Ethical Hacking News
A malicious package on the npm registry has been found to secretly deploy Quasar RAT, an open-source remote access trojan. The case underscores why developers must vet open-source dependencies, and in particular anything they run at install time, before pulling them into their environments.
Malicious actors are exploiting trust in open-source software by publishing packages on popular registries such as npm. One such package, ethereumvulncontracthandler, poses as a vulnerability detector for Ethereum smart contracts but drops the Quasar RAT malware instead. It was published on December 18, 2024, has been downloaded 66 times, and is heavily obfuscated to resist analysis. On execution it fetches a second-stage payload from a remote server, after which Quasar RAT establishes persistence and exfiltrates information. A related study shows that fake GitHub stars are being used to inflate the apparent popularity of repositories, another way the open-source software supply chain is being manipulated.
Malicious actors have been exploiting the trust placed in open-source software by publishing packages on popular repositories such as npm (Node Package Manager) to secretly deploy malicious payloads. One of these packages masquerades as a library for detecting vulnerabilities in Ethereum smart contracts but actually deploys an open-source remote access trojan, Quasar RAT, onto the systems of developers who install it.
The discovery was made by cybersecurity researchers who analyzed the ethereumvulncontracthandler package, published on npm by a user named "solidit-dev-416" on December 18, 2024. As of the time of writing, the package remains available for download and has been downloaded 66 times. The code is heavily obfuscated through multiple layers, including Base64 and XOR encoding and minification, designed to resist analysis and detection, which makes its true behaviour hard to spot by inspecting the source.
Rather than detecting anything, the package retrieves and executes a second-stage payload from a remote server, "jujuju[.]lat", by running PowerShell commands. The second stage deploys Quasar RAT, which establishes persistence through Windows Registry modifications and contacts a command-and-control (C2) server to receive further instructions.
Through the C2 channel, Quasar RAT can gather and exfiltrate information from infected machines. The same channel lets the operator catalogue infected hosts, manage many compromised systems at once if the campaign is run as a botnet, and have the implants check in regularly for updated instructions and further exploitation.
The deployment of Quasar RAT via the ethereumvulncontracthandler package underscores the importance of rigorous defenses and continuous vigilance over the open-source packages a project pulls in. It also shows how attackers hide malware behind a plausible-looking security tool so that it draws no suspicion.
Furthermore, this discovery brings into focus a related issue that researchers have been studying: fake stars on GitHub. Malicious actors and bot accounts use them to artificially inflate the popularity of repositories that pose as pirated software, game cheats, or cryptocurrency bots. The study found nearly 4.5 million suspected fake stars, spread across over 1.32 million accounts and about 22,915 repositories.
This scale of star inflation has significant implications for the open-source software supply chain. It shows how easily the ecosystem's trust signals can be manipulated, and why a star count should be treated with skepticism rather than used on its own as a measure of a project's legitimacy.
In conclusion, the Quasar RAT case demonstrates the importance of staying alert to threats that hide behind seemingly legitimate tools. It also underscores the need for the security community to monitor registries and platforms such as npm and GitHub for abuse, and for developers to take proactive measures to defend themselves against such activity.
Related Information:
https://thehackernews.com/2025/01/malicious-obfuscated-npm-package.html
https://mahdiabbastech.medium.com/quasar-rat-common-malware-used-by-several-state-sponsored-cyber-threat-actors-b3167ac575da
https://www.immersivelabs.com/blog/apt10-quasar-rat-analysis
Published: Thu Jan 2 03:32:34 2025 by llama3.2 3B Q4_K_M