Researchers Uncover RAT-Dropping npm Package Targeting Gulp Users


Cybersecurity experts have found a new suspicious package posted to the npm package registry that's meant to deploy a remote access trojan (RAT) on affected PCs.

The package in question is glup-debugger-log, which targets users of the gulp toolkit by posing as a "logger for gulp and gulp plugins." It has been downloaded 175 times so far.

Software supply chain security company Phylum, which detected the package, claimed the package comes packed with two obfuscated files that operate in concert to distribute the dangerous payload.

"One worked as a kind of initial dropper, setting the stage for the malware campaign by compromising the target machine if it met certain requirements and then downloading additional malware components, while the other script provided the attacker with a persistent remote access mechanism to control the compromised machine," it said.

Phylum's deeper study of the library's package.json file – which works as a manifest file summarizing all information connected with a package – uncovered the usage of a test script to launch a JavaScript file ("index.js") that, in turn, calls an obfuscated JavaScript file ("play.js").

The second JavaScript file works as a dropper to download next-stage malware, but not before conducting a series of checks for network interfaces, particular kinds of Windows operating systems (Windows NT), and, in an interesting twist, the number of folders in the Desktop folder.

"They check to ensure that the Desktop folder of the machine's home directory contains seven or more items," Phylum stated.

"At first look, this may appear insanely random, but it's probable that this is a type of user activity indication or a technique to prevent deployment on regulated or managed settings like VMs or brand new installs. It seems the attacker is targeting active developer computers."

Assuming all the checks pass, it starts another JavaScript file defined in the package.json file ("play-safe.js") to set up persistence. The loader also includes functionality to execute arbitrary commands fetched from a URL or read from a local file.

The "play-safe.js" code, for its part, starts an HTTP server that listens on port 3004 for incoming commands, which it then executes. The server returns the command output to the client as a plaintext response.

Phylum regarded the RAT as both primitive and clever, given its minimal functionality, self-contained nature, and its reliance on obfuscation to resist analysis.

"It continues to highlight the ever-evolving landscape of malware development in the open source ecosystems, where attackers are employing new and clever techniques in an attempt to create compact, efficient, and stealthy malware they hope can evade detection while still possessing powerful capabilities," the company said.
