Stressed Pungsan: North Korean hackers attack developer repositories

Mysterious malicious packages disappeared as suddenly as they appeared...

On July 7 of this year, an npm user named "nagasiren978" published two malicious packages, "harthat-hash" and "harthat-api", containing code that fetches and installs a second-stage payload from the attackers' C2 server. The packages targeted Windows systems.

The techniques and infrastructure used in the packages match the tactics of a North Korean-linked group that Microsoft tracks as MOONSTONE SLEET. Datadog, which was the first company to detect the malicious packages, refers to this threat cluster internally as "Stressed Pungsan", after the Pungsan, a dog breed from North Korea.

The attackers' goal is to infiltrate software supply chains and developer environments. Once they have a foothold, they steal personal information, API keys and cloud access keys, and move laterally to other systems belonging to the victim.

To counter such threats, the Datadog security team built infrastructure that scans newly published PyPI and npm packages with its GuardDog tool. During the scan on July 7, analysts found two packages with suspicious behavior.

"harthat-hash" version 1.3.3 and "harthat-api" version 1.3.1 used npm preinstall scripts to execute, and then delete, a bundled ".js" file. The scripts contained links to suspicious domains and downloaded malicious DLL files that were executed via "rundll32.exe".

The two packages were almost identical, differing only in the value of the "id" parameter in the C2 URLs. The malicious code downloaded a file named "Temp.b", renamed it to "package.db", and ran it with "rundll32.exe". After execution the script deleted itself, and "package.json" was replaced with "pk.json", which made the activity harder to spot.
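To make the install-time behaviour described above concrete, here is an added example (written for this page, not code from Datadog or from the malicious packages) that audits an npm package's lifecycle scripts and bundled script files for those indicators. The sample manifest and script body are constructed to mirror the description; the C2 URL, file names and function names are assumptions, not the real package contents.

```javascript
// Added example: audit an npm package for the preinstall-hook behaviour
// described above (download -> rename -> rundll32, self-deletion, manifest swap).
// Sample inputs below are CONSTRUCTED, not the contents of harthat-*.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators derived from the write-up; patterns and ids are our own choices.
const INDICATORS = [
  { id: "rundll32", re: /rundll32(\.exe)?/i, why: "executes a DLL via rundll32" },
  { id: "dll-rename", re: /package\.db|Temp\.b/i, why: "download/rename pattern described for harthat-*" },
  { id: "manifest-swap", re: /pk\.json/i, why: "package.json replaced with pk.json" },
  { id: "self-delete", re: /unlink(Sync)?\s*\(\s*__filename|rm(Sync)?\s*\(\s*__filename/i, why: "script deletes itself after running" },
  { id: "remote-fetch", re: /https?:\/\/[^\s"'`]+\?[^\s"'`]*\bid=/i, why: "fetches a URL carrying an id= parameter" },
];

// Flag install-time hooks that run a bundled .js file or match an indicator.
// An install hook is the only code the attacker controls before anyone imports the package.
function auditLifecycleScripts(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    if (/\bnode\s+\S+\.js\b/i.test(cmd)) findings.push({ hook, id: "node-script", detail: cmd });
    for (const ind of INDICATORS) {
      if (ind.re.test(cmd)) findings.push({ hook, id: ind.id, detail: cmd });
    }
  }
  return findings;
}

// Scan the text of a bundled script for the same indicators.
function auditScriptBody(filename, body) {
  const findings = [];
  for (const ind of INDICATORS) {
    if (ind.re.test(body)) findings.push({ file: filename, id: ind.id, why: ind.why });
  }
  return findings;
}

// Combine both checks; `files` maps file name -> file contents.
function auditPackage(manifest, files) {
  const findings = auditLifecycleScripts(manifest);
  for (const [name, body] of Object.entries(files)) findings.push(...auditScriptBody(name, body));
  return findings;
}

// Constructed sample modelled on the described behaviour (hypothetical contents).
const SAMPLE_MANIFEST = { name: "example-pkg", version: "1.0.0", scripts: { preinstall: "node preinstall.js" } };
const SAMPLE_FILES = {
  "preinstall.js": [
    'const fs = require("fs"), cp = require("child_process");',
    'const url = "https://c2.example.invalid/download?id=1234"; // hypothetical C2 URL',
    "// ...download the response to Temp.b, rename it to package.db, then:",
    'cp.execSync("rundll32.exe package.db,entry");',
    'fs.renameSync("package.json", "pk.json");',
    "fs.unlinkSync(__filename);",
  ].join("\n"),
};
const BENIGN_MANIFEST = { name: "ok-pkg", version: "1.0.0", scripts: { test: "jest" } };

console.log(auditPackage(SAMPLE_MANIFEST, SAMPLE_FILES));
console.log(auditPackage(BENIGN_MANIFEST, {})); // []
```

The patterns are deliberately narrow and keyed to this campaign; in practice you would run an audit like this over the tarball before install (or simply install with `--ignore-scripts` and review hooks by hand), since by the time a preinstall hook runs the damage is done.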

The DLL downloaded by the packages contained suspicious Windows API calls such as "IsDebuggerPresent" and "GetTickCount", typically used for anti-debugging and anti-analysis. However, static analysis revealed no obvious malicious logic, which suggests that the DLL was not yet fully operational or was being used to test the C2 infrastructure.

The attackers reused code from the popular "node-config" repository, adding their malicious modifications. Notably, the packages were removed from npm very quickly, and not by moderators but by the author himself.

Developers are advised to check whether "harthat-api" or "harthat-hash" is installed anywhere in their infrastructure. If either is found, rotate credentials immediately, isolate the affected application, and investigate whether the threat has spread further.

The threat from malicious npm packages grows more pressing every day. Attackers disguise their code as legitimate packages to get it executed. A quick response to such incidents can prevent serious consequences for data and infrastructure security.
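As an added example of the check recommended above (written for this page, not Datadog's tooling), the function below searches a project's package-lock.json for the two package names, including transitive copies nested under other dependencies. It handles lockfile v1 (nested "dependencies" tree) and v2/v3 (flat "packages" map keyed by node_modules path). The two lockfiles below are constructed samples; the package versions match the ones named in the post, the other dependency names are placeholders.

```javascript
// Added example: locate watchlisted packages in an npm lockfile so the check
// can run across many repositories without installing anything.
const WATCHLIST = ["harthat-hash", "harthat-api"];

function findInLockfile(lock, names = WATCHLIST) {
  const wanted = new Set(names);
  const hits = [];

  // lockfileVersion 2/3: flat map with keys like "node_modules/a/node_modules/b".
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // "" is the root project itself
    const marker = "node_modules/";
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (wanted.has(name)) hits.push({ name, version: entry.version, path });
  }

  // lockfileVersion 1: nested "dependencies" objects; v2 lockfiles also carry
  // this tree, so only walk it when no "packages" map exists, to avoid duplicates.
  function walk(deps, prefix) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (wanted.has(name)) hits.push({ name, version: entry.version, path });
      walk(entry.dependencies, path + "/");
    }
  }
  if (!lock.packages) walk(lock.dependencies, "");

  return hits;
}

// Constructed sample lockfiles (hypothetical projects).
const SAMPLE_LOCK_V3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "0.1.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/harthat-api": { version: "1.3.1" },
    "node_modules/some-dep": { version: "2.0.0" },
    "node_modules/some-dep/node_modules/harthat-hash": { version: "1.3.3" },
  },
};
const SAMPLE_LOCK_V1 = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: "4.17.21" },
    "some-dep": { version: "2.0.0", dependencies: { "harthat-hash": { version: "1.3.3" } } },
  },
};

console.log(findInLockfile(SAMPLE_LOCK_V3));
console.log(findInLockfile(SAMPLE_LOCK_V1));
```

To run it against a real checkout, `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the result in; a lockfile hit is a lead, not proof of installation, so confirm with `npm ls harthat-api harthat-hash` in the project and by listing node_modules on any build host that may have installed from a different lockfile.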
