Poisoned Library Package Used to Install Crypto Mining and Password Stealing Malware

Summary

On 22 October, attackers hijacked the NPM account of the developer of UAParser.js, a library used to detect users’ browser types and operating systems
Category Malware Intelligence
Malware Name *Possibly DanaBot*
Affected OS Windows , Linux
 

Executive Summary

  • On Friday, 22 October 2021, attackers hijacked the NPM account of the developer of UAParser.js.
  • UaParser.js is a library used by web applications to detect information about users’ browser types and operating systems.
  • Attackers abused this library to distribute crypto mining and password-stealing malware over Windows and Linux operating systems.
  • According to the developer's website, this module is used by several big corporations including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, and Reddit.
 

Information from Technical Analysis

On 22 October 2021, a threat actor released malicious versions of the UAParser.js, a module of the NPM (Node Package Manager). These altered versions of UAParser allow attackers to install crypto miners and password-stealing trojans on Linux and Windows machines.  
The Process
  • An attacker hijacked and exploited the NPM account of the developer of UAParser.js, Faisal Salman.
  • The attacker took advantage of this access to change the library's deployment package by adding instructions to run a new script called preinstall.js. Windows and Linux scripts run by the node.js package, such as preinstall.bat and preinstall.sh, were also included in this package.
  • The hijacker then released 3 new versions with the malicious scripts:
    • 0.7.29
    • 0.8.0
    • 1.0.0
  • When the compromised packages are installed on a user's device, a script checks the OS and launches the shell script preinstall.sh.
  • In Linux, a preinstall.js script checks the operating system.
  • In Windows, a batch file (preinstall.bat), checks the operating system.
 
The Developer’s Statement
  • The developer of UAParser.js Faisal Salman said,”I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don't realize something was up, luckily the effect is quite the contrary). I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0)” in his bug report.
    Detailed Description
    • Linux: If the package is on a Linux device, a preinstall.sh script will be executed to check if the user is located in Russia, Ukraine, Belarus, or Kazakhstan. If the device is not located in those countries, the script will download the jsextension program from 159.148.186.228 (located  in Latvia, Europe) and execute it. The jsextension program is an XMRig Monero miner, which will use only 50% of the device's CPU to avoid being easily detected. This program is also marked as malicious on VirusTotal.
    • Windows: On Windows OS, the XMRig Monero crypto miner will be downloaded, saved as jsextension.exe (VirusTotal) by the batch file (preinstall.bat), and executed. The batch file will also download an sdd.dll file from citationsherbe.at (based in Russia) and save it as create.dll. The downloaded DLL file is a password stealer trojan that steals the passwords stored on the device. Multiple vendors on VirusTotal mark the DLL as “DanaBot”; a large family of banking trojans targeting Windows systems with the aim to steal user credentials stored on the devices. When the DLL is loaded, it will try to steal passwords for a range of programs, including FTP clients, VNC, messaging software, email clients, and browsers.
     

    List of programs targeted by the Stealer

    WinVNC Firefox FTP Control
    Screen Saver 9x Apple Safari NetDrive
    PC Remote Control Remote Desktop Connection Becky
    ASP.NET Account Cisco VPN Client The Bat!
    FreeCall GetRight Outlook
    Vypress Auvis FlashGet/JetCar Eudora
    CamFrog FAR Manager FTP Gmail Notifier
    Win9x NetCache Windows/Total Commander Mail.Ru Agent
    ICQ2003/Lite WS_FTP IncrediMail
    "&RQ, R&Q" CuteFTP Group Mail Free
    Yahoo! Messenger FlashFXP PocoMail
    Digsby FileZilla Forte Agent
    Odigo FTP Commander Scribe
    IM2/Messenger 2 BulletProof FTP Client POP Peeper
    Google Talk SmartFTP Mail Commander
    Faim TurboFTP Windows Live Mail
    MySpaceIM <FFFTP Mozilla Thunderbird
    MSN Messenger CoffeeCup FTP SeaMonkey
    Windows Live Messenger Core FTP Flock
    Paltalk FTP Explorer Download Master
    Excite Private Messenger Frigate3 FTP Internet Download Accelerator
    Gizmo Project SecureFX IEWebCert
    AIM Pro UltraFXP IEAutoCompletePWs
    Pandion FTPRush VPN Accounts
    Trillian Astra WebSitePublisher Miranda
    888Poker BitKinex GAIM
    FullTiltPoker ExpanDrive Pidgin
    PokerStars Classic FTP QIP.Online
    TitanPoker Fling JAJC
    PartyPoker SoftX FTP Client WebCred
    CakePoker Directory Opus Windows Credentials
    UBPoker FTP Uploader MuxaSoft Dialer
    EType Dialer FreeFTP/DirectFTP FlexibleSoft Dialer
    RAS Passwords LeapFTP Dialer Queen
    Internet Explorer WinSCP VDialer
    Chrome 32bit FTP Advanced Dialer
    Opera WebDrive Windows RAS
      The password stealer not only steals passwords from the programs listed above but also runs a PowerShell script that steals passwords from the Windows credential manager.   This hack brings to light the previously unknown dangers of open-source repository poisoning. In October, there were three other NPM-based attacks, all of which attempted to install miners using fake JavaScript libraries that claimed to have the same functionality as the one that was hijacked.  

