Malware Campaign Uses Ethereum Smart Contracts to Control npm Typosquat Packages
An ongoing campaign is targeting npm developers with numerous typosquatted versions of legitimate packages in an effort to trick them into running cross-platform malware.
The attack is notable for using Ethereum smart contracts to distribute command-and-control (C2) server addresses, according to independent findings from Checkmarx, Phylum, and Socket published over the past few days.
The activity was first detected on October 31, 2024, although it is believed to have been underway at least a week earlier. At least 287 typosquatting packages have been published to the npm package registry.
“While this campaign unfolded with seriousness, it became apparent that this attacker was in the initial stages of a typo campaign targeting developers who intended to utilize the prevalent Puppeteer, Bignum.js, and various cryptocurrency libraries,” Phylum declared.
The packages contain obfuscated JavaScript that runs during (or after) installation and ultimately fetches a next-stage binary from a remote server, selected according to the operating system.
The binary, in turn, establishes persistence and exfiltrates sensitive details about the compromised machine to the same server.
In an interesting twist, the JavaScript code interacts with an Ethereum smart contract, using the ethers.js library, to retrieve the server's IP address. It is worth noting that a campaign dubbed EtherHiding used a similar technique, relying on Binance's Smart Chain (BSC) contracts to advance to the next stage of the attack chain.
The decentralized nature of the blockchain makes the campaign harder to disrupt: the threat actor can update the IP addresses served by the contract over time, allowing the malware to seamlessly connect to new addresses as older ones are blocked or taken down.
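As an added example from the defender's side, not code from the article or from Checkmarx, Phylum or Socket, the following Node.js script triages an npm package manifest for the three traits the passages above describe together: a package name close to a popular package (the typosquat), a lifecycle script that npm runs at install time, and an install-time dependency on a blockchain client library such as ethers. The popular-package list, the client-library list and the two manifests are constructed sample data; the edit-distance threshold of 2 is an assumption, not a published heuristic.

```javascript
// Added example (not from the article or any vendor tool): a pre-install
// triage heuristic for npm package manifests. It flags the traits the
// campaign combines: a name resembling a popular package, a lifecycle script
// that runs on `npm install`, and a dependency on a blockchain client.

// Popular packages a typosquat would imitate (constructed short list; a real
// deployment would use the registry's top-N download list).
const POPULAR = ['puppeteer', 'bignumber.js', 'ethers', 'express', 'lodash'];

// Lifecycle hooks npm executes automatically during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Libraries able to read a smart contract from a script (constructed list);
// unusual in a package that otherwise has nothing to do with blockchains.
const CHAIN_CLIENTS = ['ethers', 'web3', 'viem'];

// Optimal-string-alignment edit distance: insertions, deletions,
// substitutions and adjacent transpositions, which covers the common typo
// patterns (dropped letter, swapped letters, doubled letter).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Normalise a name the way a reader skims it: drop the scope, punctuation and case,
// so "bignumber-js" and "bignumber.js" compare as equal.
function normalise(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Returns { target, distance } for the popular package this name most
// resembles (distance <= 2, an assumed threshold), or null for a genuine
// popular package or a name that resembles none of them.
function typosquatTarget(name, popular = POPULAR) {
  if (popular.includes(name.toLowerCase())) return null; // the genuine package itself
  const n = normalise(name);
  let best = null;
  for (const p of popular) {
    const distance = editDistance(n, normalise(p));
    if (distance <= 2 && (best === null || distance < best.distance)) {
      best = { target: p, distance };
    }
  }
  return best;
}

// Triage a parsed package.json object. Returns a list of human-readable
// findings; an empty list means none of the campaign's traits were observed.
function triage(manifest, popular = POPULAR) {
  const findings = [];
  const squat = typosquatTarget(manifest.name, popular);
  if (squat) findings.push(`name resembles "${squat.target}" (edit distance ${squat.distance})`);

  const scripts = manifest.scripts || {};
  const hooks = INSTALL_HOOKS.filter((h) => h in scripts);
  for (const h of hooks) findings.push(`runs code at install time via "${h}": ${scripts[h]}`);

  const deps = Object.keys(manifest.dependencies || {});
  const chain = deps.filter((d) => CHAIN_CLIENTS.includes(d));
  if (chain.length && hooks.length) {
    findings.push(`install-time script combined with blockchain client dependency (${chain.join(', ')})`);
  }
  return findings;
}

// Constructed sample manifests (not real packages from the registry).
const SUSPECT = {
  name: 'pupeteer',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js' },
  dependencies: { ethers: '^6.0.0' },
};
const BENIGN = {
  name: 'express',
  version: '4.19.0',
  scripts: { test: 'mocha' },
  dependencies: { debug: '^4.0.0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const m of [SUSPECT, BENIGN]) {
    const f = triage(m);
    console.log(`${m.name}: ${f.length ? f.join('; ') : 'no findings'}`);
  }
}

if (typeof module !== 'undefined') {
  module.exports = { editDistance, normalise, typosquatTarget, triage, SUSPECT, BENIGN };
}
```

Run with `node triage.js` to see the sample output. In practice the same check belongs in CI before `npm install` runs (or with `--ignore-scripts` in place), because the install hook is the point at which the typosquat's JavaScript executes; a manifest that combines a near-miss name with an install hook and a chain client is worth a manual look even though each trait alone is common.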
“By employing the blockchain in this manner, the attackers attain two vital advantages: their infrastructure becomes almost impossible to dismantle owing to the immutable nature of the blockchain, and the decentralized architecture renders it highly intricate to obstruct these communications,” Yehuda Gelb, a researcher at Checkmarx, remarked.
It is currently not known who is behind the campaign, although the Socket Threat Research Team noted that the error messages used for exception handling and logging are written in Russian, suggesting the threat actor may be a Russian speaker.
The development once again illustrates the novel ways in which attackers are poisoning the open-source ecosystem, and underscores the need for developers to remain vigilant when downloading packages from software repositories.
“Employing blockchain technology for C2 infrastructure presents a distinct approach to supply chain attacks in the npm ecosystem, enhancing the resilience of the attack infrastructure against takedown efforts while complicating detection endeavors,” stated Gelb.