Massive threat campaign strikes open-source repos, Sonatype spots new CursedGrabber malware

Sonatype’s deep dive research allowed to identify a new family of Discord malware called CursedGrabber.

Sonatype has discovered more malware in the npm registry which, following our analysis and multiple cyber threat intelligence reports, has led to the discovery of a novel and large scale malware campaign leveraging the open-source ecosystem.

The malware called “xpc.js” was spotted on Friday by our Nexus Intelligence research service which includes next generation machine learning algorithms that automatically detect potentially malicious activity associated with open source ecosystems.

This follows on the heels of last week’s news when Sonatype’s Nexus Intelligence engine and it’s release integrity algorithm discovered discord.dll: the successor to “fallguys” malware and 3 other components. Since launching Release Integrity out of beta on Oct. 7 this year, our Nexus Intelligence service has discovered five malicious components. 

It is worth noting xpc.js was published to npm by the same author luminate_ aka Luminate-D who is also behind additional malware discovered last week: discord.dll, discord.app, wsbd.js, and ac-addon.

Sonatype’s deep dive research analysis has concluded both “xpc.js” and malicious components identified last week are part of a newly identified family of Discord malware called CursedGrabber.

What is xpc.js and what does it do?

xpc.js is not a JavaScript file but the name of the malicious npm component itself.

The component exists as a tar.gz (tgz) archive with just one version 6.6.6 (likely a pun) and was published to npm registry around November 11, 2020.

xpc.js has scored just under a 100 downloads as Sonatype discovered it almost immediately after the author published it. 

The NodeJS files it includes have a very similar structure to malware reported by Sonatype last week: discord.app, wsbd.js and ac-addon. 

Sonatype security researcher Sebastián Castro who analyzed xpc.js explains:

“The malware targets Windows hosts. It contains two EXE files which are invoked and executed via ‘postinstall’ scripts from the manifest file, ‘package.json’.”

The manifest file package.json contained within “xpc.js”

The npm component’s manifest file launches lib.js which has just two lines of code, shown below. This is where the EXEs that Castro refers to are invoked.

require(‘child_process’).exec(‘lib.exe’);

require(‘child_process’).exec(‘lib2.exe’);

The  “lib.exe” and “lib2.exe” bundled within the “xpc.js” package itself are Discord information stealing malware written in C# and compressed together with Fody-Costura. 

“These two PE32 files were forged with Fody-Costura,” states Castro.

Both executables have references to, or rather assert they are based on “CursedGrabber” information stealing Discord malware.

• Lib.exeMuch like other Discord malware, lib.exe reads roaming user profiles from multiple web browsers along with Discord leveldb files, steals Discord Tokens, and sends user data via a webhook to the attacker.
  
  It is worth noting, at the time of writing the webhook used by lib.exe is still active and a potential Indicator of Compromise (IOC) to watch out for:
  
  https://discordapp[.]com/api/webhooks/769943162193707098/jacVRUcz9zBrsstbdIzhzGoRCvfbz3J9BOk8bV5UA_DpUKMtEW3KULQA2q2mBMqjmmsh

Image: Discord webhook used by lib.exe still up and running

“lib.exe” was also caught mapping user’s payment card details and billing information, in addition to other sensitive data.

Lib.exe retrieving payment information in addition to Discord tokens and web browser files

In our tests, we noticed lib.exe was stealthy. For example, in certain VM environments it would not perform its malicious activities until after a few minutes had elapsed, to evade analysis by bots and researchers alike.

• lib2.exe is a dropper that downloads yet another file, a malicious ZIP archive whose name/location is provided by a hardcoded webhook.
  
  Once again, the Discord webhook is up and running at the time of writing:
  https://discord[.]com/api/webhooks/770716126988599316/o7GXYebuPQzx7RQFUD4cTOPMq2gGicypOMyNpFVQsIb9qyVW2bgZ4MMT6c7jvGEDO5Y6
  
  The archive “lib2.exe” downloads and unzips a Discord attachment called: bundle-5.0.5.zip.

This archive contains 34 DLLs, and 2 EXEs.

The EXEs are launched automatically by lib2.exe itself as shown by the process tree below. These include “osloader.exe” and “winresume.exe”

lib2.exe is a dropper which downloads and unzips an archive and further spins up osloader.exe and eventually winresume.exe

The winresume binary is a tainted version of the legitimate winresume.exe application that helps Windows computers resume after periods of hibernation. Again, this is part of malware’s evasive tactics to forge legitimate binaries with malicious code.

