threat actor may be a Russian speaker, highlighting the need for vigilance among developers.
- The use of blockchain technology complicates detection and enhances the resilience of the attack infrastructure.
An ongoing campaign is targeting npm developers with hundreds of typosquat versions of their legitimate counterparts in an attempt to trick them into running cross-platform malware.
The attack is notable for utilizing Ethereum smart contracts for command-and-control (C2) server address distribution, according to independent findings from Checkmarx, Phylum, and Socket published over the past few days.
The activity was first flagged on October 31, 2024, although it’s said to have been underway at least a week prior. No less than 287 typosquat packages have been published to the npm package registry.
“As this campaign began to unfold in earnest, it became clear that this attacker was in the early stages of a typosquat campaign targeting developers intending to use the popular Puppeteer, Bignum.js, and various cryptocurrency libraries,” Phylum said.
The packages contain obfuscated JavaScript that’s executed during (or post) the installation process, ultimately leading to the retrieval of a next-stage binary from a remote server based on the operating system.
The binary, for its part, establishes persistence and exfiltrates sensitive information related to the compromised machine back to the same server.
But in an interesting twist, the JavaScript code interacts with an Ethereum smart contract using the ethers.js library to fetch the IP address. It’s worth mentioning here that a campaign dubbed EtherHiding leveraged a similar tactic by using Binance’s Smart Chain (BSC) contracts to move to the next phase of the attack chain.
The decentralized nature of blockchain means it’s harder to block the campaign as the IP addresses served by the contract can be updated over time by the threat actor, thereby allowing the malware to seamlessly connect to new IP addresses as older ones are blocked or taken down.
“By using the blockchain in this way, the attackers gain two key advantages: their infrastructure becomes virtually impossible to take down due to the blockchain’s immutable nature, and the decentralized architecture makes it extremely difficult to block these communications,” Checkmarx researcher Yehuda Gelb said.
It’s currently not clear who is behind the campaign, although the Socket Threat Research Team said it identified error messages written in Russian for exception handling and logging purposes, suggesting that the threat actor could be a Russian speaker.
The development once again demonstrates the novel ways attackers are poisoning the open-source ecosystem, necessitating that developers be vigilant when downloading packages from software repositories.
“The use of blockchain technology for C2 infrastructure represents a different approach to supply chain attacks in the npm ecosystem, making the attack infrastructure more resilient to takedown attempts while complicating detection efforts,” Gelb said.
Source: https://thehackernews.com/2024/11/malware-campaign-uses-ethereum-smart.html