Application Security , Next-Generation Technologies & Secure Development , Threat Intelligence
Open-Source Info Stealer RAT Hides in Malicious npm Packages
TurkoRat Capable of Credential Harvesting, Contains Features Such as Wallet GrabberResearchers have identified two legitimate-looking malicious npm packages that concealed an open-source info stealer for two months before being detected and removed.
See Also: 57 Tips to Secure Your Organization
ReversingLabs researchers found the open-source info stealer TurkoRat hiding inside two packages named nodejs-encrypt-agent
and nodejs-cookie-proxy-agent
that were collectively downloaded about 1,200 times in the past two months.
An npm registry is a database of JavaScript packages, comprising software and metadata that are used by open-source developers to support JavaScript code sharing.
TurkoRat is capable of harvesting credentials and website cookies and contains features such as a wallet grabber, which is used for stealing cryptocurrency and its data.
During investigating available packages on public repositories, ReversingLabs researchers identified a number of combinations of malicious behaviors.
They saw open-source packages containing hard-coded IP addresses in their code and executing commands and writing data to files. Usually, such activity turns out to be malicious, the researchers said.
"It is true: None of those capabilities, individually, are malicious. When seen in combination, however, they’re usually supporting malicious functionality. The presence of such suspicious characteristics and behaviors that first caused the npm package nodejs-encrypt-agent
to come to our attention," they said.
The malicious package called nodejs-encrypt-agent
was found masquerading as another legitimate npm module agent-base
, which has over 30 million downloads. Threat actors also added a link to the GitHub page of agent-base
to make it look more authentic.
Threat actors were found mimicking an older version of agent-base
that was published two months prior to the discovery of the malicious package.
This older version 6.0.2 of the agent-base
model that the malicious actors were mimicking had been downloaded over 20 million times.
"High version numbers are popular among malware authors hoping to infiltrate open-source repositories via typosquatting and other supply chain attacks, where hurried developers are often quick to grab the latest edition of a package, as designated by the version number," the researchers said.
While analyzing the nodejs-encrypt-agent
, researchers found that the code and functionality mirrored the agent-base
package.
"There was, however, a small, but very significant difference: the nodejs-encrypt-agent
package contained a portable executable file that, when analyzed by ReversingLabs was found to be malicious," they said.
This PE file gets executed when the package is run and leverages malicious commands hidden in the first few lines of the index.js
file.
Some of the key malicious behaviors identified include its ability to write to and delete from Windows system directories, execute commands, and tamper with DNS settings, among others.
"The list of malicious or suspicious behaviors observed was long, with features designed to steal sensitive information from infected systems including user login credentials and crypto wallets as well as fool or defeat sandbox environments and debuggers that are used to analyze malicious files," the researchers said.
Discovering TurkoRat
When all the JavaScript files had been extracted and the researchers looked at previous versions of the nodejs-encrypt-agent
package, they uncovered TurkoRat. The researchers confirmed their findings by correlating the JavaScript files extracted from the PE to the files found in the TurkoRat GitHub repository.
TurkoRat can be customized in the build to alter the configuration and capabilities of the finished PE. It can be distributed in various ways, including by hiding it in a legitimate software package, as it was hidden inside the nodejs-encrypt-agent
.
The nodejs-encrypt-agent
was not the only package to carry TurkoRat, but researchers uncovered the npm package nodejs-cookie-proxy-agent
, which disguised "it as a dependency, axios-proxy
, that was imported into every file found inside nodejs-cookie-proxy-agent
versions 1.1.0, 1.2.0, 1.2.1 and 1.2.2."
Researchers found the code in the nodejs-encrypt-agent
and the node-cookie-proxy-agent
, which is not as popular as agent-base
but continuously downloaded throughout last year.
"With the legitimate and malign packages only differing by two letters, this is a clear example of typosquatting, making it very possible that a developer would mistakenly download and use the malicious nodejs-cookie-proxy-agent
in place of the legitimate node-cookie-proxy-agent
," the researchers said.