Summary:
This article discusses a newly discovered malicious npm package, @vreden/meta, that poses as a WhatsApp Web client library and hides its malicious behaviour inside WhatsApp's authentication flow. The attack is multi-stage: the package first exfiltrates data to remote endpoints whose URLs are hidden behind Base64 encoding, then waits on a remote kill switch that can trigger a destructive shell command deleting files on the host. Its stealthy approach highlights the risks of third-party tooling built around messaging platforms and the importance of scrutinizing packages before installation.
#MalwareThreats #SupplyChainSecurity #DataExfiltration
Keypoints:
- The malware masquerades as a legitimate WhatsApp Web client.
- It can delete files and exfiltrate sensitive data.
- Utilizes WhatsApp’s authentication process to hide its malicious actions.
- Discovered in the npm package @vreden/meta.
- Employs Base64 encoding to obscure its data collection endpoints.
- Contains a remote kill switch that executes destructive commands.
- Establishes unauthorized connections to remote servers for data exfiltration.
- Threat actors exploit human error and trust in package authors.
- Socket’s security tools can help detect and mitigate such threats.
MITRE Techniques:
- Command and Scripting Interpreter (T1059.004): Utilizes Unix shell commands to execute destructive operations.
- Deobfuscate/Decode Files or Information (T1140): Uses encoding techniques to hide malicious code and endpoints.
- Exfiltration Over C2 Channel (T1041): Exfiltrates data through command and control channels.
- Indicator Removal: File Deletion (T1070.004): Executes shell commands that delete files and directories with no recovery option. A blanket wipe of this kind also fits Data Destruction (T1485); the kill switch is there to destroy data, not only to cover tracks.
IoC:
- [url] hxxps://rest-api[.]vreden[.]my[.]id?leads?id=
- [url] hxxps://ipwho[.]is/?lang=id-ID
- [url] hxxps://rest-api[.]vreden[.]my[.]id?cek?id=
- [tool name] @vreden/meta (the malicious npm package)
- [tool name] baileys (legitimate WhatsApp Web library; listed for context, not itself an indicator of compromise)
Full Research: https://socket.dev/blog/malicious-npm-package-exploits-whatsapp-authentication-with-remote-kill-switch