Open Source Information Theft RAT Covered By Negative NPM Packages


TurkoRat Has Features Like Wallet Grabber and Can Harvest Credentials.

Researchers have discovered two malicious npm packages that appeared to be legal and concealed an open-source infostealer for two months before being found and eliminated.
Researchers from ReversingLabs discovered two packages called nodejs-encrypt-agent and nodejs-cookie-proxy-agent that had been downloaded over 1,200 times combined during the previous two months to contain the open-source infostealer TurkoRat.

A database of JavaScript packages, which include software and information and are used by open-source developers to promote JavaScript code sharing, is known as a npm registry. TurkoRat has capabilities including a wallet grabber used for stealing cryptocurrencies and associated data as well as the ability to harvest credentials and page cookies.

Researchers from ReversingLabs discovered a variety of hazardous behaviour combinations when examining packages that were readily available on public repositories. Open-source software was found to execute commands, write data to files, and contain hard-coded IP addresses in its code, according to researchers. Typically, this behaviour is malevolent, they said.

“It is accurate to say that none of those capabilities are malevolent on their own. However, when they are combined, they frequently offer dangerous functionality. The npm package nodejs-encrypt-agent originally came to our attention because of the existence of such suspicious traits and behaviours, according to researchers. Nodejs-encrypt-agent, a malicious package, was discovered posing as agent-base, a popular npm module with over 30 million installs. To make it appear more genuine, threat actors inserted a link to the agent-base’s GitHub website.

Threat actors were discovered imitating an earlier version of the agent-base that had been released two months before the malicious package was detected. The malicious actors were imitating an older version of the agent-base model, 6.0.2, which had been downloaded over 20 million times. Researchers discovered after examining the nodejs-encrypt-agent that the functionality and code were identical to those of the agent-base package.

When the package is run, this PE file is used, which executes malicious commands buried in the first few lines of the index.js file. The capacity to write to and delete from Windows system directories, execute instructions, and modify DNS settings are just a few of the major harmful behaviours that have been discovered.

Researchers discovered TurkoRat after extracting all the javascript files and checking out earlier iterations of the nodejs-encrypt-agent package. By comparing the javascript files that were recovered from the PE to those that were located in the TurkoRat GitHub repository, researchers were able to corroborate their findings.

The configuration and capabilities of the completed PE can be changed by modifying TurkoRat during the build process. It can be disseminated in a number of ways, such as by concealing it within a genuine piece of software, as it was done with the nodejs-encrypt-agent. The code was discovered by researchers in the nodejs-encrypt-agent and the nodejs-cookie-proxy-agent, which mimics a widely used, trustworthy package called node-cookie-proxy-agent but is less well-known than agent-base.


Please enter your comment!
Please enter your name here