Executive Summary

• On Friday, 22 October 2021, attackers hijacked the NPM account of the developer of UAParser.js.
• UaParser.js is a library used by web applications to detect information about users’ browser types and operating systems.
• Attackers abused this library to distribute crypto mining and password-stealing malware over Windows and Linux operating systems.
• According to the developer's website, this module is used by several big corporations including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, and Reddit.

Information from Technical Analysis

The Process

• An attacker hijacked and exploited the NPM account of the developer of UAParser.js, Faisal Salman.
• The attacker took advantage of this access to change the library's deployment package by adding instructions to run a new script called preinstall.js. Windows and Linux scripts run by the node.js package, such as preinstall.bat and preinstall.sh, were also included in this package.
• The hijacker then released 3 new versions with the malicious scripts:
  • 0.7.29
  • 0.8.0
  • 1.0.0
• When the compromised packages are installed on a user's device, a script checks the OS and launches the shell script preinstall.sh.
• In Linux, a preinstall.js script checks the operating system.
• In Windows, a batch file (preinstall.bat), checks the operating system.

The Developer’s Statement

• The developer of UAParser.js Faisal Salman said,”I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don't realize something was up, luckily the effect is quite the contrary). I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0)” in his bug report.

  Detailed Description

  • Linux: If the package is on a Linux device, a preinstall.sh script will be executed to check if the user is located in Russia, Ukraine, Belarus, or Kazakhstan. If the device is not located in those countries, the script will download the jsextension program from 159.148.186.228 (located  in Latvia, Europe) and execute it. The jsextension program is an XMRig Monero miner, which will use only 50% of the device's CPU to avoid being easily detected. This program is also marked as malicious on VirusTotal.
  • Windows: On Windows OS, the XMRig Monero crypto miner will be downloaded, saved as jsextension.exe (VirusTotal) by the batch file (preinstall.bat), and executed. The batch file will also download an sdd.dll file from citationsherbe.at (based in Russia) and save it as create.dll. The downloaded DLL file is a password stealer trojan that steals the passwords stored on the device. Multiple vendors on VirusTotal mark the DLL as “DanaBot”; a large family of banking trojans targeting Windows systems with the aim to steal user credentials stored on the devices. When the DLL is loaded, it will try to steal passwords for a range of programs, including FTP clients, VNC, messaging software, email clients, and browsers.
   

  List of programs targeted by the Stealer

  WinVNC	Firefox	FTP Control
  Screen Saver 9x	Apple Safari	NetDrive
  PC Remote Control	Remote Desktop Connection	Becky
  ASP.NET Account	Cisco VPN Client	The Bat!
  FreeCall	GetRight	Outlook
  Vypress Auvis	FlashGet/JetCar	Eudora
  CamFrog	FAR Manager FTP	Gmail Notifier
  Win9x NetCache	Windows/Total Commander	Mail.Ru Agent
  ICQ2003/Lite	WS_FTP	IncrediMail
  "&RQ, R&Q"	CuteFTP	Group Mail Free
  Yahoo! Messenger	FlashFXP	PocoMail
  Digsby	FileZilla	Forte Agent
  Odigo	FTP Commander	Scribe
  IM2/Messenger 2	BulletProof FTP Client	POP Peeper
  Google Talk	SmartFTP	Mail Commander
  Faim	TurboFTP	Windows Live Mail
  MySpaceIM	<FFFTP	Mozilla Thunderbird
  MSN Messenger	CoffeeCup FTP	SeaMonkey
  Windows Live Messenger	Core FTP	Flock
  Paltalk	FTP Explorer	Download Master
  Excite Private Messenger	Frigate3 FTP	Internet Download Accelerator
  Gizmo Project	SecureFX	IEWebCert
  AIM Pro	UltraFXP	IEAutoCompletePWs
  Pandion	FTPRush	VPN Accounts
  Trillian Astra	WebSitePublisher	Miranda
  888Poker	BitKinex	GAIM
  FullTiltPoker	ExpanDrive	Pidgin
  PokerStars	Classic FTP	QIP.Online
  TitanPoker	Fling	JAJC
  PartyPoker	SoftX FTP Client	WebCred
  CakePoker	Directory Opus	Windows Credentials
  UBPoker	FTP Uploader	MuxaSoft Dialer
  EType Dialer	FreeFTP/DirectFTP	FlexibleSoft Dialer
  RAS Passwords	LeapFTP	Dialer Queen
  Internet Explorer	WinSCP	VDialer
  Chrome	32bit FTP	Advanced Dialer
  Opera	WebDrive	Windows RAS

