Researchers at ReversingLabs discovered a malicious npm package masquerading as the Material Tailwind library. Their finding, say the researchers, highlights a new trend among threat actors: distributing malicious code through so-called impostor packages.
According to the researchers, the Material Tailwind attack is only the latest example of packages that pose as legitimate ones:
These types of software supply chain attacks can be spotted almost daily now. In most of these cases, the malware in question is fairly simple JavaScript code that is rarely even obfuscated.
The Material Tailwind impostor, though, showed a rather high level of sophistication, including code obfuscation and other techniques to complicate reverse engineering, a two-stage pipeline to download and install the actual malware, and a full set of features that made it a genuinely useful tool.
To discover the threat, the researchers used their Titanium Platform to identify the presence of obfuscated code in a JavaScript file. Making things look even more suspicious, the file was listed in package.json as a post-install script.
Post-install scripts get executed immediately after package installation. This is why they are quite a popular mechanism for achieving code execution among threat actors. From the perspective of a threat researcher: an obfuscated script that is set to run immediately after installation is a (big) red flag.
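To show what such a check looks like in practice, here is an added example (not ReversingLabs' tooling nor npm's own code) that inspects a package manifest for install-time lifecycle hooks and scores the hook command and the script it runs against a few obfuscation and staging heuristics, including the download-piped-to-shell pattern used by the macOS variant described later in the article. The manifest and loader script are constructed samples; the package name, signal list and thresholds are illustrative assumptions.

```javascript
// Added example (not ReversingLabs' or npm's own code): audit a package manifest for
// lifecycle install hooks and score the hook command and any script it runs for
// obfuscation and staging signals. Manifest and script below are constructed samples.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic signals often present in obfuscated loaders and staged droppers.
const SIGNALS = [
  { name: 'eval-like call', re: /\b(eval|Function)\s*\(/ },
  { name: 'hex or unicode escapes', re: /(\\x[0-9a-f]{2}){8,}|(\\u[0-9a-f]{4}){8,}/i },
  { name: 'fromCharCode decoding', re: /String\.fromCharCode/ },
  { name: 'long base64 literal', re: /['"][A-Za-z0-9+/]{200,}={0,2}['"]/ },
  { name: 'download piped to shell', re: /\b(curl|wget)\b[^\n|]*\|\s*(sh|bash)\b/ },
  { name: 'outbound fetch to raw IP', re: /https?:\/\/\d{1,3}(\.\d{1,3}){3}/ },
];

// Return the names of all signals that fire on a piece of JavaScript or shell source.
function scoreScriptSource(src) {
  const hits = SIGNALS.filter(s => s.re.test(src)).map(s => s.name);
  // Minified-then-obfuscated droppers usually collapse into one enormous line.
  const longestLine = Math.max(...src.split('\n').map(l => l.length));
  if (longestLine > 2000) hits.push('very long line');
  return hits;
}

// Lifecycle scripts that npm runs automatically during "npm install".
function findInstallHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS
    .filter(h => typeof scripts[h] === 'string')
    .map(h => ({ hook: h, command: scripts[h] }));
}

// Pull "node <file>" targets out of a hook command so the file itself gets scored.
function referencedNodeFiles(command) {
  const out = [];
  const re = /\bnode\s+([^\s&|;]+)/g;
  let m;
  while ((m = re.exec(command)) !== null) out.push(m[1]);
  return out;
}

// files: map of path -> source text (in practice read from the unpacked "npm pack" tarball).
function auditPackage(manifest, files) {
  return findInstallHooks(manifest).map(({ hook, command }) => {
    const signals = scoreScriptSource(command);
    for (const f of referencedNodeFiles(command)) {
      if (!(f in files)) { signals.push(`${f}: script file missing from package`); continue; }
      signals.push(...scoreScriptSource(files[f]).map(s => `${f}: ${s}`));
    }
    return { hook, command, signals };
  });
}

// Constructed sample: a lookalike package whose postinstall runs an obfuscated loader.
const SAMPLE_MANIFEST = {
  name: 'material-tailwind-lookalike', // invented name, not the real impostor package
  version: '0.0.1',
  scripts: { postinstall: 'node ./setup.js', test: 'mocha' },
};
const SAMPLE_FILES = {
  './setup.js':
    'var _0x1f=["\\x68\\x74\\x74\\x70\\x3a\\x2f\\x2f","\\x31\\x39\\x32\\x2e\\x30\\x2e\\x32\\x2e\\x31"];' +
    'eval(String.fromCharCode(118,97,114,32,120,61,49));',
};

console.log(JSON.stringify(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

A hit on any signal is a reason to read the script by hand, not proof of malice. As a blanket mitigation, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) stops these hooks from running at all, at the cost of breaking the packages that legitimately depend on them.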
Inspecting the deobfuscated code, the team found that it sends a POST request to a specific IP address and downloads a ZIP file using a specially crafted URL that includes an identifier of the victim. ZIP compression was likely used to bypass basic antivirus checks, say the researchers. The ZIP file contained an executable that deployed a number of techniques to evade security checks, including a custom runtime packer using high-precision math, long sleep delays while running, and contacting legitimate sites, such as Google, to check for internet access and ensure it is not running in a sandbox.
Downloading and unpacking the ZIP is only the first stage of the attack, though; this stage also ensures a PowerShell script is run daily.
In stage 2, the malware fetches an XOR-encrypted and base64-encoded file from a public Google Drive link.
This encoded file includes the IP address of the command and control (C2) server, which then sends encrypted instructions over a dedicated socket connection.
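An analyst triaging such a second-stage blob wants the C2 address out of it quickly. The following is an added example (not ReversingLabs' code) of that extraction: it base64-decodes the blob, tries every single-byte XOR key, and keeps the candidate that decodes to printable text containing an IPv4 literal. The article does not state the key length or payload layout, so the single-byte repeating key and the plain "key=value" layout are assumptions, and the blob is constructed here rather than taken from the real malware.

```javascript
// Added example (not ReversingLabs' code): extract a C2 address from a second-stage
// configuration blob that was XOR-encrypted and then base64-encoded. Key length and
// payload layout are assumptions; the sample blob is constructed here, not real malware.

const IPV4 = /\b(?:\d{1,3}\.){3}\d{1,3}\b/;

function xorWithByte(buf, key) {
  const out = Buffer.alloc(buf.length);
  for (let i = 0; i < buf.length; i++) out[i] = buf[i] ^ key;
  return out;
}

// Used only to build the constructed sample (the encoding side of the scheme).
function encodeConfig(plaintext, key) {
  return xorWithByte(Buffer.from(plaintext, 'utf8'), key).toString('base64');
}

// Try every single-byte key; keep the candidate that decodes to mostly printable
// ASCII and contains an IPv4 literal. Returns null if no key yields a plausible config.
function decodeConfig(blobB64) {
  const raw = Buffer.from(blobB64, 'base64');
  if (raw.length === 0) return null;
  let best = null;
  for (let key = 0; key < 256; key++) {
    const cand = xorWithByte(raw, key);
    let printable = 0;
    for (const b of cand) if (b === 0x0a || (b >= 0x20 && b <= 0x7e)) printable++;
    const ratio = printable / cand.length;
    if (ratio < 0.95) continue; // wrong keys scatter bytes outside printable ASCII
    const text = cand.toString('latin1');
    const m = text.match(IPV4);
    if (m && (best === null || ratio > best.ratio)) best = { key, ratio, c2: m[0], text };
  }
  return best;
}

// Constructed sample: what stage 1 would fetch from the public file-hosting link.
// 192.0.2.44 is a documentation-range address, not a real indicator.
const SAMPLE_KEY = 0x5a;
const SAMPLE_BLOB = encodeConfig('c2=192.0.2.44:4444\nbeacon=3600\ntag=victim-id\n', SAMPLE_KEY);

console.log(decodeConfig(SAMPLE_BLOB));
```

The printable-ratio filter does most of the work: with a single-byte key, every wrong key pushes a large share of bytes outside the ASCII range, so only a handful of candidates even reach the IPv4 check. A multi-byte key would need per-position key recovery instead, which this illustration does not attempt.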
After it was reported to npm, the malicious package was quickly removed but not replaced with a security holder version. This gave the attackers a chance to publish new versions of the package targeting macOS in addition to Windows systems. On macOS, the malware used curl to fetch a shell script that was then piped into sh.
If you want to know more about the level of sophistication of this attack, do not miss ReversingLabs' analysis, which includes the deobfuscated malicious code and a discussion of the indicators of compromise (IOCs) that should never be ignored.