Veracode unravels 12-layer npm attack to find RAT

Security researchers at Veracode, during their routine monitoring of the open-source world, stumbled upon two seemingly harmless software packages on the popular npm repository. However, when they looked inside, they weren’t greeted with code; instead, they faced a wall of Unicode characters, predominantly in Japanese Katakana and Hiragana.

“What started as an investigation into a fascinating Unicode obfuscation technique,” the Veracode team explained, “unraveled into one of the deepest and most complex attack chains we have seen”.

The attack’s starting point – a standard postinstall script – meant the trap was sprung the moment a developer innocently typed npm install.

Those strange Japanese characters were not random; they were the first of a dozen layers of deception. The attackers had used them as variable names in a script designed to build other, more functional bits of code from scratch. This first script’s only job was to create a second, slightly more conventional but still heavily hidden script, and then run it.
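The two things described so far, an install-time lifecycle hook and a script whose identifiers are drawn from Japanese syllabaries, are both cheap to check for before a package is ever installed. The following is an added example, not Veracode's tooling or code from the packages in question: it reads a constructed package.json and a constructed setup.js (both assumptions, written here to mimic the described style), lists the lifecycle scripts npm runs automatically, measures what share of identifiers are non-ASCII and which Unicode scripts they come from, and looks for dynamic-execution patterns such as a computed member call.

```python
import json
import re
import unicodedata

# Constructed sample package.json: a lifecycle hook that runs on `npm install`.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-widget",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "node setup.js",
    "test": "jest"
  }
}"""

# Constructed sample install script in the style the article describes:
# Katakana/Hiragana identifiers assemble a function name, then a computed
# member call invokes it. This is not the real malicious script.
SAMPLE_SETUP_JS = """
var アイ = "e";
var うえ = "val";
var かき = アイ + うえ;
this[かき]("console.log('hello')");
"""

# Lifecycle scripts npm runs automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# JavaScript-ish identifier: a Unicode letter or underscore, then word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*")

# Dynamic-execution / staging patterns worth flagging in an install script.
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "Function constructor": re.compile(r"\bFunction\s*\("),
    "computed member call": re.compile(r"\]\s*\("),
    "child_process": re.compile(r"child_process"),
    "http(s) request": re.compile(r"\bhttps?\.(get|request)\s*\("),
}


def install_hooks(package_json: str) -> dict:
    """Return only the scripts that run without the developer asking for them."""
    scripts = json.loads(package_json).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def non_ascii_identifier_ratio(js_source: str) -> float:
    """Share of identifier-like tokens that contain non-ASCII characters."""
    idents = IDENT_RE.findall(js_source)
    if not idents:
        return 0.0
    return sum(1 for i in idents if not i.isascii()) / len(idents)


def identifier_scripts(js_source: str) -> set:
    """Unicode script names (first word of the character name) of non-ASCII identifier chars."""
    names = set()
    for ident in IDENT_RE.findall(js_source):
        for ch in ident:
            if not ch.isascii():
                names.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return names


def matched_patterns(js_source: str) -> list:
    return [name for name, rx in SUSPICIOUS_PATTERNS.items() if rx.search(js_source)]


def triage(package_json: str, files: dict, ratio_threshold: float = 0.2) -> dict:
    """Per file: which hook runs it, non-ASCII identifier ratio, scripts used,
    suspicious patterns, and a combined flag (odd identifiers AND dynamic execution)."""
    hooks = install_hooks(package_json)
    report = {}
    for filename, source in files.items():
        ratio = non_ascii_identifier_ratio(source)
        patterns = matched_patterns(source)
        report[filename] = {
            "run_by_hook": [h for h, cmd in hooks.items() if filename in cmd],
            "non_ascii_ratio": round(ratio, 2),
            "scripts": sorted(identifier_scripts(source)),
            "patterns": patterns,
            "flag": bool(ratio >= ratio_threshold and patterns),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_PACKAGE_JSON, {"setup.js": SAMPLE_SETUP_JS}),
                     indent=2, ensure_ascii=False))
```

The identifier regex deliberately also picks up words inside string literals, which is acceptable for a triage heuristic; non-ASCII identifiers are legitimate in JavaScript, so the flag only fires when they coincide with a dynamic-execution pattern.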

Just when Veracode had cracked this first puzzle from the npm attack, they found the next. The second script’s sole purpose was to run a short command that reached out to a remote server, firewall[.]tel, to download the next piece of the attack. The trail was getting warmer.

What came back from that server was yet another obfuscated script, this time using binary strings that had to be converted back into readable text. Once decoded, this revealed another script that used a different encoding technique, Base64.

This fourth script was a saboteur; it tried to tell the computer’s own security software, Windows Defender, to look the other way by adding its own files to an exclusion list. It then downloaded a batch file.
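Layers three and four are plain encodings rather than real obfuscation, which is why an analyst peels them mechanically. The following is an added example, not Veracode's tooling or the actual downloaded scripts: it recognises whether a stage is a string of 8-bit binary groups or Base64 text, decodes layer after layer until it reaches something that is neither, and then scans the result for well-known PowerShell indicators such as the Defender exclusion cmdlet. The inner command is constructed for the demonstration and is not the real fourth-stage payload.

```python
import base64
import re

# Constructed stand-in for the innermost command. It is NOT the payload from
# the Veracode write-up; it merely contains the kind of indicator a defender
# would want flagged (the Defender exclusion change the article describes).
INNER_COMMAND = 'powershell -c "Add-MpPreference -ExclusionPath C:\\Users\\Public"'

# Layer recognisers: a binary layer is whitespace-separated groups of eight
# 0/1 characters; a Base64 layer uses only the Base64 alphabet plus whitespace.
BINARY_RE = re.compile(r"^\s*(?:[01]{8}\s*)+$")
BASE64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")

# Real PowerShell cmdlet/parameter/method names worth flagging in a decoded stage.
INDICATORS = ("Add-MpPreference", "ExclusionPath", "Invoke-Expression",
              "DownloadString", "FromBase64String")


def decode_binary_layer(text: str) -> str:
    """Turn '01110000 01101111 ...' back into text."""
    octets = re.findall(r"[01]{8}", text)
    return bytes(int(o, 2) for o in octets).decode("utf-8")


def decode_base64_layer(text: str) -> str:
    return base64.b64decode("".join(text.split())).decode("utf-8")


def peel(text: str, max_layers: int = 12):
    """Strip recognised encoding layers until the text is neither binary groups
    nor valid Base64 text. Returns (list of layer names, decoded text)."""
    layers = []
    while len(layers) < max_layers:
        if BINARY_RE.match(text):          # check binary first: it is also valid Base64
            try:
                text = decode_binary_layer(text)
            except UnicodeDecodeError:
                break
            layers.append("binary")
        elif BASE64_RE.match(text) and len("".join(text.split())) % 4 == 0:
            try:
                text = decode_base64_layer(text)
            except (ValueError, UnicodeDecodeError):
                break                      # not really Base64, or decoded to non-text
            layers.append("base64")
        else:
            break
    return layers, text


def indicators(text: str) -> list:
    return [i for i in INDICATORS if i in text]


def build_sample() -> str:
    """Constructed sample in the order the article describes: Base64 underneath,
    binary strings outermost."""
    b64 = base64.b64encode(INNER_COMMAND.encode()).decode()
    return " ".join(format(b, "08b") for b in b64.encode())


if __name__ == "__main__":
    layers, final = peel(build_sample())
    print("layers peeled:", layers)
    print("decoded text: ", final)
    print("indicators:   ", indicators(final))
```

The stop condition is a heuristic: a plaintext stage made only of Base64-alphabet characters with a length divisible by four would be decoded once more, so in practice the analyst inspects each intermediate stage rather than trusting the loop blindly.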

This batch file was a maze of confusion. It used hundreds of randomly named variables to hold tiny pieces of a larger puzzle. In a specific sequence, it pieced these fragments together to create its true payload: a .NET software library (a DLL) that was encrypted, compressed, and encoded to fly under the radar. This library was loaded directly into the computer’s memory, a trick to avoid leaving a trace on the hard drive.

But the rabbit hole went deeper still. Veracode found this DLL was not the final weapon; it was just another step in this amazingly complex npm attack. It was programmed to fetch what looked like a harmless PNG image from the internet. The image itself was just digital static, like an untuned TV screen. To the researchers, this screamed steganography—the art of hiding secrets in plain sight.

And they were right. The attackers had hidden their final payload within the very pixels of that image. The DLL extracted this hidden data and used it to build a second, final software library in the computer’s memory.
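An image that is "digital static" is statistically unlike a photograph, and that difference is measurable. The following is an added triage heuristic, not Veracode's tooling and not the actual image: it works on raw RGB bytes (decoding the PNG container is assumed to have happened already, so no image library is needed), computes the Shannon entropy of the pixel bytes and of the least-significant-bit plane, and compares two constructed inputs, uniform random noise and a plain horizontal gradient.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def lsb_plane(data: bytes) -> bytes:
    """Pack the least significant bit of each byte into a new byte string.
    A natural image has a structured LSB plane; embedded data tends not to."""
    out = bytearray()
    for i in range(0, len(data) - len(data) % 8, 8):
        byte = 0
        for b in data[i:i + 8]:
            byte = (byte << 1) | (b & 1)
        out.append(byte)
    return bytes(out)


def triage_image(pixels: bytes, threshold: float = 7.5) -> dict:
    """Entropy of the whole pixel buffer and of its LSB plane, plus a verdict."""
    whole = shannon_entropy(pixels)
    lsb = shannon_entropy(lsb_plane(pixels))
    return {
        "pixel_entropy": round(whole, 3),
        "lsb_entropy": round(lsb, 3),
        "noise_like": whole >= threshold,
    }


def make_noise(width: int, height: int, seed: int = 1) -> bytes:
    """Constructed 'untuned TV' image: every RGB byte uniformly random."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(width * height * 3))


def make_gradient(width: int, height: int) -> bytes:
    """Constructed ordinary image: grey value equals the x coordinate."""
    return bytes(x % 256 for _ in range(height) for x in range(width) for _ in range(3))


if __name__ == "__main__":
    print("noise:   ", triage_image(make_noise(128, 128)))
    print("gradient:", triage_image(make_gradient(128, 128)))
```

A high-entropy pixel buffer is not proof of steganography (compressed or encrypted data embedded in a real photograph can sit below the threshold), but an image whose bytes look like a random stream, fetched by a freshly loaded in-memory DLL, is exactly the combination that deserves a closer look.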

After peeling back twelve layers of incredible complexity, the attackers’ ultimate goal was finally revealed: a program called Pulsar, a Remote Administration Tool, or RAT. While Pulsar can be a legitimate tool, in this context it’s a malicious trojan, giving the attackers full remote control of the victim’s machine.

Veracode says the malicious packages have since been reported to npm’s security team.

(Photo by Nick Fewings)

See also: Package lurking in npm for six years waits to destroy your work
