Popular NPM library hijacked to install password-stealers, miners


Hackers hijacked the popular UA-Parser-JS NPM library, which has millions of downloads every week, to infect Linux and Windows devices with cryptominers and password-stealing trojans in a supply-chain attack.

The UA-Parser-JS library is used to parse a browser's user agent to identify a visitor's browser, engine, OS, CPU, and device type/model.

The library is immensely popular, with millions of downloads per week and over 24 million downloads this month so far. In addition, the library is used in over a thousand other projects, including those by Facebook, Microsoft, Amazon, Instagram, Google, Slack, Mozilla, Discord, Elastic, Intuit, Reddit, and many more well-known companies.

UA-Parser-JS downloaded millions of times per week
Source: NPM-stat.com

UA-Parser-JS project hijacked to install malware

On October 22nd, a threat actor published malicious versions of the UA-Parser-JS NPM library to install cryptominers and password-stealing trojans on Linux and Windows devices.

According to the developer, his NPM account was hijacked and used to deploy three malicious versions of the library.

“I noticed something unusual when my email was suddenly flooded by spams from hundreds of websites (maybe so I don't realize something was up, luckily the effect is quite the contrary),” explained Faisal Salman, the developer of UA-Parser-JS, in a bug report.

“I believe someone was hijacking my npm account and published some compromised packages (which will probably install malware as can be seen from the diff here: https://app.renovatebot.com/package-diff?name=ua-parser-js&from=0.7.28&to=1.0.0).”

The affected versions and their patched counterparts are:

Malicious version | Fixed version
0.7.29            | 0.7.30
0.8.0             | 0.8.1
1.0.0             | 1.0.1

From copies of the malicious NPM packages shared with BleepingComputer by Sonatype, we can better understand the attack.

When the compromised packages are installed on a user's machine, a preinstall.js script checks the type of operating system running on the machine and launches either a Linux shell script or a Windows batch file.

preinstall.js script used to check operating system type
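The preinstall.js hook described above is the delivery mechanism: an install-phase lifecycle script that branches on the operating system and hands off to a shell script or batch file. The following is an added example, not code from the article or from the UA-Parser-JS project, of how a defender can triage a package before its install scripts run: it lists the install-phase hooks in a package.json and applies a few heuristics to the script they invoke. The package.json and the script text are constructed for the demo (they imitate the described pattern, nothing more), and the indicator names and thresholds are assumptions of this example.

```javascript
// Added example (not the article's or project's code): triage of a package's
// install-phase lifecycle scripts before they are allowed to run.

// npm lifecycle hooks that execute during "npm install".
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators that warrant a human look; matching them is not proof
// of malice, legitimate native-build packages trip some of these too.
const INDICATORS = [
  { name: 'os-branch', re: /process\.platform|os\.platform\(|process\.env\.OS\b/ },
  { name: 'spawns-process', re: /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/ },
  { name: 'shell-or-batch-file', re: /\.(sh|bat|cmd)\b/ },
  { name: 'remote-download', re: /https?:\/\/|\bcurl\b|\bwget\b/ },
];

// Return the install-phase hooks declared in a parsed package.json.
function listInstallHooks(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return INSTALL_HOOKS
    .filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));
}

// Return the names of every indicator whose pattern appears in the source text.
function scanScriptSource(src) {
  return INDICATORS.filter((i) => i.re.test(src)).map((i) => i.name);
}

// Combine both: for each hook, locate the .js file it runs (if any), scan that
// file's text, and flag the hook for review when two or more indicators hit.
// `sources` maps a script file name to its contents.
function triagePackage(pkg, sources) {
  return listInstallHooks(pkg).map(({ hook, command }) => {
    const file = (command.match(/([\w./-]+\.js)\b/) || [])[1] || null;
    const indicators = file && sources[file] ? scanScriptSource(sources[file]) : [];
    return { hook, command, file, indicators, review: indicators.length >= 2 };
  });
}

// Constructed sample input: a package whose preinstall script branches on the
// platform and spawns a shell script or batch file, as the article describes.
const SAMPLE_PKG = {
  name: 'demo-pkg',
  version: '0.0.1',
  scripts: { preinstall: 'node preinstall.js', test: 'mocha' },
};
const SAMPLE_SOURCES = {
  'preinstall.js': [
    "const { exec } = require('child_process');",
    "if (process.platform === 'win32') exec('preinstall.bat');",
    "else exec('sh preinstall.sh');",
  ].join('\n'),
};

for (const r of triagePackage(SAMPLE_PKG, SAMPLE_SOURCES)) {
  console.log(`${r.hook}: "${r.command}" -> ${r.file} [${r.indicators.join(', ')}]` +
    (r.review ? ' REVIEW BEFORE INSTALL' : ''));
}
```

Run this against a package's tarball contents before installing it; on the constructed sample it flags the preinstall hook with the os-branch, spawns-process and shell-or-batch-file indicators. A simpler blanket control is `npm install --ignore-scripts`, which skips lifecycle scripts entirely, at the cost of breaking packages that legitimately need them.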

If the package is installed on a Linux machine, a preinstall.sh script is executed to check whether the user is located in Russia, Ukraine, Belarus, or Kazakhstan. If the machine is not located in one of these countries, the script downloads the jsextension [VirusTotal] program from 159[.]148[.]186[.]228 and executes it.

The jsextension program is an XMRig Monero miner, which uses only 50% of the machine's CPU to avoid being easily detected.

Linux shell script to install the miner

For Windows devices, the batch file also downloads the XMRig Monero cryptominer, saves it as jsextension.exe [VirusTotal], and executes it. In addition, the batch file downloads an sdd.dll file [VirusTotal] from citationsherbe[.]at and saves it as create.dll.

Windows batch file to install the cryptominer

The downloaded DLL is a password-stealing trojan (possibly DanaBot) that attempts to steal the passwords stored on the machine.

When the DLL is loaded using the regsvr32.exe -s create.dll command, it attempts to steal passwords for a wide variety of applications, including FTP clients, VNC, messaging software, email clients, and browsers.

A list of targeted applications can be found in the table below.

WinVNC | Firefox | FTP Control
Screen Saver 9x | Apple Safari | NetDrive
PC Remote Control | Remote Desktop Connection | Becky
ASP.NET Account | Cisco VPN Client | The Bat!
FreeCall | GetRight | Outlook
Vypress Auvis | FlashGet/JetCar | Eudora
CamFrog | FAR Manager FTP | Gmail Notifier
Win9x NetCache | Windows/Total Commander | Mail.Ru Agent
ICQ2003/Lite | WS_FTP | IncrediMail
&RQ, R&Q | CuteFTP | Group Mail Free
Yahoo! Messenger | FlashFXP | PocoMail
Digsby | FileZilla | Forte Agent
Odigo | FTP Commander | Scribe
IM2/Messenger 2 | BulletProof FTP Client | POP Peeper
Google Talk | SmartFTP | Mail Commander
Faim | TurboFTP | Windows Live Mail
MySpaceIM | FFFTP | Mozilla Thunderbird
MSN Messenger | CoffeeCup FTP | SeaMonkey
Windows Live Messenger | Core FTP | Flock
Paltalk | FTP Explorer | Download Master
Excite Private Messenger | Frigate3 FTP | Internet Download Accelerator
Gizmo Project | SecureFX | IEWebCert
AIM Pro | UltraFXP | IEAutoCompletePWs
Pandion | FTPRush | VPN Accounts
Trillian Astra | WebSitePublisher | Miranda
888Poker | BitKinex | GAIM
FullTiltPoker | ExpanDrive | Pidgin
PokerStars | Classic FTP | QIP.Online
TitanPoker | Fling | JAJC
PartyPoker | SoftX FTP Client | WebCred
CakePoker | Directory Opus | Windows Credentials
UBPoker | FTP Uploader | MuxaSoft Dialer
EType Dialer | FreeFTP/DirectFTP | FlexibleSoft Dialer
RAS Passwords | LeapFTP | Dialer Queen
Internet Explorer | WinSCP | VDialer
Chrome | 32bit FTP | Advanced Dialer
Opera | WebDrive | Windows RAS

In addition to stealing passwords from the above applications, the DLL executes a PowerShell script to steal passwords from the Windows credential manager, as shown below.

Stealing stored passwords from Windows

This attack appears to have been conducted by the same threat actor behind other malicious NPM libraries discovered this week.

Researchers from open-source security firm Sonatype found three malicious NPM libraries used to deploy cryptominers on Linux and Windows devices in an almost identical manner.

What should UA-Parser-JS users do?

Due to the widespread impact of this supply-chain attack, it is strongly advised that all users of the UA-Parser-JS library check their projects for malicious software.

This includes checking for the existence of either jsextension.exe (Windows) or jsextension (Linux) and deleting them if they are found.

Windows users should also scan their machines for a create.dll file and delete it immediately.

While only Windows was infected with a password-stealing trojan, it is wise for Linux users to also assume their machine was fully compromised.

Because of this, all infected Linux and Windows users should also change their passwords, keys, and refresh tokens, as they were likely compromised and sent to the threat actor.

While changing your passwords and access tokens will likely be a huge undertaking, not doing so leaves the threat actor able to compromise other accounts, including any projects you develop, for further supply-chain attacks.
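The remediation steps above amount to two checks: whether one of the three malicious versions is present anywhere in a project's dependency tree, and whether the dropped files are present on disk. The following is an added example, not code from the article or the UA-Parser-JS project, that performs both checks against a package-lock.json and a list of file paths. The lockfile and the paths are constructed for the demo; the malicious/fixed version pairs and the file names come from the article.

```javascript
// Added example (not the article's or project's code): audit a package-lock.json
// for the malicious ua-parser-js versions and look for the dropped file names.

// Malicious version -> fixed version, as listed in the article.
const MALICIOUS = {
  '0.7.29': '0.7.30',
  '0.8.0': '0.8.1',
  '1.0.0': '1.0.1',
};

// File names the article says the malicious install scripts drop.
const IOC_FILENAMES = new Set(['jsextension', 'jsextension.exe', 'create.dll']);

// Collect every installed ua-parser-js entry with its version and location.
// Lockfile v2/v3 has a flat "packages" map keyed by path; v1 has a nested
// "dependencies" tree. When "packages" exists it already covers everything.
function findUaParserEntries(lock) {
  const found = [];
  if (lock.packages) {
    for (const [loc, meta] of Object.entries(lock.packages)) {
      if (loc.endsWith('node_modules/ua-parser-js') && meta.version) {
        found.push({ location: loc, version: meta.version });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const loc = `${prefix}node_modules/${name}`;
      if (name === 'ua-parser-js' && meta.version) {
        found.push({ location: loc, version: meta.version });
      }
      walk(meta.dependencies, loc + '/');
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// Annotate each entry with whether its version is one of the malicious ones
// and, if so, which fixed version to move to.
function auditLockfile(lock) {
  return findUaParserEntries(lock).map((e) => ({
    ...e,
    malicious: Object.prototype.hasOwnProperty.call(MALICIOUS, e.version),
    fixedVersion: MALICIOUS[e.version] || null,
  }));
}

// Return the paths whose file name matches a dropped-file name. Splitting on
// both separators lets the same check handle Windows and Linux paths.
function findIocFiles(paths) {
  return paths.filter((p) => IOC_FILENAMES.has(p.split(/[\\/]/).pop().toLowerCase()));
}

// Constructed sample lockfile: one direct malicious install, one nested fixed one.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', dependencies: { 'ua-parser-js': '^0.7.28' } },
    'node_modules/ua-parser-js': { version: '0.7.29' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/ua-parser-js': { version: '0.7.30' },
  },
};

// Constructed sample file listing, as a filesystem walk might produce it.
const SAMPLE_PATHS = [
  '/home/dev/app/node_modules/ua-parser-js/jsextension',
  'C:\\Users\\dev\\app\\node_modules\\ua-parser-js\\jsextension.exe',
  'C:\\Users\\dev\\app\\node_modules\\ua-parser-js\\create.dll',
  '/home/dev/app/node_modules/ua-parser-js/package.json',
];

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.location}@${r.version}: ` +
    (r.malicious ? `MALICIOUS, upgrade to ${r.fixedVersion}` : 'ok'));
}
console.log('dropped files found:', findIocFiles(SAMPLE_PATHS));
```

In practice, feed `auditLockfile` the parsed contents of the project's real package-lock.json and `findIocFiles` a recursive listing of the project directory; a hit on either is the signal to follow the credential-rotation advice above, since finding the files confirms the install scripts ran.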
