Sonatype has discovered more malware in the npm registry which, following our analysis and multiple cyber threat intelligence reports, has led to the discovery of a novel and large scale malware campaign leveraging the open-source ecosystem.
The malware called “xpc.js” was spotted on Friday by our Nexus Intelligence research service which includes next generation machine learning algorithms that automatically detect potentially malicious activity associated with open source ecosystems.
This follows on the heels of last week’s news when Sonatype’s Nexus Intelligence engine and it’s release integrity algorithm discovered discord.dll: the successor to “fallguys” malware and 3 other components. Since launching Release Integrity out of beta on Oct. 7 this year, our Nexus Intelligence service has discovered five malicious components.
Sonatype’s deep dive research analysis has concluded both “xpc.js” and malicious components identified last week are part of a newly identified family of Discord malware called CursedGrabber.
The component exists as a tar.gz (tgz) archive with just one version 6.6.6 (likely a pun) and was published to npm registry around November 11, 2020.
xpc.js has scored just under a 100 downloads as Sonatype discovered it almost immediately after the author published it.
The NodeJS files it includes have a very similar structure to malware reported by Sonatype last week: discord.app, wsbd.js and ac-addon.
Sonatype security researcher Sebastián Castro who analyzed xpc.js explains:
“The malware targets Windows hosts. It contains two EXE files which are invoked and executed via ‘postinstall’ scripts from the manifest file, ‘package.json’.”
The manifest file package.json contained within “xpc.js”
The npm component’s manifest file launches lib.js which has just two lines of code, shown below. This is where the EXEs that Castro refers to are invoked.
The “lib.exe” and “lib2.exe” bundled within the “xpc.js” package itself are Discord information stealing malware written in C# and compressed together with Fody-Costura.
“These two PE32 files were forged with Fody-Costura,” states Castro.
Both executables have references to, or rather assert they are based on “CursedGrabber” information stealing Discord malware.
Image: Discord webhook used by lib.exe still up and running
“lib.exe” was also caught mapping user’s payment card details and billing information, in addition to other sensitive data.
Lib.exe retrieving payment information in addition to Discord tokens and web browser files
In our tests, we noticed lib.exe was stealthy. For example, in certain VM environments it would not perform its malicious activities until after a few minutes had elapsed, to evade analysis by bots and researchers alike.
This archive contains 34 DLLs, and 2 EXEs.
The EXEs are launched automatically by lib2.exe itself as shown by the process tree below. These include “osloader.exe” and “winresume.exe”
lib2.exe is a dropper which downloads and unzips an archive and further spins up osloader.exe and eventually winresume.exe
The winresume binary is a tainted version of the legitimate winresume.exe application that helps Windows computers resume after periods of hibernation. Again, this is part of malware’s evasive tactics to forge legitimate binaries with malicious code.
Here’s how the malware execution sequence would appear to a Windows user:
The “Windows NT is not supported” message shown in the screenshot, however, is a false error thrown by the malware in an attempt to fool both antivirus products and the end-user.
“The malware dropped by lib2.exe contains advanced, multiple capabilities, such as, privilege escalation, keylogging, taking screenshots, planting backdoors, accessing webcam, etc.,” explains Castro.
We also noticed the backdoor spun up by the CursedGrabber malware had a REST API running on port 20202 on an infected machine for easy command-and-control (C2) access:
A worrisome finding is some crucial binaries contained in this malware have a low detection rate:
For example, osloader.exe that fires up a bunch of malicious processes had such a low detection rate on VirusTotal that just about 2% antivirus engines today would be able to spot it:
All Discord malware identified thus far, both by Sonatype and external members of the security community execute nearly the same tasks: steal Discord tokens and sensitive user data.
And yet, there are differences in virtually every single Discord malware sample—including samples created by the same author to perform identical tasks.
For example, the npm author ~luminate_ who had published discord.app, wsbd.js, ac-addon, and finally this xpc.js has made each of these packages drop a different CursedGrabber strand.
The dropped binaries perform nearly identical tasks—some to a greater degree than others, but the differences between them seem intentional, to make detection harder.
The timing of Sonatype’s discovery of npm malware last week, including the latest xpc.js npm component of the CursedGrabber malware family roughly coincides with Netskope’s discovery of TroubleGrabber Discord malware family which spreads via GitHub.
TroubleGrabber, which leverages GitHub to spread, is based off of yet another C# Discord malware AnarchyGrabber. It comprises around 2,000 file hashes and over 700 Discord addresses, making detection increasingly challenging by the day.
In our recent state of the software supply chain report, we documented a 430% increase in malicious code injection within OSS projects – or next-gen software supply chain attacks, and this isn’t the first time we have seen attacks including counterfeit components.
Discovery of yet another family of counterfeit components, especially after “Discord.dll” malware had already made headlines, speaks to the damage that is possible to your software supply chain if adequate protections are not in place.
Sonatype is tracking CursedGrabber malware including npm’s xpc.js as Sonatype-2020-1096, Sonatype-2020-1097, and Sonatype-2020-1109.
More Sonatype identifiers may be assigned as more samples in the wild are identified.
Sonatype’s timeline related to the malicious package’s discovery and reporting is as follows:
Based on the visibility we have, no Sonatype customers have downloaded “xpc.js” and our customers remain protected against counterfeit components like CursedGrabber.
Sonatype’s world-class open source intelligence, which includes our automated malware detection technology, safeguards your developers, customers, and software supply chains from infections like these.
If you’re not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype’s free Nexus Vulnerability Scanner to find out quickly.
Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive Nexus Intelligence Insights hot off the press.
Indicators of Compromise (IoCs) are available in the original report published by Ax Sharma:
About the author: Ax Sharma
Endorsed an Exceptional Talent (‘a recognized leader’) in technology by the British Government, Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets like Fortune, The Register, TechRepublic, CSO Online, BleepingComputer, etc. Ax’s expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.
(SecurityAffairs – hacking, CursedGrabber malware)