Kirk

186 posts


@KirkDerpca

Kirk from https://t.co/ApFk1Idj6p Security Researcher @Adam_Networks @PatternRecognition Nerd @NerdsOnSite https://t.co/KY1YIa8DfQ

Canada Joined March 2026
183 Following 82 Followers
Kirk retweeted
Milan Špinka@SpinkaMilan·
I tried getting the sample from that website but got a Vidar stealer sample (again 🙄) instead - version 1.8, build id 078e27c16c8c3b5f44866860572ae5b8, c2 78[.]47[.]70[.]183 + telegram (g75rit) + steam (76561198698223785). But this Vidar sample is different from what I'm used to. It seems like the devs changed not just their versioning system. Two weeks ago, @KirkDerpca reported on a Vidar version 1.5 sample that was shipped within a Go packer. I compared the sample briefly to the 1.8 build (also packed in a Go executable) and found some upgrades:
- Human readable obfuscated strings in the .rdata section
- Debug logging, logs encrypted with AES-GCM (bcrypt.dll) using a hardcoded secret — but useful for reversing while still in plaintext😉
- Anti-debug via call to NtSetInformationThread with 0x11 = ThreadHideFromDebugger
- Debug string "---- fakefunctions op!" along with an array of functions called in a pseudorandom order suggests possibly increased anti-analysis efforts
- API hashing with extra steps — DLL or API names are first decrypted, then hashed, then the DLL or API is resolved by that hash 🤔
All in all, it looks like there's been a general overhaul of Vidar, and the development seems to be picking up quite fast. Stay tuned for a more in-depth analysis.
SHA (bytearmor.exe): 583B091AA37A8F312161D2322D6E750D75CD8510AADC6B49425DBF058380B09E
#vidar #vidarstealer #malware #cti
Brandon ッ@notbrvnd0n

Was poking "free" call of duty hax on yoobtube and found something AnyRun labeled "santastealer"
>password protected zip file
>out of habit "infected"
>????
>"bytearmor"
anyrun report: any.run/report/cb72a8e… This is Santa waiting for you to detonate the stealer

Kirk@KirkDerpca·
Hey @MalwareUtkonos check it out npmjs.com/package/@loans/vehicles-api/v/9.9.10
Charlie Eriksen@CharlieEriksen·
@MalwareUtkonos @KirkDerpca @Walmart As I said, I would consider this to cross the line. But each program will allow different things. And it's not uncommon for hunters to be asked to perform post-exploitation to demonstrate impact and receive the full bounty. Either way, we flag it as malicious🤷
osj@inf0stache·
It feels like security research is similar to journalism. Everyone racing for that breaking news. To the new followers: that’s not my goal. I’m curious and I work to be thorough. I care about delivery methods and creativity, not being first. This isn’t my day job, it’s for fun
Kirk@KirkDerpca·
[DSCI ALERT] [MALWARE] Evidence:
- Lifecycle Exec package.json: Install-time lifecycle script: postinstall
- Lifecycle AuthConfig package/clob.js: auth_token_config_support
- Lifecycle Network package/clob.js: Outbound network references
- Lifecycle Exec package/clob.js: install_time_user_daemon_autostart
- Lifecycle Exec package/clob.js: install_time_binary_fetch_execute
- Lifecycle Exec package/clob.js: silent_process_execution
- Runtime Exec package/windows defender host.exe: bundled_windows_pe_executable
- Runtime Exec : install_time_network_destination
- Runtime Exec : install_time_persistence_macos_launchagent
- Runtime Exec : install_time_native_rebuild
Registry Link: npmjs.com/package/clobpr…
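A defender-side triage script for the install-time markers named in the alert above, added here as an example; it is not the DSCI scanner or any code from the thread. The package contents it scans are constructed, and the regex heuristics for each marker are assumptions.

```python
"""Static triage of an unpacked npm tarball for install-time risk markers.

Added example, not the scanner behind the alert. The sample package below is
constructed; only the marker names are taken from the alert.
"""
import json
import re

# Lifecycle hooks npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumed heuristics for the behaviours the alert names.
MARKERS = {
    "outbound_network_reference": re.compile(rb"https?://[\w.\-:/]+"),
    "persistence_macos_launchagent": re.compile(rb"Library/LaunchAgents"),
    "silent_process_execution": re.compile(rb"windowsHide\s*:\s*true|detached\s*:\s*true"),
    "binary_fetch_execute": re.compile(rb"\bchmod\b|\bexecFile\b|\bspawn\b"),
}


def scan_package(files):
    """files: dict of archive path -> bytes. Returns a sorted list of findings."""
    findings = set()
    manifest = json.loads(files.get("package/package.json", b"{}"))
    for hook in INSTALL_HOOKS:
        if hook in manifest.get("scripts", {}):
            findings.add(f"lifecycle_exec:{hook}")
    for path, data in files.items():
        # Bundled Windows PE: check the MZ magic, not the file extension.
        if data[:2] == b"MZ":
            findings.add(f"bundled_windows_pe_executable:{path}")
        if path.endswith((".js", ".mjs", ".cjs")):
            for name, rx in MARKERS.items():
                if rx.search(data):
                    findings.add(f"{name}:{path}")
    return sorted(findings)


# Constructed sample package mirroring the alert's markers (203.0.113.10 is a
# documentation-range address, not a real destination).
SAMPLE = {
    "package/package.json": json.dumps(
        {"name": "demo-pkg", "scripts": {"postinstall": "node clob.js"}}).encode(),
    "package/clob.js": b"""const { spawn } = require('child_process');
const url = 'http://203.0.113.10/agent';
const plist = process.env.HOME + '/Library/LaunchAgents/com.demo.plist';
spawn(process.env.TEMP + '/host.exe', [], { windowsHide: true, detached: true });
""",
    "package/windows defender host.exe": b"MZ\x90\x00" + b"\x00" * 60,
}

if __name__ == "__main__":
    for finding in scan_package(SAMPLE):
        print(finding)
```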
Kirk@KirkDerpca·
@MalwareUtkonos I haven't checked history but I did note it was older - loans[.]io, its intended use, is not up anymore and docs links are dead - looks like a supply chain takeover of a failed project
Kirk@KirkDerpca·
@MalwareUtkonos Ty - has payloads for Win, Linux & Mac, and a third stage for at least Linux - just working through it now - bad news bears tho for sure
Malware Utkonos@MalwareUtkonos·
@KirkDerpca Here is the graph of that user's packages. Email address on protonmail.
Kirk@KirkDerpca·
@CharlieEriksen @MalwareUtkonos @Walmart You might also be missing a touch of context: in this post is a small list, but there have been a lot more malicious packages with "research" in various names throughout "NASA", "google", "vercel", and others, with packages of similar markers over the past few days.
Kirk@KirkDerpca·
@MalwareUtkonos That's what I saw - odd indeed. What a way to maybe bypass prying eyes tho: 'oh don't mind me, we're the good guys'
Malware Utkonos@MalwareUtkonos·
@KirkDerpca Is this really security research? It looks like it just exfiltrates all the same data from the victim that a malicious npm package would. It just exfiltrates to public interactsh servers. This seems like indiscriminate malicious code. github.com/projectdiscove…