lazarusholic

Breaking Down the Axios Supply Chain Attack: Dropper, Cross-Platform RATs, and BlueNoroff/TA444

2026-04-01, Hunt.io
https://hunt.io/blog/axios-supply-chain-attack-ta444-bluenoroff
#Axios #NPM #TA444 #BlueNoroff

Breaking Down the Axios Attack: Obfuscated Dropper, Cross-Platform RATs, and the TA444/BlueNoroff Connection

Axios pulls over 37 million weekly downloads on npm. That kind of reach makes it a prime target, and someone took the shot. The npm account belonging to the library's primary maintainer, jasonsaayman, was compromised and used to push two malicious versions, executing a five-stage operation in under 24 hours: account takeover, dependency staging, payload injection, multi-platform RAT deployment, and evidence cleanup.
The dropper checks the victim's OS and pulls down a platform-specific RAT: a compiled Mach-O binary on macOS, a fileless PowerShell implant on Windows, or a Python script on Linux. Seconds after the RAT is running, the dropper wipes itself and swaps the malicious package.json for a clean stub, so a developer inspecting node_modules after install would see nothing out of place.
The cleanup was …

IoC