    The password stealer not only steals passwords from the programs listed above but also runs a PowerShell script that steals passwords from the Windows credential manager.   This hack brings to light the previously unknown dangers of open-source repository poisoning. In October, there were three other NPM-based attacks, all of which attempted to install miners using fake JavaScript libraries that claimed to have the same functionality as the one that was hijacked.  

  Impact & Mitigation

  Impact

  Mitigation

  If you’re running any of the malicious versions, then the attackers might have the credentials from multiple services as stated above. Once the attackers have your credentials, they might abuse them to carry out espionage related activities or to cause damage to other projects or files associated with the compromised account. Attackers could also use your system's resources to mine cryptocurrency which could lead to a significant reduction in system performance.

  We recommend running the commands below on Linux to know if you’re running a malicious version. Users can also check for the existence of “jsextension” and delete it immediately if found. Find / -name "package-lock.json" -exec grep --color -EHni "ua-parser-js-(0.7.29|0.8.0|1.0.0)" {} \; 2>/dev/null Scan Windows devices for a create.dllfile and delete it immediately. If found, it is best to assume that the system was compromised. Windows users should also check the package.json file to know the version they are running and take appropriate actions. Users can also check their network traffic for domains associated with coin mining applications. Refer to the following link to find a list of coin mining applications: https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/ Rotate credentials and access tokens for all services, to curb further compromise of accounts. Upgrade to the patched versions: 0.7.30 0.8.1 1.0.1

   

  TTPs & IOCs

  Indicator_type	Data	Notes
  SHA256	30ee628504faea18dc99602971aafbc05a0b05dc964797edf49633f67cd178e2	NPM UA-Parser package, containing legitimate UAParser.js 0.7.28 and three malicious payload files
  SHA256	e6cba23d350cb1f049266ddf10f872216f193c5279017408b869539df2e73c83	Malicioius JS install script, detected as JS/BadNode-A
  SHA256	f4c800066e56dd32d20299c451fe6a2b60a3563f7f1915f8ca8db9916d810b5c	Malicious .BAT file (BAT/BadNode-A)
  SHA256	21e68b048024ba0cc5a2a94ecbc3a78c626ec7d5d705829a82ea4715131d0509	Malicious Linux shellscript (SH/BadNode-A)
  SHA256	7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5	XMRig Miner (PUA) for Windows
  SHA256	2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd	Malicious DLL carrying DanaBot (Mal/EncPk-AQC)
  SHA256	ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e	Linux XMRig Miner
  SHA256	bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b	New version of malicious DLL packer
  Filename	preinstall.js	Malicioius JS install script, detected as JS/BadNode-A
  Filename	preinstall.bat	Malicious .BAT file (BAT/BadNode-A)
  Filename	preinstall.sh	Malicious Linux shellscript (SH/BadNode-A)
  Filename	create.dll	Copy of sdd.dll packer
  URL	https://citationsherbe.at/sdd.dll	Malicious DLL download URL
  URL	http://159.148.186.228/download/jsextension	Linux XMRig Miner download URL
  URL	http://159.148.186.228/download/jsextension.exe	Windows XMRig Miner download URL
  IP Address	194.76.225.46	C2 for Mal/EncPk-AQC
  IP Address	185.158.250.216:443	C2 for credential stealing malware
  IP Address	45.11.180.153:443	C2 for credential stealing malware
  IP Address	194.76.225.61:443	C2 for credential stealing malware