| Category | Details |
|---|---|
| Threat Actors | User "solidit-dev-416" on npm; possibly tied to broader campaigns using Quasar RAT. |
| Campaign Overview | • Malicious npm package (ethereumvulncontracthandler) deploys Quasar RAT to compromise developer systems. |
| Target Regions (or Victims) | • Developers using npm, especially those involved with Ethereum smart contracts. |
| Methodology | • Disguised as a legitimate npm package. • Obfuscated code retrieves and executes a malicious script. • Deploys Quasar RAT to establish persistence and control. |
| Product Targeted | • Ethereum developers and projects. • GitHub repositories promoting pirated software and cryptocurrency bots. |
| Malware Reference | Quasar RAT (first released on GitHub in 2014). |
| Tools Used | • Malicious npm package. • Obfuscation techniques (Base64, XOR encoding, minification). • PowerShell commands for payload execution. |
| Vulnerabilities Exploited | • Trust in the npm registry. • Developers' reliance on GitHub stars as a quality signal. |
| TTPs | • Avoids sandbox environments. • Executes PowerShell commands to deploy malware. • Contacts a C2 server for instructions and exfiltration. |
| Attribution | Not explicitly attributed, but uses Quasar RAT, a known tool for cybercrime and espionage. |
| Recommendations | • Scrutinize npm packages before installation. • Monitor unusual PowerShell activity. • Use endpoint protection to detect and block RATs. • Avoid relying solely on GitHub stars to assess repository trustworthiness. |
| Source | The Hacker News |
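The "Scrutinize npm packages before installation" recommendation and the obfuscation indicators listed under Tools Used (Base64, XOR encoding, minification, PowerShell execution) can be turned into a pre-install triage check. The script below is an added example written for this summary; it is not code from the article, from the npm package it describes, or from any real scanner. It walks a package's files and flags the indicators the table names, plus one general npm check the summary does not mention (install-time lifecycle hooks in package.json, which is how a package runs code during `npm install`). The regexes, the 200-character Base64 threshold, the 1000-character "minified line" threshold, and both sample packages (`BENIGN`, `SUSPICIOUS`) are assumptions constructed for the example; the heuristics produce prompts for manual review, not verdicts.

```python
"""Static triage of an npm package for the indicators in the summary above:
Base64 blobs, XOR decoding loops, minified source, PowerShell invocation,
process spawning, and install-time lifecycle hooks. Heuristic only.
Added example for this page; not the article's or any project's code."""
import json
import re
from pathlib import Path

# Indicator patterns. Thresholds are assumptions chosen for this example.
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")           # long encoded payload
POWERSHELL = re.compile(r"powershell(\.exe)?|pwsh", re.IGNORECASE)
XOR_DECODE = re.compile(r"charCodeAt\([^)]*\)\s*\^")              # per-char XOR loop
CHILD_PROCESS = re.compile(
    r"""require\(\s*['"]child_process['"]\s*\)|from\s+['"]child_process['"]"""
)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
MINIFIED_LINE_LEN = 1000  # a single line this long suggests minified/packed code


def scan_package_json(text):
    """Flag scripts that run automatically during npm install."""
    findings = []
    try:
        manifest = json.loads(text)
    except json.JSONDecodeError:
        return ["package.json: not valid JSON"]
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(
                f"package.json: lifecycle hook '{hook}' runs code on install: {scripts[hook]!r}"
            )
            if POWERSHELL.search(scripts[hook]):
                findings.append(f"package.json: '{hook}' invokes PowerShell")
    return findings


def scan_js(name, text):
    """Flag obfuscation and execution indicators in a JavaScript source file."""
    findings = []
    if BASE64_BLOB.search(text):
        findings.append(f"{name}: long Base64-like blob (possible encoded payload)")
    if XOR_DECODE.search(text):
        findings.append(f"{name}: charCodeAt ^ pattern (XOR decoding loop)")
    if POWERSHELL.search(text):
        findings.append(f"{name}: references PowerShell")
    if CHILD_PROCESS.search(text):
        findings.append(f"{name}: imports child_process (spawns external processes)")
    if any(len(line) > MINIFIED_LINE_LEN for line in text.splitlines()):
        findings.append(f"{name}: very long line (minified or packed source)")
    return findings


def scan_package(files):
    """files: mapping of relative path -> text. Returns a list of finding strings."""
    findings = []
    for path, text in sorted(files.items()):
        if path.endswith("package.json"):
            findings.extend(scan_package_json(text))
        elif path.endswith((".js", ".cjs", ".mjs")):
            findings.extend(scan_js(path, text))
    return findings


def scan_directory(root):
    """Scan an unpacked package on disk (e.g. after `npm pack` + extraction)."""
    root = Path(root)
    files = {
        str(p.relative_to(root)): p.read_text(errors="replace")
        for p in root.rglob("*") if p.is_file()
    }
    return scan_package(files)


# Constructed samples for demonstration; neither is a real package.
BENIGN = {
    "package.json": json.dumps({"name": "demo-utils", "version": "1.0.0", "main": "index.js"}),
    "index.js": "module.exports = { add: (a, b) => a + b };\n",
}
SUSPICIOUS = {
    "package.json": json.dumps(
        {"name": "demo-bad", "version": "0.0.1", "scripts": {"postinstall": "node setup.js"}}
    ),
    "setup.js": (
        "const { exec } = require('child_process');\n"
        "const k = 7; const blob = '" + "QUJD" * 60 + "';\n"   # placeholder blob, decodes to 'ABC...'
        "const s = Buffer.from(blob, 'base64').toString();\n"
        "let out = ''; for (let i = 0; i < s.length; i++) {"
        " out += String.fromCharCode(s.charCodeAt(i) ^ k); }\n"
        "exec('powershell -NoProfile -Command ' + JSON.stringify(out));\n"
    ),
}

if __name__ == "__main__":
    for label, pkg in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_package(pkg) or ["no findings"])
```

Run `scan_directory("path/to/unpacked-package")` against the extracted tarball of a package before installing it; a clean result does not prove the package is safe, but any finding is a reason to read the flagged file before letting an install hook execute it.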
Read full article: https://thehackernews.com/2025/01/malicious-obfuscated-npm-package.html
The above summary has been generated by an AI language model