• Malicious campaigns targeting open-source ecosystems are causing a flood of spam, SEO poisoning, and malware infection.
• The threat actors create malicious websites and publish empty packages with links to those malicious websites, taking advantage of open-source ecosystems’ good reputation on search engines.
• The attacks caused a Denial of Service (DoS) that made NPM unstable with sporadic “Service Unavailable” errors.
• The campaigns included a malware infection campaign, a referral scam campaign linked to AliExpress, and a crypto scam campaign targeting Russian users on Telegram.
• Various IOCs were identified, including domain names, IP addresses, and URLs.

We’ve seen spam campaigns in the open-source ecosystems in the past year, but this month was by far the worst one we’ve seen yet.

Apparently, attackers found the unvetted open-source ecosystems as an easy target to perform SEO poisoning for various malicious campaigns. As long as the name is untaken, they can publish an unlimited number of packages.

Typically, the number of package versions released on NPM is approximately 800,000. However, in the previous month, the figure exceeded 1.4 million due to the high volume of spam campaigns.

SEO Poisoning

In this attack method, cybercriminals create malicious websites and publish empty packages with links to those malicious websites. Since the open source ecosystems are highly reputed on search engines, any new open-source packages and their descriptions inherit this good reputation and become well-indexed on search engines, making them more visible to unsuspecting users.

Denial of Service

The unstoppable load created by those automated scripts made NPM unstable with sporadic “Service Unavailable” errors. I can witness in the past week it happened to me and my colleagues many times.

“Service Unavailable” errors reported globally by frustrated users.

Spam Campaigns

We mapped several campaigns, and we believe they are all likely operated by the same threat actor, although we can’t confirm that at this time. It’s possible that there are several threat actors, each operating a campaign individually.

The concept is simple. Each package contains nothing but a readme file. This readme file is displayed on the package’s page and contains a unique, short link to another website with the context of the original npm package.

Malware Infection Campaign

This campaign’s goal is to infect the victim with a malicious .exe file. The bait is tempting illegal warez description. Most likely the victims are going to search and land on those npm pages.

Upon clicking on the short link, there is a custom website that appears to be legitimate but is hosted on the threat actor’s infrastructure, offering a download of the warez software.

This downloads a password-encrypted zip file which when extracted, creates a zero-padded .exe file size of ~600MB. This technique is used to avoid detection by EDRs.

We reduced the file size using the “dd” command to ~10mb.

dd if=Install.exe of=Install-trim.exe bs=1024 count=10240

We then analyzed the malware in AnyRun where we observed a variety of tactics employed by the threat actors. These tactics include DLL side-loading, virtualization/sandbox evasion, disable tools and firewalls, drop of tools such as Glupteba, RedLine, Smoke Loader, xmrig and more to steal credentials and to mine cryptocurrency.

AliExpress Referral Scam Campaign

As we covered it in this report, the attackers linked to retail websites such as AliExpress using referral IDs created by them, thus profiting from the referral rewards.

Crypto Scam Campaign

In this case, the attackers invited Russian users to join a Telegram channel specialize in crypto. There are all kind of keywords.

Summary

The scale of this campaign is significant. The load caused NPM to become unstable with sporadic “Service Unavailable” errors.

The battle against threat actors poisoning our software supply chain ecosystem continues to be challenging, as attackers constantly adapt and surprise the industry with new and unexpected techniques.

IMHO NPM should apply anti-bot techniques specifically in the flow of user creation. That might help prevent such automated campaigns.

If you would like access to the original metadata or samples from this phishing campaign, please feel free to send an email to supplychainsecurity@checkmarx.com. Our team will be happy to provide you with the information you need.

IOC

beelowers[.]com
api2[.]check-data.xyz
aapu[.]at
sun6–20[.]userapi.com
sun6–22[.]userapi.com
iplis[.]ru
potunulit[.]org
server13[.]cdneurops.pics
bebekmanti[.]com
hxxp://208.67.104.60/api/tracemap.php
hxxp://208.67.104.60/api/firegate.php
hxxp://45.12.253.74/pineapple.php?pub=mixinte
hxxp://163.123.143.4/download/Service_.vmp
hxxp://194.110.203.101/puta/brazilx86.exe
hxxp://163.123.143.4/download/Service.vmp
hxxp://193.233.20.35/gallery/photo_007.exe
hxxp://hugersi.com/dl/6523.exe
hxxp://ji.ghwiwwff.com/m/oskg25
hxxp://94.142.138.113/api/tracemap.php
hxxp://163.123.143.4/download/WWW14.bmp
hxxp://94.142.138.131/api/tracemap.php
hxxp://94.142.138.113/api/firecom.php
hxxp://94.142.138.131/api/firegate.php
hxxp://230320051222585.btl.jbc75.shop/f/fsbm0320.exe
hxxp://15.204.49.142/files/123.exe
hxxp://potunulit.org/
hxxp://193.233.20.29/games/category/index.php
hxxp://45.12.253.72/default/puk.php
hxxp://193.233.20.29/games/category/Plugins/cred.dll
hxxp://45.12.253.75/dll.php
hxxp://65.109.226.91/0ab626f8f67208ad.php
hxxp://aapu.at/tmp/
hxxp://193.233.20.29/games/category/Plugins/clip.dll
hxxp://45.12.253.72/default/stuk.php
hxxp://45.12.253.56/advertisting/plus.php?s=NOSUB&str=mixtwo&substr=mixinte