2 December 2020

Malicious npm packages caught distributing Bladabindi RAT

The npm security team removed two malicious npm packages laced with code that delivered the njRAT/Bladabindi Remote Access Trojan onto the computers of JavaScript and Node.js developers who imported and installed them.

The two packages, named jdb.js and db-json.js, were created by the same author and posed as the legitimate jdb and db-json libraries. They were downloaded nearly 100 times before researchers at Sonatype discovered them.

The analysis of the malicious jdb.js package revealed that it contained three files: package.json (the manifest file), module.js (an obfuscated script), and patch.exe (Windows executable containing the njRAT payload).

The package.json manifest contained within the package launched module.js as soon as the package was installed. The module.js script performs several activities, including reconnaissance of the infected machine and data gathering, and it also launches patch.exe, an njRAT dropper written in .NET.

“By infecting a host with this malware, a remote attacker gains the ability to log keystrokes, modify registry values, initiate system shutdown or restart at will, edit web browser (IE) start page, “speak” to the user via text-to-speech synthesis (via SAPI.Spvoice), kill or relaunch critical system processes like task manager, system restore, and PING, in addition to taking control of hardware devices like CD drives, monitors, mouse, keyboard, etc,” Sonatype said.

While only jdb.js contained malicious behavior, the researchers said the db-json.js package is more concerning because it is harder for both a human reviewer and automated tooling to spot immediately.

“The package “db-json.js” appears clean on a first glance as it contains functional code one would expect from a genuine JSON DB creation package. Yet, it is secretly pulling in the malicious “jdb.js” as a dependency,” Sonatype explained.
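The two mechanisms described above, an install-time hook that runs a bundled script alongside a Windows executable and a clean-looking package that pulls the malicious one in as a dependency, can both be flagged before installation by auditing a package's manifest and file list. The following is an added example written for this article, not code from Sonatype or npm; it assumes a postinstall hook was the launch mechanism (the article only says module.js ran on install) and uses constructed manifests that imitate the shape of the two packages rather than their real contents.

```javascript
// Added example: pre-install audit of an npm package manifest and file list.
// Not Sonatype's or npm's code. The sample manifests below are constructed to
// resemble the two packages described in the article, not copied from them.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const NATIVE_EXT = /\.(exe|dll|scr|bat|cmd|ps1)$/i;

// Returns human-readable findings; an empty array means nothing was flagged.
function auditPackage(manifest, files, flaggedDeps = new Set()) {
  const findings = [];
  const scripts = manifest.scripts || {};
  // 1. Lifecycle hooks run arbitrary commands during `npm install`.
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push(`lifecycle hook "${hook}" runs: ${scripts[hook]}`);
  }
  // 2. A pure-JavaScript library has no reason to ship native executables.
  for (const f of files) {
    if (NATIVE_EXT.test(f)) findings.push(`bundled native executable: ${f}`);
  }
  // 3. A clean-looking package can still pull in a known-bad dependency.
  const deps = { ...(manifest.dependencies || {}), ...(manifest.optionalDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (flaggedDeps.has(name)) findings.push(`depends on flagged package: ${name}`);
  }
  return findings;
}

// Constructed sample shaped like jdb.js: hook (assumed postinstall) plus an .exe.
const jdbLike = { name: "jdb.js", version: "1.0.0", scripts: { postinstall: "node module.js" } };
const jdbFiles = ["package.json", "module.js", "patch.exe"];

// Constructed sample shaped like db-json.js: functional code, hidden dependency.
const dbJsonLike = { name: "db-json.js", version: "1.0.0", main: "index.js",
                     dependencies: { "jdb.js": "^1.0.0" } };
const dbJsonFiles = ["package.json", "index.js"];

const flagged = new Set(["jdb.js"]);
console.log(auditPackage(jdbLike, jdbFiles, flagged));
console.log(auditPackage(dbJsonLike, dbJsonFiles, flagged));
```

Running the audit on a package's tarball contents before `npm install` (or with `--ignore-scripts` set while reviewing) surfaces all three signals without executing anything from the package.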

Web developers who installed either of the two packages should consider their systems fully compromised, the npm security team warned.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the team said. “The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”
