
In the malicious NPM package, the variable aj is assigned a malicious script that defines a makeLog function used to send messages to the attacker's server. Its setHeader function attempts to detect whether the script is running inside a virtual machine by collecting system information, which it then sends to the malicious server (172[.]86[.]64[.]67).

Moreover, the malicious code attempts to install the socket.io-client library via the npm install command in order to establish a socket connection to the C&C server (172[.]86[.]64[.]67) and listen for "command" messages from it. Once a command is received, it is executed with exec(), and the execution result is sent back to the malicious server. The server can also retrieve the client's current environment information through the "whour" command.

The variable ak was assigned a malicious script that primarily aims to steal sensitive data from browsers and users, and send the stolen sensitive data back to the malicious server.

The variable al was also assigned a malicious script that mainly scans the target computer's file system for sensitive data files and sends the stolen sensitive data to the malicious server.

The malicious script assigned to variable am implements keylogging, screenshot capture, and clipboard monitoring, and sends the collected data back to the malicious server.


We also noticed that two GitHub accounts forked this repository, and after analyzing these forks we found the initial [email protected] malicious NPM package in their package.json files.

Indicators of Compromise (IoCs)
IPs:
144[.]172[.]112[.]106
172[.]86[.]64[.]67
SHA256:
af46c7917f04a9039eb0b439a7615ec07b7ad88048cb24fe23c454c16dffcd57 - rtk-logger-1.11.5.tgz
GitHub repositories using [email protected]:
https://github[.]com/EvaCodes-Community/UltraX
GitHub repositories using [email protected]:
https://github[.]com/kylengn/UltraX
https://github[.]com/taqveemahsan/UltraX
https://github[.]com/zinping/Pain_project
Malicious NPM packages:
https://www[.]npmjs[.]com/package/rtk-logger
https://www[.]npmjs[.]com/package/redux-ace
NPM package download address:
https://registry[.]npmjs[.]org/rtk-logger/-/rtk-logger-1.11.5.tgz
Summary
In this incident, the attackers disguised themselves as a legitimate open-source project (EvaCodes-Community/UltraX) to induce interviewees to download and run malicious code. If the interviewee runs the project containing the malicious NPM package without any precautions, it could lead to sensitive data leakage and asset theft. We recommend that developers and users be highly vigilant about unknown GitHub projects, and if debugging is necessary, it is advised to run and debug in an isolated environment without sensitive data.
Disclaimer: As a blockchain information platform, the articles published on this site represent only the personal views of the authors and guests, and are not related to the Web3Caff stance. The information in the articles is for reference only and does not constitute any investment advice or offer. Please comply with the relevant laws and regulations of your country or region.