Summary:
The discovery of the malicious NPM package “jest-fet-mock” highlights an innovative supply chain attack that utilizes Ethereum smart contracts for command-and-control operations. This cross-platform malware targets development environments by impersonating legitimate testing utilities, showcasing a new method of leveraging blockchain technology in cyber attacks. #SupplyChainAttack #BlockchainMalware #NPMThreat
Keypoints:
First observed instance of malware utilizing Ethereum smart contracts for C2 server address distribution in the NPM ecosystem.
Typosquatting attack targeting developers by impersonating two legitimate, popular testing packages.
Cross-platform malware targeting Windows, Linux, and macOS development environments.
Uses NPM preinstall scripts to execute malicious code during package installation.
Performs info-stealing actions while establishing persistence mechanisms across infected systems.
Distributing the C2 address through a public blockchain gives attackers infrastructure that cannot be taken down, lets them point existing installs at a new server by updating the value stored in the contract rather than republishing the package, and makes blocking the lookup costly, since the loader queries the same Ethereum RPC endpoints legitimate software uses.
Malware variants designed for Windows, Linux, and macOS with distinct capabilities.
None of the malware files had been flagged as malicious by any security vendor on VirusTotal at the time of writing.
Potential access to CI/CD pipelines and build systems increases the threat level.
Ongoing campaign with additional packages reported later by security firms.
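How a dead-drop resolver of this kind works at the wire level, as an added example that is not code from the page or from the Checkmarx research: it builds the eth_call JSON-RPC request a loader would send to an Ethereum node, ABI-encodes and decodes the string return value a view function would hand back, and extracts host and port from the result so the value can be turned into a blocklist entry. The contract address (the zero address), the function selector 0xdeadbeef and the URL http://c2.example:3001 are placeholders, not indicators from the campaign, and nothing is sent over the network.

```javascript
// Added example: wire-level view of an Ethereum "dead drop" C2 resolver.
// Nothing here talks to the network; the contract address, selector and URL
// are placeholders, not indicators from the jest-fet-mock campaign.

const ZERO_ADDRESS = "0x" + "00".repeat(20);   // placeholder contract address
const PLACEHOLDER_SELECTOR = "0xdeadbeef";     // placeholder 4-byte function selector

// Left-pad a hex string to one 32-byte ABI word.
const word = (hex) => hex.padStart(64, "0");

// Build the JSON-RPC body a loader would POST to any public Ethereum RPC
// endpoint to call a view function that returns the current C2 address.
function buildEthCall(contractAddress, selector, id = 1) {
  if (!/^0x[0-9a-fA-F]{40}$/.test(contractAddress)) throw new Error("bad contract address");
  if (!/^0x[0-9a-fA-F]{8}$/.test(selector)) throw new Error("bad selector");
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: contractAddress, data: selector }, "latest"],
  };
}

// ABI-encode a Solidity `string` return value: offset word, length word, then
// the UTF-8 bytes right-padded to a multiple of 32 bytes.
function abiEncodeString(s) {
  const bytes = Buffer.from(s, "utf8");
  const data = bytes.toString("hex");
  const padded = data.padEnd(Math.ceil(data.length / 64) * 64, "0");
  return "0x" + word((32).toString(16)) + word(bytes.length.toString(16)) + padded;
}

// Decode the `result` field of the eth_call response back into the string.
// Rejects malformed or truncated payloads instead of returning garbage.
function abiDecodeString(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (h.length < 128 || h.length % 64 !== 0) throw new Error("malformed ABI payload");
  const offset = parseInt(h.slice(0, 64), 16) * 2;            // byte offset -> hex offset
  const length = parseInt(h.slice(offset, offset + 64), 16) * 2; // byte length -> hex length
  const data = h.slice(offset + 64, offset + 64 + length);
  if (data.length !== length) throw new Error("truncated string data");
  return Buffer.from(data, "hex").toString("utf8");
}

// Pull host and port out of the resolved value so a defender can turn it into
// a blocklist entry; returns null when the value does not look like a URL.
function extractEndpoint(value) {
  const m = /^(?:https?:\/\/)?([A-Za-z0-9.-]+)(?::(\d{1,5}))?(?:\/|$)/.exec(value.trim());
  if (!m) return null;
  return { host: m[1], port: m[2] ? Number(m[2]) : 80 };
}

// Stand-alone walk-through with a constructed node response.
const request = buildEthCall(ZERO_ADDRESS, PLACEHOLDER_SELECTOR);
const fakeNodeResponse = { jsonrpc: "2.0", id: 1, result: abiEncodeString("http://c2.example:3001") };
const resolvedC2 = abiDecodeString(fakeNodeResponse.result);
console.log(JSON.stringify(request));
console.log(resolvedC2, extractEndpoint(resolvedC2));
```

The detection angle follows from the request shape: a build host or developer workstation that POSTs `eth_call` bodies to a public Ethereum RPC endpoint during `npm install` has no business doing so, and the 0x-prefixed `to` address in that body is a stable indicator even after the attacker changes the string the contract returns.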
MITRE Techniques:
Command and Control (T1102.001: Web Service: Dead Drop Resolver): Retrieves the current C2 server address from an Ethereum smart contract, so the resolver cannot be taken down and the lookup cannot be blocked without also blocking legitimate Ethereum RPC traffic.
Initial Access (T1195.001: Supply Chain Compromise: Compromise Software Dependencies and Development Tools): Typosquatted package impersonating legitimate testing utilities is pulled into developer environments through npm.
Execution (T1059.007: Command and Scripting Interpreter: JavaScript): Malicious code runs from the package's preinstall script during installation, with no action from the developer beyond `npm install`.
Persistence (T1547: Boot or Logon Autostart Execution; T1543.001: Create or Modify System Process: Launch Agent): Establishes persistence through platform-specific mechanisms such as autostart entries and macOS Launch Agents.
Collection (T1005: Data from Local System): Performs info-stealing actions to gather sensitive information from infected systems.
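A defender-side check for the install-hook pattern described above, as an added example that is not code from the page or from the Checkmarx research: it lists the lifecycle scripts npm runs automatically (preinstall, install, postinstall, prepare) from a package.json, scans the files those scripts reference for the traits this report describes (Ethereum contract lookup, platform-conditional logic, remote download, process execution, autostart and Launch Agent paths), and flags the package when several co-occur. The package.json documents and the preinstall script below are constructed stand-ins, not the real jest-fet-mock files, and the contract address and selector in them are placeholders.

```javascript
// Added example: audit a package's npm lifecycle hooks for the traits this
// report describes. The sample package.json files and the preinstall script are
// constructed stand-ins, not the real jest-fet-mock files.

// Hooks npm runs without any further user action during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each trait is a label plus a regex over script source. Any one of them can be
// benign on its own; the combination is what makes an install hook suspicious.
const TRAITS = [
  ["ethereum-contract-lookup", /eth_call|\bethers\b|\bweb3\b|0x[0-9a-fA-F]{40}/],
  ["platform-conditional-logic", /process\.platform|os\.platform\(\)/],
  ["remote-download", /require\(["']https?["']\)|https?\.get\(|\bfetch\(|\baxios\b|\bcurl\b|\bwget\b/],
  ["process-execution", /child_process|execSync|spawn(?:Sync)?\(|\bexec\(/],
  ["persistence-path", /LaunchAgents|\.config\/autostart|CurrentVersion\\Run|\\Startup\\/],
];

// Return the lifecycle scripts that will run automatically on install.
function lifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string")
    .map((h) => ({ name: h, command: scripts[h] }));
}

// Return the trait labels that match a piece of script source or a command line.
function scanSource(src) {
  return TRAITS.filter(([, re]) => re.test(src)).map(([label]) => label);
}

// Audit one package: `files` maps file names to their contents (read from the
// unpacked tarball in real use; passed in here so the check runs offline).
function auditPackage(pkg, files, threshold = 2) {
  const findings = lifecycleScripts(pkg).map(({ name, command }) => {
    const referenced = Object.keys(files).filter((f) => command.includes(f));
    const traits = new Set(scanSource(command));   // catches inline `curl ... | sh` hooks too
    for (const f of referenced) for (const t of scanSource(files[f])) traits.add(t);
    return { name, command, referenced, traits: [...traits] };
  });
  return { findings, flagged: findings.some((f) => f.traits.length >= threshold) };
}

// ---- constructed samples ----------------------------------------------------
const SUSPICIOUS_PKG = {
  name: "jest-fet-mock-lookalike",   // constructed name, not the real package
  version: "0.0.1",
  scripts: { preinstall: "node preinstall.js", test: "jest" },
};

// Inert stand-in for a dead-drop style loader; it downloads and runs nothing.
const SUSPICIOUS_FILES = {
  "preinstall.js": `
const https = require("https");
const { execSync } = require("child_process");
const CONTRACT = "0x0000000000000000000000000000000000000000"; // placeholder address
const rpcBody = JSON.stringify({ jsonrpc: "2.0", id: 1, method: "eth_call",
  params: [{ to: CONTRACT, data: "0xdeadbeef" }, "latest"] });    // placeholder selector
const artifact = process.platform === "win32" ? "node-win.exe"
               : process.platform === "darwin" ? "node-macos" : "node-linux";
const autostart = process.platform === "darwin" ? "~/Library/LaunchAgents" : "~/.config/autostart";
// ... resolve <c2> from the contract, fetch <c2>/<artifact>, write an autostart entry, execSync it ...
`,
};

const BENIGN_PKG = {
  name: "native-addon-example",
  version: "1.0.0",
  scripts: { postinstall: "node-gyp rebuild", test: "jest" },
};

console.log(JSON.stringify(auditPackage(SUSPICIOUS_PKG, SUSPICIOUS_FILES), null, 2));
console.log("benign flagged:", auditPackage(BENIGN_PKG, {}).flagged);
```

The threshold of two co-occurring traits keeps ordinary native-addon builds (a postinstall that runs node-gyp) from being flagged while still catching an install hook that both talks to a blockchain and decides what to fetch based on `process.platform`. Running `npm install --ignore-scripts` in CI and only allow-listing packages whose hooks have been reviewed removes the execution path entirely, which matters here because the loaders were not detected by any VirusTotal vendor at the time of writing.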
IoC:
[URL] hxxp[:]//193[.]233[.]201[.]21:3001
[URL] hxxp[:]//193[.]233[.]201[.]21:3001/node-win.exe
[URL] hxxp[:]//193[.]233[.]201[.]21:3001/node-linux
[URL] hxxp[:]//193[.]233[.]201[.]21:3001/node-macos
[File Hash] df67a118cacf68ffe5610e8acddbe38db9fb702b473c941f4ea0320943ef32ba
[File Hash] 0801b24d2708b3f6195c8156d3661c027d678f5be064906db4fefe74e1a74b17
[File Hash] 3f4445eaf22cf236b5aeff5a5c24bf6dbc4c25dc926239b8732b351b09698653
Full Research: https://checkmarx.com/uncategorized/supply-chain-attack-using-ethereum-smart-contracts-to-distribute-multi-platform-malware/