An npm package named oscompatible was found delivering a sophisticated RAT via a multi-stage chain that masquerades as a Windows update. The attack uses DLL search order hijacking, signed binaries, and remote payloads to drop a persistent RAT and extra tools like AnyDesk.
#Phylum #oscompatible
Keypoints
- The npm package oscompatible ships an .exe, a .dll and an encrypted .dat file; its index.js does nothing but run a batch file that starts the malicious chain.
- The attack chain relies on DLL search order hijacking to load attacker-supplied msedge.dll from the package directory.
- msedge.dll is loaded with LoadLibraryExA using a path form for which the Windows loader searches the application directory first, so the attacker's copy sitting next to the signed executable is chosen over the real one.
- msedge.dll decrypts msedge.dat into msedgedat.dll and executes it entirely in memory; the decrypted DLL never touches disk.
- The decrypted payload downloads a ZIP from a remote domain (kdark1[.]com) containing ud.exe, AnyDesk.exe, Band64.dll, RpcTest64.dll, and verify.dll.
- The final RAT, dropped as verify.dll, registers itself as a scheduled task, receives commands over web sockets, hides the desktop, and captures keyboard and mouse input, among other actions.
MITRE Techniques
- [T1218] Signed Binary Proxy Execution – The malware uses cookie_exporter.exe, a real Edge component, for its valid Authenticode signature. Quote: “cookie_exporter.exe is a real component of Microsoft Edge being used here for its valid Authenticode signature.”
- [T1574.001] DLL Search Order Hijacking – The code loads msedge.dll from the application directory, picking up the attacker-supplied msedge.dll placed there. Quote: “the directories searched and the order in which they are searched depends on the path… it will first look for this DLL in the application directory… attacker supplied msedge.dll in the same directory.”
- [T1105] Ingress Tool Transfer – The decrypted msedgedat.dll downloads a ZIP from kdark1[.]com dated 13 Jan 2024 (13012024 in DDMMYYYY form) that carries the additional payloads. Quote: “downloading a zip file dated 2024 JAN 13 (13012024, DDMMYYYY).”
- [T1053.005] Scheduled Task – The RAT registers as a scheduled task for persistence. Quote: “Registers as a scheduled task.”
- [T1071.001] Web Protocols – The RAT receives commands from a remote server using web sockets. Quote: “Receives commands from a remote server using web sockets.”
- [T1564] Hide Artifacts – Band64.dll is injected into Explorer to hide the desktop using SetWindowBand. Quote: “Band64.dll gets injected into Explorer so the desktop can be hidden using SetWindowBand.”
- [T1056.001] Input Capture: Keylogging – The RAT captures keyboard and mouse events. Quote: “Captures keyboard and mouse events.”
- [T1027] Obfuscated Files and Information – msedge.dat is decrypted with a 352-byte XOR key to produce msedgedat.dll. Quote: “decrypts it using a 352 byte XOR key.”
Indicators of Compromise
- [Package] npm – edgecompatible 2.3.4; oscompatible 2.3.4, 2.3.3, 2.3.2
- [SHA-256] – 3712af5f9bfbcdbc4fdd6e2831425b39b0eb3aab1c6d61c004fe96d3a57f21f5, d2952e57023848a37fb0f21f0dfb38c9000f610ac2b00c2f128511dfd68bde04
- [Domain] – kdark1[.]com
- [IP] – 172.64.149.23 (an address in Cloudflare's 172.64.0.0/13 range, so pivot and block on the domain rather than on the shared IP)
Read more: https://blog.phylum.io/npm-package-found-delivering-sophisticated-rat/