Privacy Ninja

Popular NPM Library Hijacked To Install Password-stealers, Miners

Hackers hijacked the popular UA-Parser-JS NPM library, with millions of downloads a week, to infect Linux and Windows devices with cryptominers and password-stealing trojans in a supply-chain attack.

The UA-Parser-JS library is used to parse a browser’s user agent to identify a visitor’s browser, engine, OS, CPU, and Device type/model.

The library is immensely popular, with millions of downloads a week and over 24 million downloads this month so far. In addition, the library is used in over a thousand other projects, including those by Facebook, Microsoft, Amazon, Instagram, Google, Slack, Mozilla, Discord, Elastic, Intuit, Reddit, and many more well-known companies.

Figure: UA-Parser-JS downloaded millions of times per week (source: NPM-stat.com)

UA-Parser-JS project hijacked to install malware

On October 22nd, a threat actor published malicious versions of the UA-Parser-JS NPM library to install cryptominers and password-stealing trojans on Linux and Windows devices.

According to the developer, his NPM account was hijacked and used to deploy the three malicious versions of the library.

“I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don’t realize something was up, luckily the effect is quite the contrary),” explained Faisal Salman, the developer of UA-Parser-JS, in a bug report.

“I believe someone was hijacking my npm account and published some compromised packages (0.7.29, 0.8.0, 1.0.0) which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0.”

The affected versions and their patched counterparts are:

Malicious version    Fixed version
0.7.29               0.7.30
0.8.0                0.8.1
1.0.0                1.0.1

From copies of the malicious NPMs shared with BleepingComputer by Sonatype, we can better understand the attack.

When the compromised packages are installed on a user’s device, a preinstall.js script will check the type of operating system used on the device and either launch a Linux shell script or a Windows batch file.

Figure: preinstall.js script used to check the operating system type

If the package is installed on a Linux device, a preinstall.sh script is executed that checks whether the device is located in Russia, Ukraine, Belarus, or Kazakhstan. If the device is not in one of those countries, the script downloads the jsextension [VirusTotal] program from 159[.]148[.]186[.]228 and executes it.

The jsextension program is an XMRig Monero miner, which will use only 50% of the device’s CPU to avoid being easily detected.

Figure: Linux shell script used to install the miner

For Windows devices, the batch file will also download the XMRig Monero cryptominer and save it as jsextension.exe [VirusTotal] and execute it. In addition, the batch file will download an sdd.dll file [VirusTotal] from citationsherbe[.]at and save it as create.dll.

Figure: Windows batch file used to install the cryptominer

The downloaded DLL is a password-stealing trojan (possibly DanaBot) that will attempt to steal the passwords stored on the device.

When the DLL is loaded using the regsvr32.exe -s create.dll command, it will attempt to steal passwords for a wide variety of programs, including FTP clients, VNC, messaging software, email clients, and browsers.

A list of targeted programs can be found in the table below.

WinVNC                   | Firefox                   | FTP Control
Screen Saver 9x          | Apple Safari              | NetDrive
PC Remote Control        | Remote Desktop Connection | Becky
ASP.NET Account          | Cisco VPN Client          | The Bat!
FreeCall                 | GetRight                  | Outlook
Vypress Auvis            | FlashGet/JetCar           | Eudora
CamFrog                  | FAR Manager FTP           | Gmail Notifier
Win9x NetCache           | Windows/Total Commander   | Mail.Ru Agent
ICQ2003/Lite             | WS_FTP                    | IncrediMail
&RQ, R&Q                 | CuteFTP                   | Group Mail Free
Yahoo! Messenger         | FlashFXP                  | PocoMail
Digsby                   | FileZilla                 | Forte Agent
Odigo                    | FTP Commander             | Scribe
IM2/Messenger 2          | BulletProof FTP Client    | POP Peeper
Google Talk              | SmartFTP                  | Mail Commander
Faim                     | TurboFTP                  | Windows Live Mail
MySpaceIM                | FFFTP                     | Mozilla Thunderbird
MSN Messenger            | CoffeeCup FTP             | SeaMonkey
Windows Live Messenger   | Core FTP                  | Flock
Paltalk                  | FTP Explorer              | Download Master
Excite Private Messenger | Frigate3 FTP              | Internet Download Accelerator
Gizmo Project            | SecureFX                  | IEWebCert
AIM Pro                  | UltraFXP                  | IEAutoCompletePWs
Pandion                  | FTPRush                   | VPN Accounts
Trillian Astra           | WebSitePublisher          | Miranda
888Poker                 | BitKinex                  | GAIM
FullTiltPoker            | ExpanDrive                | Pidgin
PokerStars               | Classic FTP               | QIP.Online
TitanPoker               | Fling                     | JAJC
PartyPoker               | SoftX FTP Client          | WebCred
CakePoker                | Directory Opus            | Windows Credentials
UBPoker                  | FTP Uploader              | MuxaSoft Dialer
EType Dialer             | FreeFTP/DirectFTP         | FlexibleSoft Dialer
RAS Passwords            | LeapFTP                   | Dialer Queen
Internet Explorer        | WinSCP                    | VDialer
Chrome                   | 32bit FTP                 | Advanced Dialer
Opera                    | WebDrive                  | Windows RAS

In addition to stealing passwords from the above programs, the DLL will execute a PowerShell script to steal passwords from the Windows credential manager, as shown below.

Figure: PowerShell script used to steal stored passwords from Windows

This attack appears to have been conducted by the same threat actor behind other malicious NPM libraries discovered this week.

Researchers from open-source security firm Sonatype discovered three malicious NPM libraries used to deploy cryptominers on Linux and Windows devices in an almost identical manner.

What should UA-Parser-JS users do?

Due to the widespread impact of this supply-chain attack, it is strongly advised that all users of the UA-Parser-JS library check their projects for malicious software.

This includes checking for the existence of either jsextension.exe (Windows) or jsextension (Linux) and deleting them if they are found.

For Windows users, you should scan your device for a create.dll file and delete it immediately.

While only Windows was infected with a password-stealing Trojan, it is wise for Linux users to also assume their device was fully compromised.

Due to this, all infected Linux and Windows users should also change their passwords, keys, and refresh tokens, as they were likely compromised and sent to the threat actor.

While changing your passwords and access tokens will likely be a huge undertaking, by not doing so, the threat actor can compromise other accounts, including any projects you develop for further supply-chain attacks.
