Following the JumpCloud Incident, Additional Malware was Discovered in the Npm Packages

The JumpCloud supply chain is being attacked with malicious npm packages. Data theft targets cryptocurrency providers.

 


There has been a supply chain attack against JumpCloud, an IT management company known for cryptocurrency products. This attack targets a small group of its clients. Two weeks after JumpCloud announced that it had been compromised, an investigation by ReversingLabs researchers has revealed evidence of malicious npm packages connected to the same infrastructure, which also target cryptocurrency providers.

Over the past few months, researchers at ReversingLabs have discovered more than two dozen NPM packages that use form data to steal from business processes in a "coordinated supply chain attack." As a dependency installer, Node Package Manager can install dependencies for JavaScript and Node.js runtime environments. 

Designers were tricked into downloading malicious packages through typo-squatting, a subtle but intentional misspelling of popular software repositories, in the SolarWinds-style attack dubbed IconBurst. 

The researchers report that the supply chain attack was successful, as one malicious NPM package has been downloaded more than 17,000 times out of 100,000 possible downloads. Even though developers used these malicious packages as a launchpad for their attacks, the final targets were end users' data.

ReversingLabs has discovered several additional npm packages linked to the same malicious campaign. ReversingLabs Reverse Engineer Karlo Zanki says that one of the components uploaded to the npm project on July 11 has ties to a supply chain attack first identified by Phylum on June 23 that is regarded as a possible precursor to the JumpCloud attack. The Phylum team has since published an additional blog post about this package, as well as other packages in bitcoin-api-node.

A few days after the packages were posted on npm, all of them were removed from the repository, perhaps of their own accord. One possible reason is to reduce the likelihood of the malicious npm packages being detected once they have been integrated into target applications or environments.

The Popular NPM Packages are Typo-Squatted


ReversingLabs has discovered that the threat actors are distributing malicious NPM packages disguised as legitimate JavaScript libraries. It is believed that they exploited the typo-squatting technique, which uses common misspellings of legitimate package names to trick developers into installing malware-infected libraries. The attackers targeted high-traffic NPM packages, such as the popular Umbrellajs JavaScript library for manipulating the document object model (DOM), which was used by most users.

As Zanki reports, the npm-audit [dot] com domain is being used for communication between the btc-api-node package and the npm site. A GitHub alert issued on July 18 named a domain that was used as part of the command and control infrastructure for malicious packages used in the JumpCloud attack. GitHub warned of a low-volume social engineering attack targeting the personal accounts of employees of tech companies.

GitHub has identified the npmaudit.com domain as an indicator of compromise (IOC), along with domains that Phylum identified as malicious in its June alert.

There seems to be a mixture of high-touch and low-touch campaigns in the supply chain attacks being discussed, just like the Operation Brainleeches npm compromise reported a few weeks ago. In some cases the attackers made hardly any effort to make the malicious packages they inserted appear legitimate. In other cases, attackers put more effort into convincing would-be developers that the malicious packages were trustworthy.

As part of Zanki's efforts, he modified the package metadata and added legitimate npm user accounts to the package authorship for the package(s), he explained.  Before this posting, the Bitcoin API Node package btc-api-node was no longer available to install. 

The researchers at ReversingLabs, however, already concluded while this package was still available that it had a lot in common with a legitimate npm module called bitfinex-api-node, which, as described by its developer, is a reference implementation of the Bitfinex API for Node.js. With this API, users can interact with some of the Bitcoin exchanges that offer services through Bitfinex.

When the btc-api-node package's post-install script runs, it starts index.js. Values in the index.js file are Base64-encoded to obscure them. The script sets environment variables so that SSL/TLS verification is ignored on the system running the package.

According to Phylum's analysis of the subject matter, that could be an attempt to force HTTP requests to be made within corporate networks that have implemented their root certificates. This could be done by using proxy servers instead of relying on external public key infrastructure. 

This package also creates a folder on the system where it is installed. Once the folder is created, a file is downloaded from hxxps://npmaudit.com/api/v4/init and stored in that directory. The folder names seem to vary depending on the package; in this package, the directory and subdirectory are named .electron.

The file acts as a token on a compromised system, signifying the presence of stage 2 malware and that the system is open to receiving the malware without being detected. (Phylum has provided a list of them in their analysis.)
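The install-time behaviour described above (an install hook launching index.js, Base64-encoded values, TLS verification switched off, contact with npmaudit.com) can be checked statically before a package is installed. The following is an added example, not code from ReversingLabs, Phylum or the original post; `auditPackage`, the rule names and the sample package are constructed for illustration, and `NODE_TLS_REJECT_UNAUTHORIZED` is assumed as the indicator because the post does not name the variable.

```javascript
// Added example (not from the article): static audit of one npm package.
const IOC_DOMAINS = ['npmaudit.com']; // domain named in the article
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
// Assumption: Node.js's switch for skipping certificate checks is the indicator.
const TLS_OVERRIDE = 'NODE_TLS_REJECT_UNAUTHORIZED';

// Decode Base64-looking string literals so hidden names and URLs become searchable.
function decodeBase64Literals(source) {
  const decoded = [];
  for (const m of source.matchAll(/['"`]([A-Za-z0-9+\/]{16,}={0,2})['"`]/g)) {
    const text = Buffer.from(m[1], 'base64').toString('utf8');
    if (/^[\x20-\x7e]+$/.test(text)) decoded.push(text); // printable results only
  }
  return decoded;
}

// manifest: parsed package.json; files: { relativePath: sourceText }
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!scripts[hook]) continue;
    findings.push({ rule: 'install-hook', detail: `${hook}: ${scripts[hook]}` });
    // Follow "node <file>.js" to the script the hook launches, if we have it.
    const target = (scripts[hook].match(/\bnode\s+(?:\.\/)?([\w.\/-]+\.js)/) || [])[1];
    const source = target && files[target];
    if (!source) continue;
    const decoded = decodeBase64Literals(source);
    const haystack = [source, ...decoded].join('\n');
    if (haystack.includes(TLS_OVERRIDE))
      findings.push({ rule: 'tls-verification-override', detail: target });
    for (const domain of IOC_DOMAINS)
      if (haystack.includes(domain)) findings.push({ rule: 'ioc-domain', detail: domain });
    for (const text of decoded) findings.push({ rule: 'base64-literal', detail: text });
  }
  return findings;
}

// Constructed sample: inert string constants that mimic the described pattern.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');
const sampleManifest = { name: 'example-pkg', scripts: { postinstall: 'node index.js' } };
const sampleFiles = {
  'index.js': `const k = "${b64(TLS_OVERRIDE)}";\n` +
              `const u = "${b64('https://npmaudit.com/api/v4/init')}";\n`,
};
console.log(auditPackage(sampleManifest, sampleFiles));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running while a flagged package is reviewed.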

Campaign to exfiltrate data aggressively


It has been found that malicious NPM packages are meant to harvest sensitive information from mobile applications and websites embedded with forms that collect sensitive data. To begin with, the threat actors opted to follow a conservative approach when it came to the exfiltration of the data from web pages. The NPM packages injected with malicious code have since become more aggressive in their approach to extracting data.

ReversingLabs warns that most software development companies are unable to detect unauthorized code hidden within open-source libraries. It was as a result of this investigation that ReversingLabs researchers reported to the NPM security team to remove the malicious NPM repositories. 

This ensures the software supply chain remains secure. To further assist organizations to identify possible malicious packages in their applications, the authors have also published a list of indicators of compromise (IoCs), including exfiltration domains, to be used to identify instances of compromise. 

Taking Action in response to the Threat


JumpCloud's analysis shows that the scope of the supply chain attack on that organization was small: just a small number of accounts that, by JumpCloud's attribution, were associated with the cryptocurrency industry. Although the attack lasted longer than the last time, it suggests that other organizations could have been targeted.

This is due to the more significant number of malicious packages and the extended timeline. Furthermore, the malicious actors responsible for the attacks have taken steps to minimize exposure to the public. This includes quickly removing the offending packages from the NPM repository. 