DangerousPassword attacks targeting developers’ Windows, macOS, and Linux environments – JPCERT/CC Eyes

JPCERT/CC details a DangerousPassword–linked campaign that targets developers in cryptocurrency exchanges across Windows, macOS, and Linux using Python and Node.js-based malware. The lifecycle includes multi-stage downloads, C2 beacons, and DLL sideloading, with additional samples like PythonHTTPBackdoor and JokerSpy noted as possible later-stage components. #DangerousPassword #CryptoMimic #SnatchCrypto #JPCERTCC #PythonHTTPBackdoor #JokerSpy

Keypoints

  • The campaign targets developers at cryptocurrency exchanges on Windows, macOS, and Linux, delivering its first stage inside tampered Python and Node.js modules rather than as a standalone executable.
  • On Windows, infection starts when the target runs a Python module whose builder.py has been injected with malicious code, unaware that anything was added.
  • The injected code hides its strings behind ROT13 (and Base64) and downloads an MSI payload, which executes on the host.
  • Later stages chain a PowerShell script that downloads another MSI, and a second MSI that drops devobj.dll next to a copied rdpclip.exe so that the legitimate binary sideloads the malicious DLL.
  • devobj.dll downloads a PE file over HTTPS and runs it in memory; the DLL is protected with VMProtect and resolves Windows APIs dynamically to hinder analysis.
  • On macOS and Linux, builder.py carries a different encoded string; the decoded stage produces intermediate files (log.tmp and tmp.py, the latter executed after the C2 responds), with PythonHTTPBackdoor and JokerSpy as possible follow-on payloads. The Node.js variant uses a modified route.js and a request.js file to download and run server.js, which beacons to the C2 every minute.
  • The appendix lists C2 domains and a large set of malware hashes, underscoring the campaign's multi-platform reach and its persistent focus on developers.
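The ROT13/Base64 layering in builder.py is the quickest thing to triage statically. The script below is an added example, not code from JPCERT/CC or from the pyqrcode project: it scans Python source for long Base64-shaped string literals, peels Base64 and ROT13+Base64 layers until the content stops looking encoded, and reports the plaintext plus any URLs in it. The sample source is constructed (the hidden code is a harmless print), and the ROT13-over-Base64 order is an assumption; the decoder tries both layer orders so it does not depend on that.

```python
import base64
import codecs
import re
import string

# Long quoted literals built only from the Base64 alphabet. ROT13 keeps text inside
# that alphabet, so ROT13-wrapped Base64 matches as well.
LITERAL_RE = re.compile(r"""(["'])([A-Za-z0-9+/=]{40,})\1""")
B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+=*$")
URL_RE = re.compile(r"https?://[^\s'\"]+")
PRINTABLE = set(string.printable)


def _is_text(data: bytes) -> bool:
    """Accept a decode result only if it is printable UTF-8 text."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(c in PRINTABLE for c in text)


def _b64(blob: str):
    """Strict Base64 decode; None on bad alphabet or padding."""
    try:
        return base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return None


def peel(blob: str, max_depth: int = 4):
    """Strip Base64 and ROT13+Base64 layers until the content stops looking encoded.
    Returns (layers_removed, plaintext)."""
    layers, current = [], blob
    for _ in range(max_depth):
        if not B64_ALPHABET.match(current):
            break  # no longer Base64-shaped: treat as the final plaintext
        decoded = _b64(current)
        if decoded is not None and _is_text(decoded):
            layers.append("base64")
            current = decoded.decode()
            continue
        decoded = _b64(codecs.decode(current, "rot_13"))
        if decoded is not None and _is_text(decoded):
            layers.append("rot13+base64")
            current = decoded.decode()
            continue
        break  # neither transform yields text: leave as-is
    return layers, current


def triage(source: str):
    """Find encoded literals in Python source and report what they decode to."""
    findings = []
    for _quote, literal in LITERAL_RE.findall(source):
        layers, text = peel(literal)
        if layers:
            findings.append({"literal_len": len(literal), "layers": layers,
                             "decoded": text, "urls": URL_RE.findall(text)})
    return findings


# Constructed stand-in for a tampered builder.py (not the real sample). The hidden
# code is a harmless print; the ROT13-over-Base64 order is an assumption.
INNER = "print('stage-2 stub')  # a real sample would fetch the next stage here"
OBFUSCATED = codecs.decode(base64.b64encode(INNER.encode()).decode(), "rot_13")
SAMPLE_SOURCE = (
    "import base64, codecs\n"
    "# ...QR-code module logic elided in this constructed sample...\n"
    f'exec(base64.b64decode(codecs.decode("{OBFUSCATED}", "rot_13")))\n'
)

if __name__ == "__main__":
    for finding in triage(SAMPLE_SOURCE):
        print(finding["layers"], "->", finding["decoded"])
```

Run it against every .py file in a suspect virtualenv or node_modules-adjacent tooling directory; a long literal that peels to code containing `exec`, `urllib`, `requests` or a URL is worth pulling into a sandbox rather than executing on the developer's machine.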

MITRE Techniques

  • [T1059.006] Python – The attacker inserts malicious code into builder.py in the Python module pyqrcode (https://github.com/mnooner256/pyqrcode), which handles QR codes, and distributes the modified module to the target by some means. When the target runs the file, unaware of the injected code, additional malware is downloaded and infects the machine.
  • [T1059.007] JavaScript – The attacker inserts malicious code into route.js in the express library folder and places the Node.js malware request.js in the same folder. When the target runs the file, unaware of the injected code, additional malware is downloaded and infects the machine.
  • [T1059.001] PowerShell – A dropped PowerShell script downloads and executes an additional MSI file from an external server.
  • [T1574.002] DLL Side-Loading – After dropping devobj.dll and copying rdpclip.exe alongside it, the malware runs when rdpclip.exe sideloads devobj.dll.
  • [T1105] Ingress Tool Transfer – The Python and Node.js stages download MSI or PE payloads from external servers and execute them.
  • [T1027] Obfuscated Files or Information – ROT13 (and Base64) encoding conceals C2 strings and other data in the malware.
  • [T1071.001] Web Protocols – The Node.js stage contacts the C2 server every minute, periodic beaconing over HTTP(S).
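The sideloading step is easy to hunt for because the genuine devobj.dll only lives in the Windows system directories: an rdpclip.exe that loads devobj.dll from anywhere else has been copied next to a planted DLL. The hunt below is an added example, not JPCERT/CC's code. It runs over constructed records shaped like the Image/ImageLoaded fields of Sysmon Event ID 7 (ImageLoad); the host name, PIDs and the path under the user's profile are made up, and the trusted-directory list is an assumption you should adapt to your estate.

```python
import ntpath

# Directories where the genuine devobj.dll lives; any other location is suspect.
# Assumption for this example; adjust for non-default Windows install roots.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# (host executable, DLL) pairs to watch. Only the pair reported for this
# campaign is listed; add other known sideloading pairs as needed.
SIDELOAD_PAIRS = {("rdpclip.exe", "devobj.dll")}


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (works on any host OS via ntpath)."""
    return ntpath.normpath(path).lower()


def is_sideload(event: dict) -> bool:
    """True when a watched executable loads its watched DLL from a directory
    other than the trusted system directories."""
    image, loaded = _norm(event["Image"]), _norm(event["ImageLoaded"])
    if (ntpath.basename(image), ntpath.basename(loaded)) not in SIDELOAD_PAIRS:
        return False
    return ntpath.dirname(loaded) not in TRUSTED_DIRS


def hunt(events):
    """Return alerts for sideloading candidates, noting whether the EXE was
    copied into the same directory as the DLL (the pattern in this campaign)."""
    alerts = []
    for e in events:
        if not is_sideload(e):
            continue
        same_dir = ntpath.dirname(_norm(e["Image"])) == ntpath.dirname(_norm(e["ImageLoaded"]))
        alerts.append({"host": e.get("Computer", "?"), "pid": e.get("ProcessId"),
                       "image": e["Image"], "dll": e["ImageLoaded"],
                       "exe_copied_with_dll": same_dir})
    return alerts


# Constructed records shaped like Sysmon Event ID 7 (ImageLoad) fields.
SAMPLE_EVENTS = [
    {"Computer": "dev-ws01", "ProcessId": 4120,
     "Image": r"C:\Windows\System32\rdpclip.exe",
     "ImageLoaded": r"C:\Windows\System32\devobj.dll"},              # legitimate
    {"Computer": "dev-ws01", "ProcessId": 5044,
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\devobj.dll"},              # unrelated process
    {"Computer": "dev-ws01", "ProcessId": 6188,
     "Image": r"C:\Users\dev\AppData\Local\Temp\rdpclip.exe",
     "ImageLoaded": r"C:\Users\dev\AppData\Local\Temp\devobj.dll"},  # sideload
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The same rule expressed in your SIEM's query language is a process-name match plus a "loaded-from directory not in System32/SysWOW64" filter; the `exe_copied_with_dll` flag is the detail that distinguishes this campaign's copy-the-host-binary pattern from a search-order hijack of a process launched from its normal location.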

Indicators of Compromise

  • [Domain] app.developcore.org – C2 domain used by the attackers
  • [Domain] pkginstall.net – C2 domain observed in the campaign
  • [Domain] www.git-hub.me – C2 domain observed in the campaign
  • [Domain] checkdevinc.com – C2 domain observed in the campaign
  • [File Hash] 118c1187c5b37ab9c4f9f39500d777c0a914c379d853439608157379dcb71772 – one of the malware hashes
  • [File Hash] 35b4550050748c54faad1e5883c281f29c08e817cc193432e7b9b43124a7962a – another malware hash
  • [File Name] builder.py – file inside the tampered Python module that carries the injected code
  • [File Name] log.tmp – decoded file in macOS/Linux flow
  • [File Name] tmp.py – Python-decoded file executed after C2 response
  • [File Name] server.js – Node.js payload downloaded and executed by request.js
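Beyond matching the domains above, the one-minute beacon of the Node.js stage gives a behavioural signal that survives a change of C2 host. The scorer below is an added example, not JPCERT/CC's code: it groups outbound connection records by destination, takes the median gap between connections and flags hosts whose gap sits near the expected interval with low jitter. The records are constructed; app.developcore.org is the C2 domain from the report, the exact timestamps and jitter are made up, and example.com stands in for ordinary browsing.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def beacon_score(timestamps, expected=60.0, tolerance=0.15, min_events=5):
    """Judge whether a series of connection times is a fixed-interval beacon.
    Returns (is_beacon, median_gap_seconds, max_relative_jitter)."""
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return False, None, None
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    med = median(gaps)
    if med <= 0:
        return False, med, None
    # Largest deviation from the median, relative to the median: a true timer
    # beacon stays within a few percent; human traffic is all over the place.
    jitter = max(abs(g - med) / med for g in gaps)
    is_beacon = abs(med - expected) <= tolerance * expected and jitter <= tolerance
    return is_beacon, med, jitter


def find_beacons(records, **kwargs):
    """Group (timestamp, destination host) records by host and score each host."""
    by_host = defaultdict(list)
    for when, host in records:
        by_host[host].append(when)
    return {host: beacon_score(times, **kwargs) for host, times in by_host.items()}


# Constructed outbound-connection records (e.g. from proxy or firewall logs).
# The 60 s cadence comes from the report; times and jitter are made up.
BASE = datetime(2023, 7, 12, 9, 0, 0)
BEACON = [(BASE + timedelta(seconds=60 * i + (i % 3) - 1), "app.developcore.org")
          for i in range(10)]
BROWSE = [(BASE + timedelta(seconds=s), "example.com")
          for s in (3, 9, 40, 45, 300, 301, 900)]

if __name__ == "__main__":
    for host, (hit, med, jit) in find_beacons(BEACON + BROWSE).items():
        print(f"{host:24} beacon={hit} median_gap={med} jitter={jit}")
```

Feed this from proxy, firewall or flow logs rather than DNS logs: a resolver cache collapses once-a-minute lookups into one query per TTL, so the periodicity is only visible at the connection layer.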

Read more: https://blogs.jpcert.or.jp/en/2023/07/dangerouspassword_dev.html