Inside the Axios supply chain compromise – one RAT to rule them all

Elastic Security Labs disclosed a supply-chain compromise of the widely used axios npm package in which a compromised maintainer account published backdoored versions that used a malicious plain-crypto-js postinstall hook to download a cross-platform RAT. The implants (PowerShell, C++, Python) share an identical C2 protocol and beacon behavior and were delivered from sfrclak[.]com:8000, enabling large-scale, automated compromise via npm installs. #Axios #UNC1069

Keypoints

  • Attackers gained control of an axios maintainer account and published two malicious releases ([email protected] tagged latest and [email protected] tagged legacy), so default npm installs pulled backdoored code.
  • The malicious release introduced [email protected] with a postinstall hook (node setup.js) that downloaded platform-specific stage-2 implants from sfrclak[.]com:8000.
  • Stage-2 tooling consisted of three native implementations (Windows PowerShell, macOS C++, Linux Python) of the same RAT, sharing C2 protocol, command set, beacon cadence, session UID format, and spoofed User-Agent.
  • C2 communications used HTTP POST with Base64-encoded JSON and a spoofed IE8/Windows XP User-Agent string, making the user-agent a strong detection signal on non-Windows hosts.
  • The dropper employed a two-layer obfuscation (string reversal + Base64, then XOR) and performed anti-forensics by deleting setup.js and replacing package.json with a clean manifest.
  • The Windows variant includes persistence (Registry Run key + hidden .bat) and reflective .NET in-memory loading; the macOS and Linux variants drop binaries to disk and execute them.
  • Elastic filed a GitHub Security Advisory and published triage/detection rules; Elastic noted overlap between the macOS Mach-O and WAVESHAPER/UNC1069 indicators.

MITRE Techniques

  • [T1195] Supply Chain Compromise – The attacker took over an npm maintainer account and used it to publish backdoored package versions (‘…compromised a maintainer account and published backdoored versions…’).
  • [T1059.006] Command and Scripting Interpreter: Node.js – Payload execution relied on an npm lifecycle hook running “node setup.js” in plain-crypto-js’s postinstall (‘…postinstall hook silently downloaded and executed platform-specific stage-2 RAT implants…’).
  • [T1105] Ingress Tool Transfer – Stage-2 implants were fetched from the attacker-controlled server via HTTP (sfrclak[.]com:8000) during installation (‘…silently downloaded and executed platform-specific stage-2 RAT implants from sfrclak[.]com:8000’).
  • [T1027] Obfuscated Files or Information – The dropper used “string reversal followed by Base64 decoding” and an XOR cipher with a position-dependent index to conceal strings and behavior (‘…two-layer encoding scheme… String reversal followed by Base64 decoding… XOR cipher using the key OrDeR_7077…’).
  • [T1070] Indicator Removal on Host – The dropper deleted itself and replaced the malicious package manifest with a clean copy to remove traces (‘…setup.js removes itself via fs.unlink(__filename)… package.md … renamed to package.json, overwriting the malicious version’).
  • [T1071.001] Application Layer Protocol: Web Protocols (HTTP) – C2 transport used HTTP POST with Base64-encoded JSON and a spoofed User-Agent (‘C2 transport: HTTP POST… Body encoding: Base64-encoded JSON… User-Agent: mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)’).
  • [T1055] Process Injection – The Windows variant performs reflective .NET assembly loading for in-memory execution, consistent with process injection techniques (‘Reflective .NET assembly loading via [System.Reflection.Assembly]::Load()’).
  • [T1547.001] Registry Run Keys/Startup Folder – The Windows implant implements persistence via a Registry Run key combined with a hidden startup .bat (‘Persistence: Registry Run key + hidden .bat’).
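As an added triage example (not code from Elastic or from the write-up), the following Python turns the indicators above into two defender-side checks: a scan of proxy-style log lines for connections to the stage-2/C2 host on port 8000 and for the IE8/Windows XP User-Agent appearing on non-Windows hosts, and a check of a package.json for the plain-crypto-js dependency or a postinstall that runs setup.js. The log layout and all sample inputs are constructed for this example; the package versions elided above are not reproduced.

```python
import re
from typing import Dict, List

# Indicators from the write-up summarised above (defanged domain refanged for matching).
SPOOFED_UA = "mozilla/4.0 (compatible; msie 8.0; windows nt 5.1; trident/4.0)"
C2_HOST = "sfrclak.com"
C2_PORT = "8000"
BACKDOOR_DEP = "plain-crypto-js"

# Assumed (constructed) proxy log layout, not a real product's format:
#   <timestamp> <src_host> os=<os> <method> <url> ua="<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) os=(\S+) (\S+) (\S+) ua="([^"]*)"$')


def triage_proxy_log(lines: List[str]) -> List[str]:
    """Return one finding per matching indicator in the supplied log lines."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as findings
        _ts, host, os_name, _method, url, ua = m.groups()
        if f"{C2_HOST}:{C2_PORT}" in url:
            findings.append(f"{host}: traffic to stage-2/C2 server {url}")
        # The IE8/XP User-Agent is a strong signal only where it cannot be legitimate,
        # so it is flagged on macOS/Linux hosts and ignored on Windows.
        if ua.lower() == SPOOFED_UA and os_name.lower() != "windows":
            findings.append(f"{host}: spoofed IE8 User-Agent from {os_name} host")
    return findings


def check_manifest(manifest: Dict) -> List[str]:
    """Flag a package.json that depends on the backdoor package or runs setup.js on install.
    Note: the dropper overwrote its own package.json with a clean copy after running, so
    apply this to the pre-install lockfile/tarball contents, not to node_modules afterwards."""
    issues = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        if BACKDOOR_DEP in manifest.get(section, {}):
            issues.append(f"{section} includes {BACKDOOR_DEP}")
    post = manifest.get("scripts", {}).get("postinstall", "")
    if "setup.js" in post:
        issues.append(f"postinstall runs {post!r}")
    return issues


# Constructed sample inputs for a stand-alone run.
SAMPLE_LOG = [
    '2026-01-01T10:00:01Z build-mac-01 os=macos POST http://sfrclak.com:8000/ ua="' + SPOOFED_UA + '"',
    '2026-01-01T10:00:05Z dev-win-07 os=windows GET https://registry.npmjs.org/axios ua="npm/10.2.0 node/v20.11.0"',
    '2026-01-01T10:00:09Z ci-linux-03 os=linux POST https://example.org/api ua="' + SPOOFED_UA + '"',
]
SAMPLE_MANIFEST = {"name": "example-app", "dependencies": {"axios": "*", "plain-crypto-js": "*"},
                   "scripts": {"postinstall": "node setup.js"}}

if __name__ == "__main__":
    print("\n".join(triage_proxy_log(SAMPLE_LOG)))
    print("\n".join(check_manifest(SAMPLE_MANIFEST)))
```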

Indicators of Compromise

  • [SHA-256] Stage-2 payload file hashes – 617b67a8e1210e4fc87c92d1d1da45a2f311c08d26e89b12307cf583c900d101 (Windows payload), 92ff08773995ebc8d55ec4b8e1a225d0d1e51efa4ef88b8849d0071230c9645a (macOS payload), and 1 more hash.
  • [Domain] C2 and payload hosting – sfrclak[.]com (payload/C2 server serving stage-2 implants on port 8000).
  • [IPv4-addr] Observed C2 address – 214.2.11.206[.]73 (listed in observables as an associated IPv4 address for C2 traffic).
  • [File name] Dropped/executed artifact names – 6202033.ps1 (Windows transient downloader), com.apple.act.mond (macOS dropped binary), ld.py (Linux payload script).
  • [Package/Software] Compromised packages and malicious dependency – [email protected] and [email protected] (malicious releases), [email protected] (postinstall backdoor delivery package).
  • [Email/Publisher] Changed publisher identity in registry metadata – ifstap@proton[.]me (malicious publisher email used for compromised publishes) vs jasonsaayman@gmail[.]com (legitimate maintainer).

Read more: https://www.elastic.co/security-labs/axios-one-rat-to-rule-them-all