Threat Actor Deploys Malicious Packages Using Hex Encoding and Delayed Execution
Over the past week, the Mend security team has found several instances of packages that use unusual techniques to disguise malicious intent. These techniques differ from what we have usually seen in the past, such as base64 and JS obfuscation. This time, we are seeing a malicious actor use hex encoding to hide the malicious behavior of the package. In addition, the threat actor attempts to evade some security mechanisms by delaying the execution of the malicious code until about one hour after initial installation. The goal, of course, is to improve the odds that the malicious package can be successfully inserted into the production environment.
//Dedocing from hex in runtime
//Delaying execution in about 1 hour
The first package is ‘bfs-hello-world’. Its first version, number 98.10.11, was uploaded to NPM on April 5th. The second version, number 98.10.13, was uploaded a few hours later.
Both versions were blocked by Supply Chain Defender on the same day of creation.
The second package, ‘bfx-hf-func-data’, was uploaded to NPM on April 9th with only one version, number 94.10.9. It was blocked by Supply Chain Defender two hours later.
Interestingly, in this package, the author used the famous ‘Lorem ipsum’ placeholder text that is commonly used to demonstrate the visual form of a document or a typeface without relying on meaningful content.
The third package, ‘wf_apn’, was added to NPM on April 12th with one single version, number 97.10.9. It was blocked by Supply Chain Defender four hours later. In this package, the README file looks legit as it is disguised as a module for interfacing with the Apple Push Notification service, which is far from what the malicious package really does.
The attacker is exfiltrating private information via two known webhooks – “pipedream.net” and “requestbin.net”. The private information that is being captured for these packages are:
Homedir
Hostname
Username
Getting a list of IP addresses that is configured in the DNS resolution for the current host.
Checking what files you have under your root directory depending on your operating system (“C:\\“, “D:\\“, “/”, “/home”)
While gathering the private information, the attacker verifies that the machine executing the code doesn’t have the following identifiers that are probably of its own machines:
Hostname – DESKTOP-4E1IS0K / box / lili-pc / aws-7grara913oid5jsexgkq / instance
Username – daasadmin
It’s worth mentioning that we have seen these indicators of compromise (IoCs) related to other packages in the past.
These packages illustrate the ongoing evolution of attack techniques, as the attacker looks for new ways to evade security mechanisms as well as the attention of the research community. While these techniques are common in the malware research arena, they have not been seen used in npm malicious packages. However, it is likely that we will see more attacks like this. Of course, the easiest way to protect this attack surface is to use an automated supply chain security solution such as Mend Supply Chain Defender.
