Category: Malware Intelligence
Malware Name: *Possibly DanaBot*
Affected OS: Windows, Linux
Executive Summary
- On Friday, 22 October 2021, attackers hijacked the NPM account of the developer of UAParser.js.
- UAParser.js is a library used by web applications to detect information about users’ browser types and operating systems.
- Attackers abused this library to distribute crypto-mining and password-stealing malware on Windows and Linux operating systems.
- According to the developer’s website, this module is used by several big corporations including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, and Reddit.
Information from Technical Analysis
On 22 October 2021, a threat actor released malicious versions of the UAParser.js, a module of the NPM (Node Package Manager). These altered versions of UAParser allow attackers to install crypto miners and password-stealing trojans on Linux and Windows machines.
The Process
- An attacker hijacked and exploited the NPM account of the developer of UAParser.js, Faisal Salman.
- The attacker used this access to alter the library’s published package, adding an instruction to run a new script called preinstall.js. The platform scripts that preinstall.js runs, preinstall.bat for Windows and preinstall.sh for Linux, were also included in the package.
- The hijacker then published three new versions containing the malicious scripts: 0.7.29, 0.8.0 and 1.0.0.
- When a compromised version is installed on a user’s device, the preinstall.js script checks the operating system and launches the platform-specific script.
- On Linux, it launches the shell script preinstall.sh.
- On Windows, it launches the batch file preinstall.bat.
The Developer’s Statement
- The developer of UAParser.js, Faisal Salman, said in his bug report: “I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary). I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0).”
Detailed Description
- Linux: If the package is on a Linux device, a preinstall.sh script will be executed to check if the user is located in Russia, Ukraine, Belarus, or Kazakhstan. If the device is not located in those countries, the script will download the jsextension program from 159.148.186.228 (located in Latvia, Europe) and execute it. The jsextension program is an XMRig Monero miner, which will use only 50% of the device’s CPU to avoid being easily detected. This program is also marked as malicious on VirusTotal.
- Windows: On Windows, the batch file (preinstall.bat) downloads the XMRig Monero crypto miner, saves it as jsextension.exe (flagged on VirusTotal), and executes it. The batch file also downloads an sdd.dll file from citationsherbe.at (hosted in Russia) and saves it as create.dll. The downloaded DLL is a password-stealing trojan that steals the passwords stored on the device. Multiple vendors on VirusTotal mark the DLL as “DanaBot”, a large family of banking trojans targeting Windows systems with the aim of stealing user credentials stored on the devices. When the DLL is loaded, it tries to steal passwords for a range of programs, including FTP clients, VNC, messaging software, email clients, and browsers.
List of programs targeted by the Stealer
- WinVNC
- Firefox
- FTP Control
- Screen Saver 9x
- Apple Safari
- NetDrive
- PC Remote Control
- Remote Desktop Connection
- Becky
- ASP.NET Account
- Cisco VPN Client
- The Bat!
- FreeCall
- GetRight
- Outlook
- Vypress Auvis
- FlashGet/JetCar
- Eudora
- CamFrog
- FAR Manager FTP
- Gmail Notifier
- Win9x NetCache
- Windows/Total Commander
- Mail.Ru Agent
- ICQ2003/Lite
- WS_FTP
- IncrediMail
- &RQ, R&Q
- CuteFTP
- Group Mail Free
- Yahoo! Messenger
- FlashFXP
- PocoMail
- Digsby
- FileZilla
- Forte Agent
- Odigo
- FTP Commander
- Scribe
- IM2/Messenger 2
- BulletProof FTP Client
- POP Peeper
- Google Talk
- SmartFTP
- Mail Commander
- Faim
- TurboFTP
- Windows Live Mail
- MySpaceIM
- FFFTP
- Mozilla Thunderbird
- MSN Messenger
- CoffeeCup FTP
- SeaMonkey
- Windows Live Messenger
- Core FTP
- Flock
- Paltalk
- FTP Explorer
- Download Master
- Excite Private Messenger
- Frigate3 FTP
- Internet Download Accelerator
- Gizmo Project
- SecureFX
- IEWebCert
- AIM Pro
- UltraFXP
- IEAutoCompletePWs
- Pandion
- FTPRush
- VPN Accounts
- Trillian Astra
- WebSitePublisher
- Miranda
- 888Poker
- BitKinex
- GAIM
- FullTiltPoker
- ExpanDrive
- Pidgin
- PokerStars
- Classic FTP
- QIP.Online
- TitanPoker
- Fling
- JAJC
- PartyPoker
- SoftX FTP Client
- WebCred
- CakePoker
- Directory Opus
- Windows Credentials
- UBPoker
- FTP Uploader
- MuxaSoft Dialer
- EType Dialer
- FreeFTP/DirectFTP
- FlexibleSoft Dialer
- RAS Passwords
- LeapFTP
- Dialer Queen
- Internet Explorer
- WinSCP
- VDialer
- Chrome
- 32bit FTP
- Advanced Dialer
- Opera
- WebDrive
- Windows RAS
The password stealer not only steals passwords from the programs listed above but also runs a PowerShell script that steals passwords from the Windows credential manager.
This hack brings to light the previously unknown dangers of open-source repository poisoning. In October, there were three other NPM-based attacks, all of which attempted to install miners using fake JavaScript libraries that claimed to have the same functionality as the one that was hijacked.
Impact & Mitigation
Impact
- If you are running any of the malicious versions, the attackers may already hold your credentials for the services listed above.
- Once the attackers have your credentials, they can abuse them for espionage-related activity or to damage other projects or files associated with the compromised account.
- Attackers can also use your system’s resources to mine cryptocurrency, which can significantly reduce system performance.
Mitigation
- We recommend running the command below on Linux to find out whether you are running a malicious version. Users should also check for the existence of a “jsextension” file and delete it immediately if found.
find / -name "package-lock.json" -exec grep --color -EHni "ua-parser-js-(0.7.29|0.8.0|1.0.0)" {} \; 2>/dev/null
- Scan Windows devices for a create.dll file and delete it immediately. If it is found, it is best to assume that the system was compromised.
- Windows users should also check the package.json file to find the version they are running and take appropriate action.
- Users can also check their network traffic for domains associated with coin-mining applications. Refer to the following link for a list of coin-mining pool domains: https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
- Rotate credentials and access tokens for all services to curb further compromise of accounts.
- Upgrade to the patched versions:
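The lockfile, package.json and dropped-file checks above, combined into one cross-platform scanner as an added example (not code from the report or from the UAParser.js project). It assumes standard npm lockfile layouts (lockfileVersion 1 nested “dependencies”, 2/3 flat “packages”) and reports any of the three malicious versions or the dropped jsextension/create.dll files found under a directory tree.

```python
import json
import os
from pathlib import Path

# Versions of ua-parser-js published from the hijacked npm account (from the report).
MALICIOUS_VERSIONS = {"0.7.29", "0.8.0", "1.0.0"}
PACKAGE = "ua-parser-js"
# File names dropped by the malicious preinstall scripts (from the report).
DROPPED_FILES = {"jsextension", "jsextension.exe", "create.dll"}

def lockfile_hits(lock: dict) -> list:
    """Malicious ua-parser-js versions in a parsed package-lock.json.
    Handles lockfileVersion 1 (nested "dependencies") and 2/3 ("packages" keyed by path)."""
    hits = set()

    def walk_v1(deps: dict) -> None:  # v1 nests transitive deps recursively
        for name, info in deps.items():
            if name == PACKAGE and info.get("version") in MALICIOUS_VERSIONS:
                hits.add(info["version"])
            walk_v1(info.get("dependencies", {}))

    walk_v1(lock.get("dependencies", {}))
    for path, info in lock.get("packages", {}).items():  # v2/v3 flat map
        if path.endswith("node_modules/" + PACKAGE) and info.get("version") in MALICIOUS_VERSIONS:
            hits.add(info["version"])
    return sorted(hits)

def package_json_hit(pkg: dict):
    """Version string if this package.json is an installed malicious ua-parser-js, else None."""
    if pkg.get("name") == PACKAGE and pkg.get("version") in MALICIOUS_VERSIONS:
        return pkg["version"]
    return None

def scan_tree(root: str) -> list:
    """Walk a tree; return (path, reason) for each lockfile, package.json or dropped file that matches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = Path(dirpath, fname)
            if fname in DROPPED_FILES:
                findings.append((str(path), "dropped payload file"))
            elif fname in ("package-lock.json", "package.json"):
                try:
                    data = json.loads(path.read_text(encoding="utf-8"))
                except (OSError, ValueError):
                    continue  # unreadable or not JSON: skip, not a finding
                hit = ", ".join(lockfile_hits(data)) if fname == "package-lock.json" else package_json_hit(data)
                if hit:
                    findings.append((str(path), f"{PACKAGE} {hit}"))
    return findings
```

Run `scan_tree("/")` on Linux or `scan_tree("C:\\")` on Windows; a non-empty result means the host should be treated as compromised and credentials rotated.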
TTPs & IOCs
| Indicator type | Data | Notes |
|---|---|---|
| SHA256 | 30ee628504faea18dc99602971aafbc05a0b05dc964797edf49633f67cd178e2 | NPM UA-Parser package, containing legitimate UAParser.js 0.7.28 and three malicious payload files |
| SHA256 | e6cba23d350cb1f049266ddf10f872216f193c5279017408b869539df2e73c83 | Malicious JS install script, detected as JS/BadNode-A |
| SHA256 | f4c800066e56dd32d20299c451fe6a2b60a3563f7f1915f8ca8db9916d810b5c | Malicious .BAT file (BAT/BadNode-A) |
| SHA256 | 21e68b048024ba0cc5a2a94ecbc3a78c626ec7d5d705829a82ea4715131d0509 | Malicious Linux shell script (SH/BadNode-A) |
| SHA256 | 7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5 | XMRig Miner (PUA) for Windows |
| SHA256 | 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd | Malicious DLL carrying DanaBot (Mal/EncPk-AQC) |
| SHA256 | ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e | Linux XMRig Miner |
| SHA256 | bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b | New version of malicious DLL packer |
| Filename | preinstall.js | Malicious JS install script, detected as JS/BadNode-A |
| Filename | preinstall.bat | Malicious .BAT file (BAT/BadNode-A) |
| Filename | preinstall.sh | Malicious Linux shell script (SH/BadNode-A) |
| Filename | create.dll | Copy of sdd.dll packer |
| URL | https://citationsherbe.at/sdd.dll | Malicious DLL download URL |
| URL | http://159.148.186.228/download/jsextension | Linux XMRig Miner download URL |
| URL | http://159.148.186.228/download/jsextension.exe | Windows XMRig Miner download URL |
| IP Address | 194.76.225.46 | C2 for Mal/EncPk-AQC |
| IP Address | 185.158.250.216:443 | C2 for credential stealing malware |
| IP Address | 45.11.180.153:443 | C2 for credential stealing malware |
| IP Address | 194.76.225.61:443 | C2 for credential stealing malware |
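An added example, not part of the report, that turns the network indicators in the table above into a check over egress or proxy logs: download URLs match exactly, C2 entries match destination IP and port (any port where the table gives none). The log format is an assumption for illustration (one line per connection: timestamp, source IP, destination IP:port, optional URL), and the sample lines are constructed.

```python
import re

# Network indicators from the report's TTPs & IOCs table.
IOC_DOWNLOAD_URLS = {
    "https://citationsherbe.at/sdd.dll": "DanaBot DLL download",
    "http://159.148.186.228/download/jsextension": "Linux XMRig miner download",
    "http://159.148.186.228/download/jsextension.exe": "Windows XMRig miner download",
}
# C2 endpoints as (ip, port); port None means the table gives no port, so any port matches.
IOC_C2 = {
    ("194.76.225.46", None): "C2 for Mal/EncPk-AQC",
    ("185.158.250.216", 443): "C2 for credential stealing malware",
    ("45.11.180.153", 443): "C2 for credential stealing malware",
    ("194.76.225.61", 443): "C2 for credential stealing malware",
}
# Assumed log format (constructed, not a vendor format): "<timestamp> <src_ip> <dst_ip>:<dst_port> [<url>]"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?:\s+(\S+))?\s*$")

def match_line(line: str):
    """Return (src_ip, note) if the line touches a known indicator, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, src, dst, port, url = m.groups()
    if url in IOC_DOWNLOAD_URLS:
        return src, IOC_DOWNLOAD_URLS[url]
    for (ip, c2_port), note in IOC_C2.items():
        if dst == ip and (c2_port is None or c2_port == int(port)):
            return src, note
    return None

def scan_log(text: str) -> list:
    """Run match_line over every non-empty line; return (line_no, src_ip, note) hits."""
    hits = []
    for n, line in enumerate(text.splitlines(), start=1):
        if line.strip():
            found = match_line(line)
            if found:
                hits.append((n, *found))
    return hits

# Constructed sample traffic; 10.0.0.0/8 and 203.0.113.0/24 addresses are made up (private/documentation ranges).
SAMPLE_LOG = """\
2021-10-22T14:01:02Z 10.0.0.5 203.0.113.10:443 https://example.com/index.html
2021-10-22T14:01:09Z 10.0.0.5 159.148.186.228:80 http://159.148.186.228/download/jsextension
2021-10-22T14:01:11Z 10.0.0.7 185.158.250.216:443
2021-10-22T14:01:15Z 10.0.0.7 194.76.225.46:8080
2021-10-22T14:01:20Z 10.0.0.9 185.158.250.216:80
"""
```

`scan_log(SAMPLE_LOG)` flags lines 2, 3 and 4; line 5 is not flagged because the table ties that C2 to port 443 only.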