lazarusholic

Everyday is lazarus.dayβ

npm package bigmathix and the BigSquatRat campaign behind it

2026-01-19, Kmsec
https://kmsec.uk/blog/js-malware-bigmathix/
#BigSquatRat #Suspicious

I'm trying to get some more content out, so here's a write-up of a small malware campaign I'm dubbing BigSquatRat. We'll start with some static analysis of a Node.js malware infection chain and then examine its current and historical footprint across GitHub and npm.
Summary
- BigSquatRat is a fully-featured, multi-OS, persistent JavaScript RAT
- C2 domain: aurevian.cloud
- Attacker-controlled npm packages: axios-net, bigmathix, bigmathex, bignumx, bigmathutils
- Campaign demonstrates reasonably high sophistication and scope
My continuous npm scanner that supports my DPRK research site identified a malicious npm package, bigmathix, published by user jacksonroman338 (jacksonroman338[@]outlook[.]com). This npm package is a downloader that retrieves a capable JavaScript RAT. Malware on npm is nothing new and I pick up several samples per week from my monitor, but this one was interesting due to:
- Obfuscated multi-stage infection chain
- Utilisation of multiple logic gates and dynamic variables to prevent immediate deobfuscation/decryption
- Fairly complex footprint of the malware
Note: Do you want to follow along? Download the package tgz file! Please …

IoC

URLs and domains:
https://aurevian.cloud/public/index.js?ver=1.5&type=module
http://aurevian.cloud
https://aurevian.cloud/public/startup.js?ver=1.2&type=module
https://raw.githubusercontent.com/ryanthompson4323/axios-net/refs/heads/main/README.md
https://raw.githubusercontent.com/shanbennet322/express/refs/heads/main/LICENSE

Sample download (author's DPRK research site, not an attacker resource):
https://dprk-research.kmsec.uk/api/tarfiles/bigmathix/1.0.2

SHA-256:
7a5d8cc19d66c6ee9032b86b1f70888684139e86f8a8084c1ae15332e010e5e2
04d05b9e816278287f2777bc21803b2c8fefe46ae9d438ed92f9da37cc22e50d
033bbdfb4d956483bb646cfe818d588eb6e0c5be038bb81bca0eb4b6a0d907cb
8819881828726295f6a3728388de9b5e46754456abc1e6ae58582f640203c287

SHA-1:
739c68bcea2b27b7bc740d25cfeb5eceb98e4e02
188623874526cf7cd360f70fb199dbebad4f91a5
b3c59cabe93c677b33d42a74e965a89ed02d5869
9fb809741f4af93dd36043024114749ddf4d66ec
3eefd6644a593af7a1533024dac08e329eb113bd