Monday, July 1, 2024

Malicious campaign uses npm packages to support phishing attacks

Researchers have identified another malicious use of JavaScript packages hosted in the npm registry: hosting the files needed by an automated phishing kit, or injecting a phishing page into applications that bundle the package as a component. “This discovery may be the first ‘dual use’ campaign in which a malicious open-source package supports both commodity phishing attacks and compromises of the advanced software supply chain,” researchers from security firm ReversingLabs said in a new report.

In total, the researchers identified more than a dozen packages that are part of this campaign, dubbed Operation Brainleeches. Their names mimic those of popular packages such as jquery, react, and vue, and they were uploaded to the npm registry between May 11 and June 13. The packages were downloaded about 1,000 times in total before being discovered and removed.

npm packages hosting phishing kit support files

In phase 1 of the operation, the first batch of six packages, uploaded in May, contained files that appeared to be used as part of the phishing kit infrastructure. Two of these packages, called standforusz and react-vuejs, contain the files DEMO.txt, jquery.js, jquery.min.js and package.json.

jquery.js and jquery.min.js are part of the jquery library and are widely used in JavaScript development, so these files don’t raise suspicion by their names alone. They caught the attention of ReversingLabs researchers because a scan detected code obfuscation inside them, which is rare in open-source packages.

The same malicious jquery.js file has been observed in the wild as a malicious attachment in email phishing attacks. When opened in a browser, it fetched jquery.min.js from the jsDelivr content delivery network and then dynamically built a new HTML document. The file then fetched DEMO.txt from the same location and wrote its contents into the new document.

DEMO.txt contains HTML code that mimics Microsoft.com’s login page and sends all credentials entered in the form to a remote server. The researchers also discovered another phishing page targeting Microsoft 365 credentials; it displays what appears to be a blurred document in the background with a small Microsoft login pop-up in front.

Because the same files used in these phishing attacks are all bundled into the malicious npm packages, I’m assuming the deployment automation is likely part of some phishing kit that relies on npm. “Our open-source study uncovered a very large number of similar email phishing attachments, all generated by slightly different but closely related phishing kits from the remnants of Operation Brainleeches,” the ReversingLabs researchers said. “This suggests that the modules identified in the first stage of the attack are not unique and are likely part of a broader attack orchestrated by a low-level attacker equipped with powerful, automated tools.”

npm packages used to phish users of trojanized applications

The second phase of the attack involved a different set of packages, seven of which were identified, that behaved more like the supply chain attacks previously seen on npm. Most supply chain attacks that rely on malicious npm packages target the developers or development organizations that use those packages in their projects, but these packages also target the end users of the applications that bundle them.

In essence, this was a typosquatting attack: the packages had names like jqueryoffline, vueofflinez, and jquerydownloadnew, which are variations on the names of popular frameworks and libraries. The attackers likely relied on developers inadvertently integrating these packages into their applications, and the package contents reflect that.

Unlike the phase 1 packages, these new packages contain two files, index.js and index.html, with index.js declared as the main file in the package.json metadata file. The researchers speculated that the goal in this case was to target JavaScript applications built with bundlers such as Webpack, which combine JavaScript files to create local applications that run inside a browser window.

“For application developers who are tricked into adding the jqueryoffline npm package as a dependency instead of the legitimate jquery package, Webpack compiles the necessary code and guarantees the content of the jqueryoffline index.js file, specified as the default package inside the jqueryoffline package.json file, ends up in the main.js file, which is the entry point for the Webpack-bundled application,” the researchers said.

This means that when an end user downloads and runs an application that has been trojanized in this way, it displays a fake Microsoft sign-in page that sends the captured credentials to the attacker. This attack phase is similar to another campaign ReversingLabs detected last year, called IconBurst, in which malicious npm packages were designed to steal sensitive information entered by users into forms displayed in mobile applications and websites.

When using packages from public repositories, software development organizations should be wary of the obvious signs that a package may be suspicious: new packages with unusual name variations of well-known frameworks and libraries, low download counts, unusual dependencies, and an unusual or rough version history. The use of code obfuscation within a package should also be a big red flag.
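The red flags above can be turned into an automated pre-install check. The following is an added example written for this article, not code from the article or from ReversingLabs; the popular-name list, the thresholds, the reference date and the two package records (a constructed typosquat modelled on jqueryoffline, and a constructed legitimate react-dom entry) are all assumptions, and real registry metadata would be fetched separately.

```javascript
// Added example: heuristic screening of npm package metadata for the red flags
// the article lists (lookalike names, new packages, few downloads, thin version
// history, obfuscated code). All data below is constructed for illustration.
const POPULAR = ['jquery', 'react', 'vue', 'lodash', 'express']; // assumed list

// Levenshtein distance, used to catch near-miss names such as "jqeury".
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++)
    for (let j = 1; j <= b.length; j++)
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
  return d[a.length][b.length];
}

// Obfuscation indicator: counts hex-escaped string bytes and "_0x...." identifiers,
// both typical output of JavaScript obfuscators. Threshold (20) is an assumption.
function looksObfuscated(source) {
  const hexEscapes = (source.match(/\\x[0-9a-f]{2}/gi) || []).length;
  const hexIdents = (source.match(/\b_0x[0-9a-f]{4,}\b/gi) || []).length;
  return hexEscapes + hexIdents > 20;
}

// Returns the list of red flags raised for one package record.
function assessPackage(pkg, now = Date.parse('2023-07-01')) { // assumed reference date
  const flags = [];
  const name = pkg.name.toLowerCase();
  for (const p of POPULAR) {
    if (name === p) continue;
    // "jqueryoffline"-style suffixing (no hyphen/scope) or a near-miss spelling.
    if (new RegExp(`^${p}[a-z0-9]+$`).test(name) || editDistance(name, p) <= 2)
      flags.push(`name resembles popular package "${p}"`);
  }
  const ageDays = (now - Date.parse(pkg.created)) / 86400000;
  if (ageDays < 90) flags.push(`package is only ${Math.round(ageDays)} days old`);
  if (pkg.weeklyDownloads < 100) flags.push('very low download count');
  if (pkg.versions.length <= 2) flags.push('almost no version history');
  if (looksObfuscated(pkg.mainSource)) flags.push('main file looks obfuscated');
  return flags;
}

// Constructed sample records (not real registry data).
const SAMPLES = [
  { name: 'jqueryoffline', created: '2023-06-01', weeklyDownloads: 40, versions: ['1.0.0'],
    mainSource: 'var _0x3a7b=["\\x6a\\x71\\x75\\x65\\x72\\x79"];'.repeat(10) },
  { name: 'react-dom', created: '2014-01-01', weeklyDownloads: 20000000,
    versions: Array.from({ length: 50 }, (_, i) => `18.${i}.0`),
    mainSource: 'module.exports = require("./cjs/react-dom.production.min.js");' },
];
for (const s of SAMPLES) console.log(s.name, assessPackage(s));
```

A package that raises several flags at once, as the constructed jqueryoffline record does, is a candidate for manual review before it reaches a bundler such as Webpack.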
