Attackers open a reverse shell: This payload is a reverse shell that uses the ssh2 client functionality from the original ethers-provider2 to establish an SSH connection to an attacker-controlled server. The ethers-provider2 ssh client code is modified to listen for certain messages from the server and turn into a reverse shell, meaning the server can send commands to the client to be executed locally on the victim machine, which then acts as a remote shell for the attackers.

The ethers-providerz package is very similar to ethers-provider2, but its earlier versions reveal that the attackers experimented with different approaches before landing on the current implementation. For example, in one of those earlier versions the attackers tried to patch files from a package called @ethersproject/providers.

Also, the additional file loader.js, which contains the download code for the third-stage payload, is created in the node_modules folder, where all npm packages usually reside. The interesting part is that there is a legitimate npm package called loader.js that has over 24 million downloads and 5,200 dependent applications. If this package is already present locally, the malware will patch it. If it is not, it will impersonate it.

“While not as common as infostealers on the npm platform, downloaders are far from uncommon and are frequently encountered,” the ReversingLabs researchers said. “However, this downloader is notable because of the exceptional strategies employed by the attackers to hide the malicious payload it delivered. These evasive techniques were more thorough and effective than we have observed in npm-based downloaders before.”
Detection and mitigation: The problem is that if the ethers-providerz and ethers-provider2 packages are removed, the malicious functionality they injected into the legitimate ethers package still remains. Because of this, the ReversingLabs researchers created a YARA scanning rule that can help security teams and developers check whether the locally installed instance of the ethers package has malicious code injected into it.

Moreover, after completing their initial research, the researchers found additional packages that were likely connected to the same malicious campaign: reproduction-hardhat and @theoretical123/providers. While all of these packages have been removed from npm, they also need to be removed from local installations wherever they were ever deployed.

The ReversingLabs team has published a list of indicators of compromise, such as file hashes for the different versions of these malicious packages, which can help security teams create scanning rules.
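Because removing the dropper packages does not undo the patch to the legitimate ethers package, a local integrity check complements the hash-based IoCs and the YARA rule mentioned above. The following is an added example, not code from ReversingLabs or the article: it records SHA-256 hashes of every file in a trusted ethers install, then reports files that were modified, files added to the package, and a bare loader.js sitting in the node_modules root (a legitimate loader.js package would be a directory there). The node_modules tree, file names and contents are constructed inside a temporary directory purely for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(node_modules: Path, package: str) -> dict:
    """Record the hash of every file in a freshly installed, trusted package."""
    pkg_dir = node_modules / package
    return {p.relative_to(node_modules).as_posix(): sha256_file(p)
            for p in pkg_dir.rglob("*") if p.is_file()}

def scan_node_modules(node_modules: Path, manifest: dict) -> list:
    """Report drift from the manifest plus a stray loader.js beside the packages."""
    findings = []
    stray = node_modules / "loader.js"  # packages live in directories, not bare files
    if stray.is_file():
        findings.append("stray file outside any package: loader.js")
    for rel, expected in manifest.items():
        path = node_modules / rel
        if not path.is_file():
            findings.append(f"missing: {rel}")
        elif sha256_file(path) != expected:
            findings.append(f"modified: {rel}")
    for pkg in {rel.split("/", 1)[0] for rel in manifest}:
        for path in (node_modules / pkg).rglob("*"):
            rel = path.relative_to(node_modules).as_posix()
            if path.is_file() and rel not in manifest:
                findings.append(f"unexpected file: {rel}")
    return sorted(findings)

def demo() -> list:
    """Constructed node_modules tree: hash a clean 'ethers' install, then alter it
    the way the article describes (patched package file, stray loader.js)."""
    with tempfile.TemporaryDirectory() as tmp:
        nm = Path(tmp) / "node_modules"
        lib = nm / "ethers" / "lib"
        lib.mkdir(parents=True)
        (lib / "provider.js").write_text("module.exports = {};\n")
        manifest = build_manifest(nm, "ethers")
        assert scan_node_modules(nm, manifest) == []  # clean baseline is quiet
        (lib / "provider.js").write_text("module.exports = {};\nrequire('./extra');\n")
        (lib / "extra.js").write_text("// file the package never shipped\n")
        (nm / "loader.js").write_text("// stray file in the node_modules root\n")
        return scan_node_modules(nm, manifest)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The manifest must come from a trusted install (for example a fresh extraction of the registry tarball in a clean environment), since a manifest built after infection would bless the injected code.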
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3855530/malicious-npm-packages-found-to-create-a-backdoor-in-legitimate-code.html