Summary:
The Socket research team has uncovered a sophisticated malware campaign utilizing Ethereum smart contracts for command and control, marking a significant evolution in supply chain attacks targeting the npm ecosystem. This innovative approach makes traditional detection methods ineffective, as attackers leverage blockchain technology to maintain persistent control over their malware. The campaign has already impacted millions of downloads, demonstrating the need for enhanced security measures in software supply chains.
#SupplyChainSecurity #BlockchainMalware #npmThreats
The Socket research team has uncovered a sophisticated malware campaign utilizing Ethereum smart contracts for command and control, marking a significant evolution in supply chain attacks targeting the npm ecosystem. This innovative approach makes traditional detection methods ineffective, as attackers leverage blockchain technology to maintain persistent control over their malware. The campaign has already impacted millions of downloads, demonstrating the need for enhanced security measures in software supply chains.
#SupplyChainSecurity #BlockchainMalware #npmThreats
Keypoints:
Discovery of a malware campaign using Ethereum smart contracts for command and control.
Initial package “haski” was a typosquat targeting the legitimate “husky” library.
Malicious code executed automatically upon installation through a postinstall script.
Over 1.6 million downloads were impacted by similar supply chain attacks in 2023.
Dozens of malware packages exhibited identical blockchain-based characteristics.
Attackers used fake maintainer profiles with randomized usernames and plausible email addresses.
Malware operates in three stages: blockchain-based C2 retrieval, cross-platform payload distribution, and stealthy execution.
Malware utilizes non-standard ports and direct IP addresses for C2 communication.
Russian language elements found in the malicious code suggest possible attacker proficiency.
Traditional security measures are insufficient against this evolving threat landscape.
MITRE Techniques:
Command and Control (T1071): Utilizes blockchain-based smart contracts for C2 communication.
Obfuscated Files or Information (T1027): Employs obfuscation techniques in malicious code to evade detection.
Application Layer Protocol (T1071.001): Uses Ethereum smart contracts to retrieve payload URLs.
Credential Dumping (T1003): Potentially collects credentials through malicious payloads.
Exploitation of Remote Services (T1210): Targets npm packages for exploitation through typosquatting.
IoC:
[Ethereum Contract] 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b
[Wallet Address] 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84
[File Name] node-win.exe
[File Name] node-linux
[File Name] node-macos
[Email] KarenCampbelljzm2902@gmail[.]com
[IP Address] 45[.]125[.]67[.]172
Full Research: https://socket.dev/blog/massive-npm-malware-campaign-leverages-ethereum-smart-contracts