Iconburst's most recent attack is described as a massive and well-planned effort to spread malicious Javascript packages distributed through the open-source NPM package system.
Upon further analysis, evidence of a planned supply chain assault was found, with numerous NPM packages containing jQuery scripts created to steal data from deployed apps that use them, as per researchers.
ReversingLabs noted that the malicious packages we identified are probably used by hundreds or thousands of downstream mobile and desktop programs as well as websites, even if the full scope of this assault is still unknown. In one instance, malicious software had been downloaded more than 17,000 times.
Obfuscation used
The firm said that its analysis of the modules had found signs of coordination, with malicious modules linked to a select group of NPM publishers and recurrent patterns in the infrastructure that supported them, such as unencrypted domains.
“The revelation of a javascript obfuscator was the first trigger for our team to examine a broad variety of NPM packages, the majority of which had been released within the previous two months and utilized the stated obfuscator. It revealed more than 20 NPM packages in total. When these NPM modules are examined in greater detail, it becomes clear that they are associated with one of a small number of NPM accounts with names like ionic-io, arpanrizki, kbrstore, and aselole,” according to ReversingLabs.
Meanwhile, Checkmarx said, "Roughly a thousand unique user accounts released over 1200 NPM packages to the registry, which we found. Automation was used, which allowed for the successful completion of the NPM 2FA challenge. At this moment, this collection of packages appears to be a part of an attacker's testing."
Obfuscated malware data theft
The de-obfuscated examples underwent a thorough analysis, which showed that every one of them collects form data using jQuery Ajax methods and subsequently exploits that data to different domains controlled by malevolent writers.
To exfiltrate serialized form data to domains under the attacker's control, the malicious packages employ a modified script that extends the functionality of the jQuery ajax() function. The function verifies the URL content before transmitting the data to carry out target filtering checks.
Attack on supply chain
The NPM modules which ReversingLabs found have been downloaded more than 27,000 times in total. The attacks occurred for months before coming to attention because very few development firms can identify malicious software within open source libraries and modules.
"It is certain from the report of this study that software development businesses and their clients both require new tools and procedures for evaluating supply chain risks, such as those posed by these malicious NPM packages," researchers told.
"Applications and services are only as secure as their weakest component due to the decentralized and modular nature of application development. The attack's success—more than two dozen malicious modules were made available for download on a well-known package repository, and one of them received 17,000 downloads in just a few weeks—underscores the lax standards for application development and the low barriers that prevent malicious or even vulnerable code from exploiting IT environments and sensitive applications," ReversingLabs further added.
