For the first time, an npm package has been found delivering an open-source rootkit

CarderPlanet

Professional
An interesting package has turned up on npm that hides the open-source rootkit r77. Notably, it is the first package in the registry seen delivering a rootkit.

The malicious package goes by the name node-hide-console-windows and impersonates the legitimate node-hide-console-window. In essence, this is classic typosquatting: a single extra letter on the end of the real name.

According to download statistics, the rootkit package was downloaded 704 times over the two months it was available, after which it was removed from the registry.

ReversingLabs researchers were the first to notice the suspicious activity, back in August. According to them, the package "downloaded a Discord bot that facilitated the planting of the r77 rootkit on the victim's system."

The malicious code itself lived in index.js, which fetched an executable and ran it automatically. That executable was DiscordRAT 2.0, a C# Trojan that lets the operator control an infected host through Discord.

In total, the Trojan supports 40 commands, including disabling security software and collecting sensitive data.

One of these commands, "!rootkit", launches the r77 rootkit. r77 runs in ring 3 (user mode), is fileless, and is designed to hide files and processes.

Two other versions of the node-hide-console-windows package also try to install an information stealer, Blank Grabber. Moreover, every component the attackers used is publicly available and free of charge.