2 December 2020

Malicious npm packages caught distributing Bladabindi RAT


The npm security team has removed two malicious npm packages whose code delivered the njRAT/Bladabindi remote access trojan to the machines of JavaScript and Node.js developers who installed them.

The two packages, jdb.js and db-json.js, were published by the same author and imitated the names of the legitimate jdb and db-json libraries. Together they were downloaded nearly 100 times before researchers at Sonatype discovered them.

Analysis of the malicious jdb.js package showed that it contained three files: package.json (the manifest), module.js (an obfuscated script), and patch.exe (a Windows executable carrying the njRAT payload).

The package.json manifest declared an install-time script that launched module.js as soon as the package was installed, with no action required from the developer beyond running the install. The module.js script performs reconnaissance and data gathering on the infected machine and then launches patch.exe, an njRAT dropper written in .NET.

“By infecting a host with this malware, a remote attacker gains the ability to log keystrokes, modify registry values, initiate system shutdown or restart at will, edit web browser (IE) start page, ‘speak’ to the user via text-to-speech synthesis (via SAPI.Spvoice), kill or relaunch critical system processes like task manager, system restore, and PING, in addition to taking control of hardware devices like CD drives, monitors, mouse, keyboard, etc,” Sonatype said.

Although only jdb.js carried the malicious code itself, the researchers consider db-json.js the more concerning of the two, because it is harder for both a human reviewer and automated tooling to spot.

“The package ‘db-json.js’ appears clean on a first glance as it contains functional code one would expect from a genuine JSON DB creation package. Yet, it is secretly pulling in the malicious ‘jdb.js’ as a dependency,” Sonatype explained.

Developers who installed either of the two packages should treat their systems as fully compromised, the npm security team warned.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the team said. “The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”