Here’s how the malware execution sequence would appear to a Windows user:

The “Windows NT is not supported” message shown in the screenshot, however, is a false error thrown by the malware in an attempt to fool both antivirus products and the end-user.

“The malware dropped by lib2.exe contains advanced, multiple capabilities, such as, privilege escalation, keylogging, taking screenshots, planting backdoors, accessing webcam, etc.,” explains Castro.

We also noticed the backdoor spun up by the CursedGrabber malware had a REST API running on port 20202 on an infected machine for easy command-and-control (C2) access:

Low detection rate

A worrisome finding is some crucial binaries contained in this malware have a low detection rate:

For example, osloader.exe that fires up a bunch of malicious processes had such a low detection rate on VirusTotal that just about 2% antivirus engines today would be able to spot it:

Likewise, Backdoor.dll and BackdoorApi.dll binaries tainted with CursedGrabber have zero or low detection rates too.

All Discord malware identified thus far, both by Sonatype and external members of the security community execute nearly the same tasks: steal Discord tokens and sensitive user data.

And yet, there are differences in virtually every single Discord malware sample—including samples created by the same author to perform identical tasks. 

For example, the npm author ~luminate_ who had published discord.app, wsbd.js, ac-addon, and finally this xpc.js has made each of these packages drop a different CursedGrabber strand.

The dropped binaries perform nearly identical tasks—some to a greater degree than others, but the differences between them seem intentional, to make detection harder.

More Discord malware to strike open-source ecosystem

The timing of Sonatype’s discovery of npm malware last week, including the latest xpc.js npm component of the CursedGrabber malware family roughly coincides with Netskope’s discovery of TroubleGrabber Discord malware family which spreads via GitHub.

TroubleGrabber, which leverages GitHub to spread, is based off of yet another C# Discord malware AnarchyGrabber. It comprises around 2,000 file hashes and over 700 Discord addresses, making detection increasingly challenging by the day.

In our recent state of the software supply chain report, we documented a 430% increase in malicious code injection within OSS projects – or next-gen software supply chain attacks, and this isn’t the first time we have seen attacks including counterfeit components. 

Discovery of yet another family of counterfeit components, especially after “Discord.dll” malware had already made headlines, speaks to the damage that is possible to your software supply chain if adequate protections are not in place.

Sonatype is tracking CursedGrabber malware including npm’s xpc.js as Sonatype-2020-1096, Sonatype-2020-1097, and Sonatype-2020-1109.

More Sonatype identifiers may be assigned as more samples in the wild are identified.

Timeline:

Sonatype’s timeline related to the malicious package’s discovery and reporting is as follows:

• November 9th, 2020: Suspicious package `wsbd.js` is picked up by our automated malware detection system. While manually analyzing the package, 3 other packages that seem suspicious are revealed lurking in ~luminate_’s npm portfolio.
  
  Although suspicious components can be automatically quarantined, our Security Research team immediately adds the packages to our data assigning them identifiers: sonatype-2020-1096,  sonatype-2020-1097.
  
• November 9th, 2020: npm team is notified the same day of malicious packages, and public disclosure is made via blog post. Npm team shortly removes all 4 malicious packages.
  
• November 11th-12th, 2020: Roughly 2 days later, ~luminate_ publishes “xpc.js”
  
• November 13th, 2020: This new “xpc.js” malware is yet again picked up by our automated malware detection system. It is entered into our data as Sonatype-2020-1109 and the npm team is simultaneously identified. Malware is taken down by npm within a few hours of our report.
• November 16th, 2020: Full public disclosure on CursedGrabber

Based on the visibility we have, no Sonatype customers have downloaded “xpc.js” and our customers remain protected against counterfeit components like CursedGrabber.

Sonatype’s world-class open source intelligence, which includes our automated malware detection technology, safeguards your developers, customers, and software supply chains from infections like these.

If you’re not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype’s free Nexus Vulnerability Scanner to find out quickly.

Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive Nexus Intelligence Insights hot off the press.

Indicators of Compromise (IoCs) are available in the original report published by Ax Sharma:

https://blog.sonatype.com/npm-malware-xpc.js

About the author: Ax Sharma

Endorsed an Exceptional Talent (‘a recognized leader’) in technology by the British Government, Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets like Fortune, The Register, TechRepublic, CSO Online, BleepingComputer, etc. Ax’s expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CursedGrabber malware)

[adrotate banner=”5″]

[adrotate banner=”13″]