BetaIT-Hub is in early access — your feedback helps us improve. Use the chat or email [email protected]

News Vulnerability
VulnerabilitySANS ISC·13d ago

Cross-Platform NPM Stealer, (Fri, May 22nd)

I found a Node.js stealer that looked pretty well obfuscated. The file was not running out-of-the-box because it was uploaded on VT as extracted-decoded.js (and reformated). The SHA256 is 049300aa5dd774d6c984779a0570f59610399c71864b5d5c2605906db46ddeb9[ 1 ]. It did not run properly in a sandbox so only a static analysis was performed. The key point is that it is a cross-platform stealer targeting Windows (WSL), macOS and Linux. Good news for us, only the wrapper that is responsible for the execution is obfuscated but the malicious payloads are embedded in plain text! The obfuscation technique looks typical to the code produced by obfuscation.io[ 2 ]. We are facing a very long array of small Base64-encoded strings: function c() { const t8 = [ W54gaGuj , pSkByhzh , WRT/WPThyG , CSomW6OXWQG , WO7dIuVcTaq , AYb2Axm , WPT3WPJdLmkS , WPTNeuWa , hCkIW64XW7C , W47cM0tcObS , WPKbWOKfW74 , W6JdNCkDWRe+ , W53dLuxcP3u , WRTUc8ocW4W , ysiSica , wCo4oser , tSkAW5v3ca , W54XaKvz , W7nTe8ooW7a , W4BcSSo/FLi , W6HvW7i+FG , W5iBabul , F8oQW4JcVCku , W5ldPCkKbcy , W6ddQcdcNq0 , Aw5Niha , Dcy9W5dcVq , C8o/eqBcHW , id0GBMu , W5FcISkyW4FcJG , WR1ieSotW4y , wSoqq8o1da , B3jKvMe , icDmB2m , uSkgW4qZiq , WO7cMSkoW7zX , W5HxW6OnW7S , W4SBWRHwW7e , zwa3W5dcOG , W4PCW79DW6a , omkrngXB , xmkVCWeJ , nCoEWQ1WWR0 , WRNcH3vwCG , W7lcTSoUCq8 , rM9sWR/cPW , W4ZcKbxcUIC , DgGGDg8 , WR7dK8kpWROP , fmo7j1et , id09psa , vSo4Cx4n , iIWImJq , WRrixrpcJq , u29JA2u , ve9swsW , WRBdHH3dUa0 , W5RcKLpdTuW , u3ruyKK , WOVcLSowW4RcPG , BwuGzgK , ugf0AdO , W63cJ3Kmaa , WPVdRCk1bti , DwrVige , C8k2WQxcTh0 , igvUDhi , tmkSl1Ld , qqvnW4pcMa , WPNdGahdO0i , nmkQWRNdPNa , WQD8qmodW6G , W4NdK8oBW5pdQq , quFcOmoQWRe , Cbyarmkq , tmkoWQHU , ewb8W4eF , vcCOWOPc , WRtdQc3dIrW , WQXIrSoqW5q , kcDqCM8 , imkUWQtcPxC , bmooW7q6hW , ... Other small functions are low-level decoders that perform a lot of arithmetic operations. There are three main payloads that all have their own purpose: The first one is a browser credential stealer. It supports: Chrome, Brave, Edge, Opera, Opera GX, Vivaldi, Kiwi, Yandex, Iridium, Comodo Dragon, SRWare Iron, Chromium, AVG Browser. const localAppDataBase = `/mnt/c/Users/${windowsUsername}/AppData/Local`; const browserRelativePaths = [ Google/Chrome/User Data , // Chrome BraveSoftware/Brave-Browser/User Data , // Brave AVG Browser/User Data , // AVG Browser Microsoft/Edge/User Data , // Edge Opera Software/Opera Stable , // Opera Opera Software/Opera GX , // Opera GX Vivaldi/User Data , // Vivaldi Kiwi Browser/User Data , // Kiwi Yandex/YandexBrowser/User Data , // Yandex Iridium/User Data , // Iridium Comodo/Dragon/User Data , // Comodo SRWare Iron/User Data , // SRWare Chromium/User Data // Chromium\n ]; The malware also looks for interesting wallet Chrome extensions: const wps = [ nkbihfbeogaeaoehlefnkodbefgpgknn , ejbalbakoplchlghecdalmeeeajnimhm , acmacodkjbdgmoleebolmdjonilkdbch , bfnaelmomeimhlpmgjnjophhpkkoljpa , ibnejdfjmmkpcnlpebklmnkoeoihofec , egjidjbpglichdcondbcbd

Sign in to read the full article

Create a free account to access all news, downloads, and community features

Sign inCreate account

Originally published by SANS ISC

Source: https://isc.sans.edu/diary/rss/33006

This article is shared for informational purposes. All rights belong to the original author and publisher. If you are the copyright holder and would like this content removed, please contact us.

Shared on IT-Hub by admin