An npm package named emails-helper was used to deliver encrypted binaries and C2 tooling, exfiltrating developer data and instructing on how to deploy tools like dnscat2, mettle, and Cobalt Strike Beacon. The attack leverages an npm preinstall hook, DNS TXT records, and encoded payloads to quietly fetch keys and URLs, decrypt and execute binaries, and establish covert C2 channels. #emails-helper #CobaltStrikeBeacon
Keypoints
- A malicious package named “emails-helper” was published to npm. Upon installation, it automatically executes a malicious file called init.js.
- The executed file establishes communication with a remote server to siphon off sensitive developer data, including configuration files and SSH keys.
- Data exfiltration is attempted via HTTP, and if this fails, the attacker reverts to exfiltrating data via DNS.
- C2 URLs and encryption keys are retrieved from a remote server, either via HTTP or a DNS TXT record.
- Base64-encoded and encrypted binaries that are shipped with the package are then decoded, decrypted, and silently spawned in the background.
- The binaries deploy penetration testing tools like dnscat2, mettle, and Cobalt Strike Beacon.
MITRE Techniques
- [T1195] Supply Chain – A malicious npm package named “emails-helper” was published to npm, compromising developers’ environments. “A malicious package named “emails-helper” was published to npm.”
- [T1059.007] JavaScript – The attack runs JavaScript via the npm preinstall hook to execute init.js. “preinstall hook executing a file directly”
- [T1027] Obfuscated/Compressed Files and Information – The init.js file is minified and highly obfuscated, then executed. “The init.js file is minified and, when properly formatted, comes in at around 300 lines.”
- [T1132.001] Data Encoding – The package ships Base64-encoded and encrypted binaries and uses hex encoding for data transfer. “Base64-encoded and encrypted binaries that are shipped with the package are then decoded, decrypted, and silently spawned”
- [T1041] Exfiltration Over C2 Channel – Sensitive data is exfiltrated via HTTP, with fallback to DNS. “Data exfiltration is attempted via HTTP, and if this fails, the attacker reverts to exfiltrating data via DNS.”
- [T1071.004] DNS – Keys and C2 URL information are retrieved via DNS TXT records from a remote server. “The attacker retrieves encryption keys from a DNS TXT record hosted on a remote server”
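One defender-side way to triage an unpacked npm package for the pattern described in the keypoints and the MITRE mapping above (an install hook that runs a bundled script, DNS TXT lookups, large Base64 blobs, decryption and child-process spawning). This is an added example and not Phylum's tooling or any code from the package; the sample package contents, the hook command, the file names, the score thresholds and the regex heuristics are all constructed for the demonstration, and the "malicious" fixture contains only stub calls with no working logic.

```python
"""Static triage of an unpacked npm package for the install-hook pattern:
a preinstall/install/postinstall script that runs a local file, plus JS that
resolves DNS TXT records, decodes big base64 blobs, decrypts and spawns.
Heuristic only; thresholds and fixtures are constructed for this demo."""
import base64
import json
import os
import re
import tempfile

# npm lifecycle hooks that run automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# (label, regex) pairs applied to JS source text
JS_SIGNALS = [
    ("dns_txt_lookup", re.compile(r"\bresolveTxt\b|\bdns\.promises\b")),
    ("child_process", re.compile(r"require\(\s*['\"]child_process['\"]\s*\)|\bspawn\s*\(|\bexecSync\s*\(")),
    ("base64_decode", re.compile(r"from\(\s*[^,]+,\s*['\"]base64['\"]\s*\)")),
    ("crypto_decipher", re.compile(r"\bcreateDecipheriv\s*\(")),
    ("reads_ssh_dir", re.compile(r"\.ssh\b")),
]
# Base64 runs this long are rare in hand-written JS and typical of embedded binaries
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{512,}={0,2}")

# Constructed 800-character base64 blob used only to exercise the detector
BLOB = base64.b64encode(b"A" * 600).decode()
SAMPLE_INIT_JS = """
// Constructed fixture mimicking the *shape* of a suspicious init.js; stubs only.
const dns = require('dns');
const os = require('os');
const path = require('path');
const crypto = require('crypto');
const { spawn } = require('child_process');
const sshDir = path.join(os.homedir(), '.ssh');
dns.resolveTxt('key.example.invalid', function (err, records) {});
const blob = Buffer.from('%s', 'base64');
const d = crypto.createDecipheriv('aes-256-cbc', KEY, IV);
""" % BLOB


def hook_scripts(package_json: dict) -> dict:
    """Return the install-time lifecycle scripts declared in package.json."""
    scripts = package_json.get("scripts", {}) or {}
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}


def scan_js(source: str) -> dict:
    """Return the signal labels found in one JS source plus the blob count."""
    hits = {label for label, rx in JS_SIGNALS if rx.search(source)}
    return {"signals": sorted(hits), "base64_blobs": len(BASE64_BLOB.findall(source))}


def triage_package(pkg_dir: str) -> dict:
    """Walk an unpacked package and score it against the install-hook pattern."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as fh:
        meta = json.load(fh)
    hooks = hook_scripts(meta)
    findings = {"hooks": hooks, "files": {}}
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            if not name.endswith((".js", ".cjs", ".mjs")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                result = scan_js(fh.read())
            if result["signals"] or result["base64_blobs"]:
                findings["files"][os.path.relpath(path, pkg_dir)] = result
    # A hook alone is common (native builds); hook + runtime signals is the combination to flag.
    score = 0
    if hooks:
        score += 1
        if any(re.search(r"\bnode\s+\S+\.js\b", cmd) for cmd in hooks.values()):
            score += 1  # hook runs a bundled script directly
    all_signals = {s for f in findings["files"].values() for s in f["signals"]}
    score += len(all_signals)
    score += sum(f["base64_blobs"] > 0 for f in findings["files"].values())
    findings["score"] = score
    findings["verdict"] = "suspicious" if score >= 4 else "review" if score >= 2 else "clean"
    return findings


def build_sample_package(malicious: bool = True) -> str:
    """Write a constructed sample package to a temp dir and return its path."""
    d = tempfile.mkdtemp(prefix="npm-triage-")
    if malicious:
        meta = {"name": "demo-helper", "version": "1.0.0", "scripts": {"preinstall": "node init.js"}}
        with open(os.path.join(d, "init.js"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_INIT_JS)
    else:  # benign native module: hook present, no runtime signals
        meta = {"name": "demo-native", "version": "1.0.0", "scripts": {"postinstall": "node-gyp rebuild"}}
        with open(os.path.join(d, "index.js"), "w", encoding="utf-8") as fh:
            fh.write("module.exports = function add(a, b) { return a + b; };\n")
    with open(os.path.join(d, "package.json"), "w", encoding="utf-8") as fh:
        json.dump(meta, fh)
    return d


if __name__ == "__main__":
    for flag in (True, False):
        print(json.dumps(triage_package(build_sample_package(flag)), indent=2))
```

Point `triage_package` at a directory produced by `npm pack` followed by `tar -xzf` to run it against a real tarball before installation; a `preinstall` hook by itself is ordinary (native builds use one), so the score only climbs when the hook is paired with the DNS, decode, decrypt and spawn signals that characterise this campaign.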
Indicators of Compromise
- [Domain] autistan.lu – used as a host for C2 communications and key delivery
- [Domain] linglink.lu – used for C2 communications and key delivery
- [Hash] 34a86ec79c04b13ccb5c5279241cc3dfb6e91a48c3497703c9d757b10a8abc8c – decrypted binary
- [Hash] b7c6d3dcd962cc33cd12a21bec9a40470f9a42577a2ba89c97bd28cdc95945b5 – decrypted binary
- [Hash] d68a94343dff8444afe6208ad1377639ddd3667d28839a40c22a1e3112d1e335 – decrypted binary
- [Hash] bb9d4d127fffb12c3d386ea3671a446cf181fb03d08b20b1e9e1675f83471ec3 – decrypted binary
- [Hash] 66c4640dcdab0c746c71a3d72002791f0567379ccfea685cac05d4cde3c36926 – decrypted binary
- [Hash] 246c6637a8b514e55390468ed36b46e4e5563c08cc035723a6fbe66b54537cdb – decrypted binary
- [Hash] ca7bc3b201c71eff6f8f8cf5bd79e53116b4eeea3040789e16e09a53050e73c5 – encrypted binary (in package archive)
- [Hash] 869164886ee65add713d19ee36780f5b3c80209259bddb2667666319d78028c5 – encrypted binary (in package archive)
- [Hash] d1b8d72c450a44d27ac22a7dfc4808f0700ac03ee90c31ea6208a21664e1fd43 – encrypted binary (in package archive)
- [Hash] bbd4c83ac3b0c1c944c0bb2767e45f65b37b7ce634ae61932fbe0e2b549cdf9e – encrypted binary (in package archive)
- [Hash] ee6bfc0e1531e120a63ddd95232e9330d7cae29c43233f604736e3bf374cf48c – encrypted binary (in package archive)
- [Hash] 651c369596ae985b7b5fda53b5c8884cf4cfe273b4661495afc2d1a91e809890 – encrypted binary (in package archive)
Read more: https://blog.phylum.io/npm-emails-validator/