Category | Malware Intelligence
Malware Name | Possibly DanaBot
Affected OS | Windows, Linux
Executive Summary
- On Friday, 22 October 2021, attackers hijacked the NPM account of the developer of UAParser.js.
- UAParser.js is a library used by web applications to detect information about users' browser types and operating systems.
- Attackers abused this library to distribute crypto-mining and password-stealing malware to Windows and Linux operating systems.
- According to the developer's website, this module is used by several big corporations including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, and Reddit.
Information from Technical Analysis
On 22 October 2021, a threat actor released malicious versions of UAParser.js, a module distributed through NPM (Node Package Manager). These altered versions of UAParser allow attackers to install crypto miners and password-stealing trojans on Linux and Windows machines.
The Process
- An attacker hijacked and exploited the NPM account of the developer of UAParser.js, Faisal Salman.
- The attacker took advantage of this access to change the library's deployment package by adding instructions to run a new script called preinstall.js. The Windows and Linux scripts launched by the Node.js package, preinstall.bat and preinstall.sh, were also included in this package.
- The hijacker then released three new versions containing the malicious scripts:
- 0.7.29
- 0.8.0
- 1.0.0
- When a compromised package is installed on a user's device, a script checks the OS and launches the shell script preinstall.sh.
- On Linux, the preinstall.js script checks the operating system.
- On Windows, a batch file (preinstall.bat) checks the operating system.
The Developer’s Statement
- The developer of UAParser.js, Faisal Salman, said in his bug report: "I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don't realize something was up, luckily the effect is quite the contrary). I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0)".
Detailed Description
- Linux: If the package is installed on a Linux device, the preinstall.sh script is executed to check whether the user is located in Russia, Ukraine, Belarus, or Kazakhstan. If the device is not located in one of those countries, the script downloads the jsextension program from 159.148.186.228 (located in Latvia, Europe) and executes it. The jsextension program is an XMRig Monero miner configured to use only 50% of the device's CPU so that it is not easily noticed. This program is also marked as malicious on VirusTotal.
- Windows: On Windows, the batch file (preinstall.bat) downloads the XMRig Monero crypto miner, saves it as jsextension.exe (flagged on VirusTotal), and executes it. The batch file also downloads an sdd.dll file from citationsherbe.at (hosted in Russia) and saves it as create.dll. The downloaded DLL is a password-stealing trojan that harvests the passwords stored on the device. Multiple vendors on VirusTotal mark the DLL as "DanaBot", a large family of banking trojans targeting Windows systems with the aim of stealing user credentials stored on the devices. When the DLL is loaded, it attempts to steal passwords for a range of programs, including FTP clients, VNC, messaging software, email clients, and browsers.
List of programs targeted by the Stealer
WinVNC, Firefox, FTP Control, Screen Saver 9x, Apple Safari, NetDrive, PC Remote Control, Remote Desktop Connection, Becky, ASP.NET Account, Cisco VPN Client, The Bat!, FreeCall, GetRight, Outlook, Vypress Auvis, FlashGet/JetCar, Eudora, CamFrog, FAR Manager FTP, Gmail Notifier, Win9x NetCache, Windows/Total Commander, Mail.Ru Agent, ICQ2003/Lite, WS_FTP, IncrediMail, "&RQ, R&Q", CuteFTP, Group Mail Free, Yahoo! Messenger, FlashFXP, PocoMail, Digsby, FileZilla, Forte Agent, Odigo, FTP Commander, Scribe, IM2/Messenger 2, BulletProof FTP Client, POP Peeper, Google Talk, SmartFTP, Mail Commander, Faim, TurboFTP, Windows Live Mail, MySpaceIM, FFFTP, Mozilla Thunderbird, MSN Messenger, CoffeeCup FTP, SeaMonkey, Windows Live Messenger, Core FTP, Flock, Paltalk, FTP Explorer, Download Master, Excite Private Messenger, Frigate3 FTP, Internet Download Accelerator, Gizmo Project, SecureFX, IEWebCert, AIM Pro, UltraFXP, IEAutoCompletePWs, Pandion, FTPRush, VPN Accounts, Trillian Astra, WebSitePublisher, Miranda, 888Poker, BitKinex, GAIM, FullTiltPoker, ExpanDrive, Pidgin, PokerStars, Classic FTP, QIP.Online, TitanPoker, Fling, JAJC, PartyPoker, SoftX FTP Client, WebCred, CakePoker, Directory Opus, Windows Credentials, UBPoker, FTP Uploader, MuxaSoft Dialer, EType Dialer, FreeFTP/DirectFTP, FlexibleSoft Dialer, RAS Passwords, LeapFTP, Dialer Queen, Internet Explorer, WinSCP, VDialer, Chrome, 32bit FTP, Advanced Dialer, Opera, WebDrive, Windows RAS
Impact & Mitigation
- If you are running any of the malicious versions, the attackers may already hold your credentials for the services listed above.
