Hacker Installs Hidden Trojan on Windows, Grants Remote Access

Malicious Package Discovered in NPM Registry

A malicious package has been found in the NPM registry that targets Windows systems, deploying a sophisticated remote-access Trojan on the machines it infects.

On January 9, 2024, a package called “oscompatible” was published, and it was soon discovered to contain unusual binary files, according to security firm Phylum. These files include an executable, a dynamic-link library (DLL), an encrypted DAT file, and a JavaScript file.

The JavaScript file, named “Index.js”, runs the package’s Autorun.bat script after checking that it is executing on Microsoft Windows.

If the platform is not Windows, an error message is displayed informing the user that the script can only be run on Windows Server OS, not on Linux or an unrecognized operating system.

The script also checks for administrator rights and, if they are absent, launches a legitimate Microsoft Edge component, “cookie_exporter.exe”, via a PowerShell command.

Launching this binary triggers a User Account Control (UAC) prompt asking the user to run it with administrator privileges.

Once that happens, the attacker’s DLL (“Msedge.dll”) is loaded through the DLL search-order hijacking technique.

The malicious library decrypts the DAT file (“Msedge.dat”) and launches another DLL (“Msedgedat.dll”), which connects to the attacker-controlled domain “kdark1[.]com” to retrieve a ZIP archive.

The ZIP archive contains the AnyDesk remote-access software together with a Trojan (Verify.dll) that can receive instructions from the command-and-control server over WebSockets and collect sensitive information from the host.

According to Phylum, the Trojan can also install Chrome extensions by editing Secure Preferences, launch AnyDesk, hide the screen, block windows, and intercept keyboard and mouse events.
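The traits described above (native Windows binaries shipped inside an npm tarball, a JavaScript entry point gated on the platform, and code that runs at install time) are cheap to check for before a package is ever installed. The script below is an added example for this article, not code from Phylum or from the package itself: it triages an unpacked npm package directory and flags those traits. The sample package it builds is constructed to mimic the file layout reported here; the `postinstall` hook and the `process.platform` check are assumptions about how such a package would wire itself up, not details taken from the report.

```python
"""Added example (not from the original article or Phylum's tooling):
pre-install triage of an unpacked npm package directory."""

import json
import tempfile
from pathlib import Path

# File types that a pure-JavaScript package has no reason to ship.
SUSPICIOUS_EXTENSIONS = {".exe", ".dll", ".dat", ".bat", ".cmd", ".ps1"}
# npm runs these hooks automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def triage_package(pkg_dir):
    """Return a dict of findings for the package rooted at pkg_dir."""
    pkg_dir = Path(pkg_dir)
    findings = {"binaries": [], "install_scripts": {}, "platform_gate": False}

    # 1. Native binaries / batch files bundled in the package.
    for path in pkg_dir.rglob("*"):
        if path.is_file() and path.suffix.lower() in SUSPICIOUS_EXTENSIONS:
            findings["binaries"].append(str(path.relative_to(pkg_dir)))
    findings["binaries"].sort()

    # 2. Lifecycle scripts that execute code on install.
    manifest = pkg_dir / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings["install_scripts"][hook] = scripts[hook]

    # 3. A Windows-only gate in any JavaScript file. Assumption: the gate is
    #    written as a process.platform comparison against "win32".
    for js in pkg_dir.rglob("*.js"):
        text = js.read_text(errors="ignore")
        if "process.platform" in text and "win32" in text:
            findings["platform_gate"] = True

    return findings


def is_high_risk(findings):
    """Bundled binaries plus either an install hook or a platform gate
    is the combination worth blocking until a human has looked."""
    if not findings["binaries"]:
        return False
    return bool(findings["install_scripts"]) or findings["platform_gate"]


def build_sample_package(with_binaries=True):
    """Construct a throwaway package directory mimicking the reported layout.
    The binaries are empty placeholder files; nothing here is executed."""
    root = Path(tempfile.mkdtemp(prefix="npm-triage-"))
    scripts = {"postinstall": "node index.js"} if with_binaries else {}
    (root / "package.json").write_text(json.dumps(
        {"name": "sample-package", "version": "1.0.0", "scripts": scripts}))
    # Constructed stand-in for the entry point: only the platform check.
    (root / "index.js").write_text(
        'if (process.platform !== "win32") {\n'
        '  console.error("this script only runs on Windows");\n'
        '  process.exit(1);\n'
        '}\n')
    if with_binaries:
        for name in ("autorun.bat", "cookie_exporter.exe",
                     "msedge.dll", "msedge.dat"):
            (root / name).write_bytes(b"")
    return root


if __name__ == "__main__":
    sample = build_sample_package()
    result = triage_package(sample)
    print(json.dumps(result, indent=2))
    print("high risk:", is_high_risk(result))
```

In practice the directory would come from `npm pack` followed by extracting the tarball, so the check runs on exactly the bytes that would be installed. The platform-gate heuristic is deliberately crude; the point is that any one of these signals on its own is common in legitimate packages, while all three together, as in the package reported here, warrant a manual look before installation.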

While “Oscompatible” appears to be
