A new deceptive package hidden within the npm package registry has been uncovered deploying an open-source rootkit called r77, marking the first time a rogue package has delivered rootkit functionality.
The package in question is node-hide-console-windows, which mimics the legitimate npm package node-hide-console-window in what’s an instance of a typosquatting campaign. It was downloaded 704 times over the past two months before it was taken down.
ReversingLabs, which first detected the activity in August 2023, said the package “downloaded a Discord bot that facilitated the planting of an open-source rootkit, r77,” adding it “suggests that open-source projects may increasingly be seen as an avenue by which to distribute malware.”
The malicious code, per the software supply chain security firm, is contained within the package’s index.js file that, upon execution, fetches an executable that’s automatically run.
The executable in question is a C#-based open-source trojan known as DiscordRAT 2.0, which comes with features to remotely commandeer a victim host over Discord using over 40 commands that facilitate the collection of sensitive data, while disabling security software.
One among the instructions is “!rootkit,” which is used to launch the r77 rootkit on the compromised system. r77, actively maintained by bytecode77, is a “fileless ring 3 rootkit” that is designed to hide files and processes and which can be bundled with other software or launched directly.
This is far from the first time r77 has been put to use in malicious campaigns in the wild, what with threat actors utilizing it as part of attack chains distributing the SeroXen trojan as well as cryptocurrency miners.
What’s more, two different versions of node-hide-console-windows have been found to fetch an open-source information stealer dubbed Blank-Grabber alongside DiscordRAT 2.0, masquerading it as a “visual code update.”
A notable aspect of the campaign is that it’s entirely built atop the foundations of components that are freely and publicly available online, requiring little effort for threat actors to put it all together and opening the “supply chain attack door is now open to low-stakes actors.”
The research findings underscore the need for caution among developers when installing packages from open-source repositories. Earlier this week, Fortinet FortiGuard Labs identified nearly three dozen modules with variations in coding style and execution methods that came fitted with data harvesting features.
“The malicious actor or actors made an effort to make their packages appear trustworthy,” security researcher Lucija Valentić said.
“The actor or actors behind this campaign fashioned an npm page that closely resembled the page for the legitimate package that was being typo-squatted, and even created 10 versions of the malicious package to mirror the package they were mimicking.”