    Impact & Mitigation

    Impact Mitigation
    • If you’re running any of the malicious versions, then the attackers might have the credentials from multiple services as stated above.
    • Once the attackers have your credentials, they might abuse them to carry out espionage related activities or to cause damage to other projects or files associated with the compromised account.
    • Attackers could also use your system's resources to mine cryptocurrency which could lead to a significant reduction in system performance.
    • We recommend running the commands below on Linux to know if you’re running a malicious version. Users can also check for the existence of “jsextension” and delete it immediately if found. Find / -name "package-lock.json" -exec grep --color -EHni "ua-parser-js-(0.7.29|0.8.0|1.0.0)" {} \; 2>/dev/null
    • Scan Windows devices for a create.dllfile and delete it immediately. If found, it is best to assume that the system was compromised.
    • Windows users should also check the package.json file to know the version they are running and take appropriate actions.
    • Users can also check their network traffic for domains associated with coin mining applications. Refer to the following link to find a list of coin mining applications: https://www.nextron-systems.com/2021/10/24/monero-mining-pool-fqdns/
    • Rotate credentials and access tokens for all services, to curb further compromise of accounts.
    • Upgrade to the patched versions:
      • 0.7.30
      • 0.8.1
      • 1.0.1
     

    TTPs & IOCs

    Indicator_type Data Notes
    SHA256 30ee628504faea18dc99602971aafbc05a0b05dc964797edf49633f67cd178e2 NPM UA-Parser package, containing legitimate UAParser.js 0.7.28 and three malicious payload files
    SHA256 e6cba23d350cb1f049266ddf10f872216f193c5279017408b869539df2e73c83 Malicioius JS install script, detected as JS/BadNode-A
    SHA256 f4c800066e56dd32d20299c451fe6a2b60a3563f7f1915f8ca8db9916d810b5c Malicious .BAT file (BAT/BadNode-A)
    SHA256 21e68b048024ba0cc5a2a94ecbc3a78c626ec7d5d705829a82ea4715131d0509 Malicious Linux shellscript (SH/BadNode-A)
    SHA256 7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5 XMRig Miner (PUA) for Windows
    SHA256 2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd Malicious DLL carrying DanaBot (Mal/EncPk-AQC)
    SHA256 ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e Linux XMRig Miner
    SHA256 bb8ccdcf17761f1e86d8ebbc1a12b123929c48c5eea4739b7619bd53728d412b New version of malicious DLL packer
    Filename preinstall.js Malicioius JS install script, detected as JS/BadNode-A
    Filename preinstall.bat Malicious .BAT file (BAT/BadNode-A)
    Filename preinstall.sh Malicious Linux shellscript (SH/BadNode-A)
    Filename create.dll Copy of sdd.dll packer
    URL https://citationsherbe.at/sdd.dll Malicious DLL download URL
    URL http://159.148.186.228/download/jsextension Linux XMRig Miner download URL
    URL http://159.148.186.228/download/jsextension.exe Windows XMRig Miner download URL
    IP Address 194.76.225.46 C2 for Mal/EncPk-AQC
    IP Address 185.158.250.216:443 C2 for credential stealing malware
    IP Address 45.11.180.153:443 C2 for credential stealing malware
    IP Address 194.76.225.61:443 C2 for credential stealing malware
     

Table of Contents

Request an easy and customized demo for free