- Once the attackers have your credentials, they might abuse them to carry out espionage related activities or to cause damage to other projects or files associated with the compromised account.
- Attackers could also use your system's resources to mine cryptocurrency which could lead to a significant reduction in system performance.
- We recommend running the command below on Linux to check whether you are running a malicious version (it searches every package-lock.json for the three hijacked releases). Users should also check for the existence of a "jsextension" file and delete it immediately if found.
  find / -name "package-lock.json" -exec grep --color -EHni "ua-parser-js-(0.7.29|0.8.0|1.0.0)" {} \; 2>/dev/null
- Scan Windows devices for a create.dll file and delete it immediately. If it is found, it is best to assume that the system was compromised.
- Windows users should also check the package.json file to confirm which version they are running and take appropriate action.
- Users can also check their network traffic for domains associated with coin mining applications. Refer to the following link to find a list of coin mining applications: https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
- Rotate credentials and access tokens for all services, to curb further compromise of accounts.
- Upgrade to the patched versions:
- 0.7.30
- 0.8.1
- 1.0.1
TTPs & IOCs
Indicator type | Data | Notes
SHA256 | 30ee628504faea18dc99602971aafbc05a0b05dc964797edf49633f67cd178e2 | NPM UA-Parser package, containing legitimate UAParser.js 0.7.28 and three malicious payload files
SHA256 | e6cba23d350cb1f049266ddf10f872216f193c5279017408b869539df2e73c83 | Malicious JS install script, detected as JS/BadNode-A
SHA256 | f4c800066e56dd32d20299c451fe6a2b60a3563f7f1915f8ca8db9916d810b5c | Malicious .BAT file (BAT/BadNode-A)
SHA256 | 21e68b048024ba0cc5a2a94ecbc3a78c626ec7d5d705829a82ea4715131d0509 | Malicious Linux shell script (SH/BadNode-A)
SHA256 | 7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5 | XMRig Miner (PUA) for Windows
SHA256 | 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd | Malicious DLL carrying DanaBot (Mal/EncPk-AQC)
SHA256 | ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e | Linux XMRig Miner
SHA256 | bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b | New version of malicious DLL packer
Filename | preinstall.js | Malicious JS install script, detected as JS/BadNode-A
Filename | preinstall.bat | Malicious .BAT file (BAT/BadNode-A)
Filename | preinstall.sh | Malicious Linux shell script (SH/BadNode-A)
Filename | create.dll | Copy of sdd.dll packer
URL | https://citationsherbe.at/sdd.dll | Malicious DLL download URL
URL | http://159.148.186.228/download/jsextension | Linux XMRig Miner download URL
URL | http://159.148.186.228/download/jsextension.exe | Windows XMRig Miner download URL
IP Address | 194.76.225.46 | C2 for Mal/EncPk-AQC
IP Address | 185.158.250.216:443 | C2 for credential-stealing malware
IP Address | 45.11.180.153:443 | C2 for credential-stealing malware
IP Address | 194.76.225.61:443 | C2 for credential-stealing malware