Malicious Obfuscated NPM Package Disguised as an Ethereum Tool Deploys Quasar RAT

Threat Actors
• User “solidit-dev-416” on npm; possibly tied to broader campaigns using Quasar RAT.

Campaign Overview
• Malicious npm package (ethereumvulncontracthandler) deploys Quasar RAT to compromise developer systems.

Target Regions (or Victims)
• Developers using npm, especially those involved with Ethereum smart contracts.

Methodology
• Disguised as a legitimate npm package.
• Obfuscated code retrieves and executes a malicious script.
• Deploys Quasar RAT to establish persistence and control.

Product Targeted
• Ethereum developers and projects.
• GitHub repositories promoting pirating software and cryptocurrency bots.

Malware Reference
• Quasar RAT (first released on GitHub in 2014).

Tools Used
• Malicious npm package.
• Obfuscation techniques (Base64, XOR encoding, minification).
• PowerShell commands for payload execution.

Vulnerabilities Exploited
• Trust in the npm registry.
• Developers’ reliance on GitHub stars as a quality signal.

TTPs
• Avoids sandbox environments.
• Executes PowerShell commands to deploy malware.
• Contacts a C2 server for instructions and exfiltration.

Attribution
• Not explicitly attributed, but uses Quasar RAT, a known tool for cybercrime and espionage.

Recommendations
• Scrutinize npm packages before installation.
• Monitor unusual PowerShell activity.
• Use endpoint protection to detect and block RATs.
• Avoid relying solely on GitHub stars to assess repository trustworthiness.

Source
• The Hacker News

Read full article: https://thehackernews.com/2025/01/malicious-obfuscated-npm-package.html

The above summary has been generated by an AI language model


Source: TheHackersNews

Published on: January 4, 2025
