Malicious NPM Packages Deliver NodeCordRAT

Zscaler ThreatLabz discovered three malicious npm packages (bitcoin-main-lib, bitcoin-lib-js, and bip40) that deploy a Node.js remote access trojan named NodeCordRAT, which uses Discord for command-and-control. The malware exfiltrates Chrome credentials, .env files, and MetaMask data (including LevelDB .ldb files and seed phrases), and was launched at install time through postinstall scripts and PM2.

Keypoints

  • Three malicious npm packages (bitcoin-main-lib, bitcoin-lib-js, bip40) were identified as delivery mechanisms for a new Node.js RAT named NodeCordRAT.
  • Attackers used typosquatting and links to the legitimate bitcoinjs repository in package.json to make the packages appear credible.
  • Postinstall scripts in wrapper packages launch bip40 via PM2 in detached mode, enabling immediate runtime persistence without user interaction.
  • NodeCordRAT uses Discord as its C2 channel, creating private channels per infected host and supporting commands like !runShell, !screenshot, and !sendfile.
  • The malware collects and exfiltrates Chrome Login Data and Local State, .env files, MetaMask LevelDB (.ldb) files, and full-desktop screenshots to the Discord channel.
  • The malicious packages were removed from npm, but the incident highlights ongoing software supply chain risks and the potential for similar future attacks.
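As an added defender-side example (not code from the Zscaler report), the following Python audit flags package.json manifests that show the traits described in the keypoints above: a name listed in the report, an install-time lifecycle hook that starts a process manager such as PM2, or a repository URL that points at a differently named project (the bitcoinjs link used for credibility). The sample manifests are constructed; the repository-mismatch check is a heuristic, since many legitimate packages also differ from their repo name.

```python
import json
import re

# Package names named in the Zscaler report (taken from the page above)
KNOWN_BAD_PACKAGES = {"bitcoin-main-lib", "bitcoin-lib-js", "bip40"}

# Lifecycle scripts npm runs automatically during `npm install`
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Process managers and backgrounding idioms that let an install hook leave a long-lived process behind
PERSISTENCE_PATTERNS = re.compile(r"\b(pm2|forever|nohup|setsid)\b|&\s*$")

def repo_slug(repo_field):
    """Return 'owner/project' from a package.json repository field, or None if not a GitHub URL."""
    url = repo_field.get("url", "") if isinstance(repo_field, dict) else str(repo_field or "")
    m = re.search(r"github\.com[/:]([^/]+)/([^/.]+)", url)
    return f"{m.group(1)}/{m.group(2)}" if m else None

def audit_package(pkg):
    """Return a list of findings for one parsed package.json (empty list means nothing suspicious)."""
    findings = []
    name = pkg.get("name", "")
    if name in KNOWN_BAD_PACKAGES:
        findings.append(f"{name}: package name listed in the NodeCordRAT report")
    scripts = pkg.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if cmd and PERSISTENCE_PATTERNS.search(cmd):
            findings.append(f"{name}: {hook} hook starts a detached/persistent process: {cmd!r}")
    slug = repo_slug(pkg.get("repository"))
    if slug and slug.split("/")[1] != name.split("/")[-1]:  # compare against the unscoped name
        findings.append(f"{name}: repository points at {slug}, which does not match the package name")
    return findings

def audit_manifests(manifests):
    """Audit several package.json documents (JSON strings); return {name: findings} for flagged ones."""
    report = {}
    for text in manifests:
        pkg = json.loads(text)
        hits = audit_package(pkg)
        if hits:
            report[pkg.get("name", "<unnamed>")] = hits
    return report

# Constructed sample manifests shaped like the report's description; not real package contents
SAMPLES = [
    json.dumps({"name": "bitcoin-lib-js", "version": "1.0.0",
                "repository": {"type": "git", "url": "https://github.com/bitcoinjs/bitcoinjs-lib.git"},
                "scripts": {"postinstall": "pm2 start node_modules/bip40/index.js"}}),
    json.dumps({"name": "left-pad", "version": "1.3.0",
                "repository": {"type": "git", "url": "git+https://github.com/stevemao/left-pad.git"},
                "scripts": {"test": "node test"}}),
]

if __name__ == "__main__":
    for pkg_name, hits in audit_manifests(SAMPLES).items():
        print(pkg_name, "->", hits)
```

To run it against a real tree, feed it the contents of every node_modules/*/package.json instead of SAMPLES.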

MITRE Techniques

  • [T1588.006] Obtain Capabilities: Code Signing Certificates – The attacker created a compelling narrative around a legitimate-looking npm package (typosquatting) to deliver malicious code. (‘The attacker creates a compelling narrative around a legitimate-looking npm package (via typosquatting) that contains the malicious code.’)
  • [T1584.007] Compromise Infrastructure: Development Platforms – The attacker distributed malware via typosquatted npm packages targeting developers. (‘The attacker uses a typosquatted npm package to distribute the malware, taking advantage of developers downloading or using incorrect package names in their projects.’)
  • [T1059.007] Command and Scripting Interpreter: JavaScript/JScript – The malware is implemented as a Node.js script, executing JavaScript code to perform actions on the host. (‘The core malicious payload is a Node.js script.’)
  • [T1027] Obfuscated Files or Information – The original code used minimal obfuscation (hexadecimal characters and uninformative variable names) to hinder analysis. (‘The original code used minimal obfuscation (hexadecimal characters, uninformative variable names) to confuse automated analysis and frustrate human reverse-engineering.’)
  • [T1082] System Information Discovery – NodeCordRAT gathers system information and host identifiers using OS commands and files to fingerprint each machine. (‘The script gathers detailed system information, including operating system (os.platform()), and executes operating system-specific commands (wmic, ioreg) to create a unique fingerprint (UUID/Machine ID) for the compromised host.’)
  • [T1016] System Network Configuration Discovery – The malware relies on network access to establish Discord-based C2 channels. (‘The script implicitly relies on network access to establish the Discord connection and C2 channel.’)
  • [T1102.002] Web Service: Social Media – Discord’s API is used as the primary C2 channel for commands and exfiltration via private channels. (‘The script uses the Discord API as its primary C2 communication channel for sending and receiving commands, and exfiltrating data, using a dedicated, private channel per endpoint.’)
  • [T1552.001] Unsecured Credentials: Credentials in Files – The malware searches for and exfiltrates plaintext credential files such as .env files. (‘The script actively searches for and exfiltrates unencrypted or weakly-encrypted files (e.g., .env files) containing sensitive plaintext credentials and configuration secrets.’)
  • [T1539] Steal Web Session Cookie – The actor targets the Chrome User Data directory to harvest session data, cookies, and saved logins. (‘The script targets the Chrome User Data directory, indicating an intent to steal web browser session data, cookies, and saved login credentials.’)
  • [T1213.001] Data from Local System: File Sharing – The !sendfile command enables exfiltration of arbitrary files from the victim’s filesystem. (‘The custom !sendfile command allows the threat actor to exfiltrate any specific file from the compromised system’s local file system.’)
  • [T1113] Screen Capture – The !screenshot command captures full-desktop screenshots for reconnaissance and data discovery. (‘The implementation of the !screenshot command allows the attacker to visually monitor user activity and discover sensitive information displayed on the screen.’)
  • [T1555.003] Credentials from Web Browsers – NodeCordRAT targets Chrome Login Data and Local State to decrypt and harvest saved browser credentials, and also targets LevelDB files for MetaMask data. (‘The script specifically targets the Chrome Login Data and Local State files with the intent to decrypt and harvest protected and saved browser credentials. This also includes the highly targeted exfiltration of LevelDB files found near the MetaMask wallet extension ID.’)
  • [T1041] Exfiltration Over C2 Channel – All stolen data (credentials, .env files, screenshots) is uploaded to the Discord C2 channel via the Discord API. (‘All sensitive data gathered (e.g., passwords, .env files, screenshots) is uploaded directly to the dedicated Discord C2 channel, using the existing connection for exfiltration.’)

Indicators of Compromise

  • [Package name] npm packages used to deliver NodeCordRAT – bitcoin-lib-js, bitcoin-main-lib, and bip40
  • [MD5 hash] package file hashes observed – 7a05570cda961f876e63be88eb7e12b8, c1c6f4ec5688a557fd7cc5cd1b613649, and 1 more hash
  • [Browser extension ID] MetaMask extension identifier targeted for LevelDB theft – nkbihfbeogaeaoehlefnkodbefgpgknn
  • [File names] files targeted for credential and secret theft – Login Data, Local State, and other files such as .env and .ldb
  • [Repository URL] URL used in package.json to appear legitimate – https://github.com/bitcoinjs/bitcoinjs-lib.git

Read more: https://www.zscaler.com/blogs/security-research/malicious-npm-packages-deliver-nodecordrat