JFrog Security researchers uncovered a highly targeted npm supply chain attack aimed at German-based companies, using fake npm maintainers to host malicious packages that deliver a sophisticated backdoor payload. The operation appears to involve dependency confusion and obfuscated JavaScript, with Code White later claiming responsibility for the attack. #bertelsmannnpm #CodeWhite
Keypoints
- Targeting: The attack is highly targeted at prominent German industrial companies.
- Malicious maintainers: Four fake maintainers hosted the malicious packages: bertelsmannnpm, boschnodemodules, stihlnodemodules, and dbschenkernpm.
- Dependency confusion: The naming and maintainer setup suggest a dependency confusion technique against the targeted companies.
- Two-stage structure: The malware consists of a dropper and a payload; depending on the target, the payload is either JavaScript-based or a native binary.
- Backdoor and C2: The payload acts as a backdoor that communicates with a hardcoded C2 server over HTTPS and DNS, accepting commands (download, upload, eval, exec, delete, register).
- Obfuscation choice: The malware relies on the publicly available javascript-obfuscator package to obfuscate both the dropper and the payload.
- Ambiguous actor: Analysts are unsure if the operation is the work of a sophisticated threat actor or an aggressive pentest (Code White later claimed responsibility).
MITRE Techniques
- [T1195] Supply Chain – The attack uses dependency confusion via fake npm maintainers to inject malicious packages into German company ecosystems. [Quote] ‘From these maintainer names and from the package names chosen, it seems highly likely that this is a dependency confusion attack against the respective German industrial companies.’
- [T1027] Obfuscated/Compressed Files and Information – The dropper and payload are obfuscated with the javascript-obfuscator package. [Quote] ‘The only part of the malware which doesn’t seem custom-coded, is the malware’s obfuscation. Both the dropper and the payload are obfuscated using the ubiquitous javascript-obfuscator package.’
- [T1071.001] Web Protocols – The dropper exfiltrates data to a telemetry/C2 server over HTTPS and DNS. [Quote] ‘The dropper exfiltrates information about the infected machine to the malware’s “telemetry” server (by default hosted at www.pkgio.com) through HTTPS and DNS.’
- [T1059.007] JavaScript – The payload can be JavaScript-based, indicating execution via JavaScript. [Quote] ‘depending on the configuration, the payload can either be a Javascript-based payload or a native binary compiled for the target platform.’
- [T1041] Exfiltration Over C2 Channel – The dropper transmits collected data to the C2/telemetry channel for exfiltration. [Quote] ‘The dropper exfiltrates information about the infected machine to the malware’s “telemetry” server … through HTTPS and DNS.’
Indicators of Compromise
- [Domain] Telemetry/C2 domain – pkgio.com, www.pkgio.com
- [NPM Package] Malicious maintainers – bertelsmannnpm, boschnodemodules, stihlnodemodules, dbschenkernpm
- [File] Exfiltration targets – /etc/hosts, /etc/resolv.conf
- [File] Packaged test files referenced – package.json
- [File] OS-specific payload files – mac.enc.js, win.enc.js
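The dependency-confusion point in the Keypoints and the domain indicators above lend themselves to two lockfile-level checks a defender can run offline. The script below is an added example, not code from the JFrog post or from the attacker's packages: it flags any package that an organisation publishes only to a private registry but that a lockfile resolved from the public npm registry, and it flags install-time lifecycle scripts that contact the report's C2 domain. The package names, the private registry host and the sample lockfile are constructed for illustration; only the pkgio.com domain comes from the report.

```python
"""Dependency-confusion and IoC checks over npm lockfile / manifest data.

Added example (not from the JFrog post). Assumptions, all hypothetical:
  - INTERNAL_PACKAGES are names the organisation publishes only privately
  - PRIVATE_REGISTRY_HOSTS is the organisation's private registry host
The only value taken from the report is the pkgio.com C2/telemetry domain.
"""
import json
import re
from urllib.parse import urlparse

# Hypothetical: names that should only ever resolve from the private registry.
INTERNAL_PACKAGES = {"acme-internal-auth", "acme-build-tools"}
PRIVATE_REGISTRY_HOSTS = {"npm.acme.example"}  # hypothetical private registry

# Domain indicator from the report; subdomains such as www.pkgio.com match too.
IOC_DOMAINS = {"pkgio.com"}

# Constructed sample package-lock.json (lockfileVersion 3 layout).
SAMPLE_LOCKFILE = json.dumps({
    "name": "acme-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "acme-app"},
        # Internal name, but resolved from the public registry: confusion candidate.
        "node_modules/acme-internal-auth": {
            "version": "99.0.1",
            "resolved": "https://registry.npmjs.org/acme-internal-auth/-/acme-internal-auth-99.0.1.tgz",
        },
        # Internal name resolved from the private registry: expected.
        "node_modules/acme-build-tools": {
            "version": "2.4.0",
            "resolved": "https://npm.acme.example/acme-build-tools/-/acme-build-tools-2.4.0.tgz",
        },
        # Ordinary public dependency: not of interest to this check.
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
        },
    },
})

# Constructed sample package.json of a dependency with a suspicious install hook.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "some-dep",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "node -e \"require('https').get('https://www.pkgio.com/t')\"",
        "test": "node test.js",
    },
})

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def package_name(lock_path):
    """Return the package name from a lockfile path such as
    'node_modules/a/node_modules/@scope/b' -> '@scope/b'."""
    return lock_path.split("node_modules/")[-1]


def find_confused_dependencies(lockfile_text, internal_packages, private_hosts):
    """Return (name, version, host) for internal package names whose tarball
    resolved from a host other than the private registry."""
    lock = json.loads(lockfile_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if not path:  # the root project entry has an empty key
            continue
        name = package_name(path)
        if name not in internal_packages:
            continue
        host = urlparse(entry.get("resolved", "")).hostname or ""
        if host not in private_hosts:
            findings.append((name, entry.get("version"), host))
    return findings


def find_ioc_scripts(package_json_text, ioc_domains):
    """Return (hook, host) for install-time scripts that reference a URL whose
    host is an IoC domain or one of its subdomains."""
    pkg = json.loads(package_json_text)
    hits = []
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        for host in URL_HOST_RE.findall(cmd):
            if any(host == d or host.endswith("." + d) for d in ioc_domains):
                hits.append((hook, host))
    return hits


if __name__ == "__main__":
    for name, version, host in find_confused_dependencies(
            SAMPLE_LOCKFILE, INTERNAL_PACKAGES, PRIVATE_REGISTRY_HOSTS):
        print(f"possible dependency confusion: {name}@{version} resolved from {host}")
    for hook, host in find_ioc_scripts(SAMPLE_PACKAGE_JSON, IOC_DOMAINS):
        print(f"install hook '{hook}' contacts IoC host {host}")
```

Against the constructed input the first check reports acme-internal-auth resolved from registry.npmjs.org, which is exactly the shape a dependency-confusion substitution takes, and the second reports the postinstall hook reaching www.pkgio.com. Resolution-host checks like the first are the durable mitigation (combined with scoping internal packages and pinning the registry for those scopes); the domain match is only a point-in-time indicator and should be fed from a maintained IoC list rather than hardcoded.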
Read more: https://jfrog.com/blog/npm-supply-chain-attack-targets-german-based-companies/