Malicious Go and npm Packages Unleash Cross-Platform Malware Threats

By Tina Reynolds

The tools of a major cybersecurity menace are now in the public domain. Olivia Brown, a researcher from Socket, recently found 11 malicious Go packages that are designed to deliver payloads through obfuscated remote retrieval. These malicious packages, which target both Windows and Linux systems, have raised alarm across the cybersecurity community. They have already racked up more than 1,110 downloads and are still available from the npm registry.

The packages use a well-disguised loader to download and execute further binaries, creating an enormous opportunity for harm to unaware consumers. The threat actor behind this operation appears to treat developers as the lowest-hanging fruit. The packages also embed an unusual phone-number-based kill switch that can remotely wipe systems. The discovery has drawn a flurry of interest from independent security professionals and organizations.

Discovery of Malicious Packages

In the course of her research, Olivia Brown stumbled upon an alarming trend. She discovered malicious Go packages capable of downloading and executing payloads from remote servers. Behind the scenes, these packages conceal a loader that downloads second-stage binaries, which gather information about the host and retrieve sensitive data stored in web browsers.

Kush Pandya, an independent security researcher, examined the findings more deeply. Based on their characteristics, he concluded that the packages were likely the work of a single threat actor. His breakdown pointed to reuse of command-and-control (C2) infrastructure and a homogeneous code structure across the packages found, indicating an intentional, highly coordinated effort to compromise systems.

Some of the packages used in this attack were named github.com/stripedconsu/linker, github.com/agitatedleopa/stm, and github.com/expertsandba/opt. Fortinet FortiGuard Labs was heavily involved in identifying these packages in open-source registries, which pulled back the curtain on how pervasive the threat was.

Functionality of the Malicious Packages

The malicious Go packages do more than download payloads. They can be used to collect large swathes of data, demonstrating considerable capability. The second-stage binaries they deliver can gather host data and retrieve sensitive data from web forms via browsers.

Even more concerning, two npm packages, naya-flore and nvlore-hsc, pretended to be WhatsApp socket libraries. This tactic of disguising malware as legitimate software is very dangerous: legitimate developers could have installed these packages, introducing malicious activity into otherwise legitimate projects.

Once in action, these packages perform a preliminary lookup against a database of known phone numbers. If the phone number is not found in the database, the package issues a destructive command: it recursively deletes all files on the system using “rm -rf *”. This kill-switch functionality is very concerning, as it greatly increases the direct threat posed by these packages and shows an intent to disable systems.

Ongoing Risks and Recommendations

These packages have been publicly reported as malicious. Contrary to best practice, far too many of them are still publicly available on the npm registry. Such persistence constitutes a grave and continuing danger to developers and to the many organizations that use open-source software.

Security experts caution that developers should always be on guard when downloading packages from public repositories. It is imperative that organizations introduce strict security procedures to keep a vigilant eye on their software supply chains. Additionally, frequent audits of installed packages should be standard operating procedure, so that reported threats are caught before they cause harm.
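The audit the article recommends, and a check for the destructive-command behaviour it describes, can both be scripted. The following is an added example written for this page; it is not code from Socket, Fortinet, or any of the researchers named above. It parses a Go `go.mod` and an npm `package.json`, flags any dependency whose name matches the five package names quoted in the article, and scans package source files for the `rm -rf` pattern described as the kill switch. The manifests and source snippet are constructed samples; the regex and the `audit` function signature are this example's own choices, not a standard tool's interface.

```python
"""Audit dependency manifests for the malicious packages named in the article and
flag destructive shell commands in package source. Added example, not the page's own code."""
import json
import re

# Indicators quoted in the article: three malicious Go module paths and two npm package names.
KNOWN_BAD_GO_MODULES = {
    "github.com/stripedconsu/linker",
    "github.com/agitatedleopa/stm",
    "github.com/expertsandba/opt",
}
KNOWN_BAD_NPM_PACKAGES = {"naya-flore", "nvlore-hsc"}

# Constructed pattern for the recursive-delete command the article describes as the kill switch.
DESTRUCTIVE_CMD_RE = re.compile(r"\brm\s+-(?:rf|fr)\b")


def parse_go_mod(text: str) -> set[str]:
    """Return module paths from both single-line and block-form `require` directives."""
    modules: set[str] = set()
    in_block = False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop trailing comments such as `// indirect`
        if not line:
            continue
        if in_block:
            if line == ")":
                in_block = False
            else:
                modules.add(line.split()[0])
        elif line.startswith("require ("):
            in_block = True
        elif line.startswith("require "):
            parts = line.split()
            if len(parts) >= 3:
                modules.add(parts[1])
    return modules


def parse_package_json(text: str) -> set[str]:
    """Return package names from every dependency section of a package.json document."""
    data = json.loads(text)
    names: set[str] = set()
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        names.update(data.get(section, {}).keys())
    return names


def scan_source(filename: str, text: str) -> list[tuple[str, int, str]]:
    """Return (file, line number, line) for each line containing a recursive-delete command."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if DESTRUCTIVE_CMD_RE.search(line):
            hits.append((filename, lineno, line.strip()))
    return hits


def audit(go_mod: str, package_json: str, sources: dict[str, str]) -> dict:
    """Combine manifest matching and source scanning into one report."""
    go_hits = sorted(parse_go_mod(go_mod) & KNOWN_BAD_GO_MODULES)
    npm_hits = sorted(parse_package_json(package_json) & KNOWN_BAD_NPM_PACKAGES)
    cmd_hits = [hit for name, text in sources.items() for hit in scan_source(name, text)]
    return {"go_modules": go_hits, "npm_packages": npm_hits, "destructive_commands": cmd_hits}


# Constructed sample inputs: one bad Go module, one bad npm package, one destructive command.
SAMPLE_GO_MOD = (
    "module example.com/app\n\ngo 1.22\n\n"
    "require (\n"
    "\tgithub.com/expertsandba/opt v0.1.0\n"
    "\tgithub.com/stretchr/testify v1.9.0 // indirect\n"
    ")\n"
)
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo",
    "dependencies": {"express": "^4.19.0", "naya-flore": "1.0.0"},
    "devDependencies": {"jest": "^29.0.0"},
})
SAMPLE_PACKAGE_SOURCE = (
    "const { execSync } = require('child_process');\n"
    "function check(phone) {\n"
    "  if (!allowed.includes(phone)) {\n"
    "    execSync('rm -rf *');  // constructed stand-in for the kill switch\n"
    "  }\n"
    "}\n"
)

if __name__ == "__main__":
    report = audit(SAMPLE_GO_MOD, SAMPLE_PACKAGE_JSON, {"index.js": SAMPLE_PACKAGE_SOURCE})
    print(json.dumps(report, indent=2))
```

Run it against a real checkout by reading the project's `go.mod`, `package.json` and the contents of `node_modules/<package>/` into the three arguments. Name matching on its own only catches the packages already reported; the source scan is the part that would have flagged a freshly renamed copy with the same kill-switch behaviour, which is why both checks belong in a routine audit.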