Key Points
Introduction
Developers in the cryptocurrency sphere are being targeted once again, as yet another threat actor has been exposed. This user has been publishing malicious NPM packages with the purpose of exfiltrating sensitive data such as source code and configuration files from the victim’s machines.
The threat actor behind this campaign has been linked to malicious activity dating back to 2021. Since then, they have continuously published malicious code.
The latest batch of activity occurred in August, and was published by Phylum.
In this report, we will show new packages and IOCs related to this attacker. It's important to note that we don't just have a malicious package problem; we have an adversary problem. Only by learning attacker tactics, techniques, and procedures (TTPs), can we set up proper defenses against future attacks.
A Deep Dive Into Code
Each of the official packages used by this threat actor was designed to execute automatically upon installation. Each package contained three files - package.json, preinstall.js, and index.js. The attack flow is as follows:
The packages are tied to the cryptocurrency domain further solidifying their financial motives, with clear references to entities like CryptoRocket and Binarium.
Hunting down "lexi2" activity
A deeper investigation revealed a consistent metadata attribute: the "author" field in the package.json file citing "lexi2" as the author"lexi2" as the author.
Maintaining a comprehensive data pool of all open-source packages that span different open-source repositories is critical to understanding not only the attacker, but also their evolving Tactics, Techniques, and Procedures (TTPs). Leveraging this resource, we cross-referenced "lexi2" and other code-specific attributes against dozens of additional malicious packages within our database. Our database analysis indicated that "lexi2" has been associated with malicious packages dating as far back as 2021
Addressing the Adversary Problem
We need to understand that when dealing with threat actors and especially APTs, just reporting and removing packages won’t be enough to stop them, we need as an industry to move up the “Pyramid of pain” to stop APT attackers.
We have developed a YARA rule to aid in identifying, and preventing, the execution of the malicious scripts used in this infostealer campaign.
This rule, along with a continuously updated collection of threat detection signatures, can be found in our repository at os-scar/yara-signatures.
Conclusion
The cryptocurrency sector remains a hot target, and it's important to recognize that we're not just grappling with malicious packages ,but also persistent adversaries whose continuous and meticulously planned attacks date back months or even years.
Reactive countermeasures of deleting the most recent batch of malicious packages offer only temporary relief and don't get to the root of the problem. Protection against these unrelenting threats requires a more sophisticated strategy.
Sharing metadata and tracking attackers is an essential component of this broader security approach. It goes beyond short-term fixes and delves into the ongoing monitoring and analysis of attacker behavior and patterns. Collaboration and intelligence sharing within the cybersecurity community can enhance our defenses, making the ecosystem more resilient to future attacks.
If you need any of these packages, feel free to contact us directly at: [email protected].
Packages
The full list of packages can be found in the following link:
https://gist.github.com/masteryoda101/01eee19e50054733dcde5b7364949550
IOCs
Yehuda is a security researcher at Checkmarx and has a passion for making cyberspace a safer place to live and work. Prior to Checkmarx, he served as an information system security officer for the Lockheed Martin F-35 program, and assisted in developing the Cyber Defense strategy for Israel’s Air Force, the IAF. Yehuda currently holds numerous cyber certifications including CISSP and CCSP. During his free time he also employs his expertise to help people and non-profit organizations share their stories with the world through audio and visuals. Yehuda’s hobbies include creating music, producing films, traveling, and strategy board games.
Yehuda is a security researcher at Checkmarx and has a passion for making cyberspace a safer place to live and work. Prior to Checkmarx, he served as an information system security officer for the Lockheed Martin F-35 program, and assisted in developing the Cyber Defense strategy for Israel’s Air Force, the IAF. Yehuda currently holds numerous cyber certifications including CISSP and CCSP. During his free time he also employs his expertise to help people and non-profit organizations share their stories with the world through audio and visuals. Yehuda’s hobbies include creating music, producing films, traveling, and strategy board games.
By submitting my information to Checkmarx, I hereby consent to the terms and conditions found in the Checkmarx Privacy Policy and to
the
processing of my personal data as described therein. By clicking submit below, you consent to allow Checkmarx
to store and process the personal
information submitted above to provide you the content requested.