More NPM libraries hijacked for credential theft
Overview
Following on from the ua-parser-js supply chain attack seen last month, two more npm libraries have been hijacked to distribute DanaBot malware.
Malicious versions of the packages `coa` and `rc` were published to the npm registry from their hijacked maintainer accounts. Each contained a preinstall script which launched a Windows batch file to download and run the DanaBot payload. The script uses commands only found on Microsoft Windows, so other operating systems would not be infected; on those platforms the install step simply fails, which is how many affected builds were first noticed.
Impact
The malware installed could be used to steal passwords from web browsers, email accounts and other locations on the machine as well as record keystrokes and take screenshots.
Vulnerability Detection
Check for the existence of the malicious files compile.js, compile.bat and sdd.dll, typically under node_modules/coa or node_modules/rc (including nested copies further down the dependency tree). Also check package-lock.json and yarn.lock for the affected versions listed below.
Check network and proxy logs for connections to the malicious site pastorcryptograph[.]at; a download of sdd.dll from that host indicates the payload was fetched.
Affected Products
`coa` versions 2.0.3, 2.0.4, 2.1.1, 2.1.3 and 3.1.3
`rc` versions 1.2.9, 1.3.9 and 2.3.9
Containment, Mitigations & Remediations
Revert to the last safe versions (coa 2.0.2, rc 1.2.8) and pin them in package.json and the lockfile so a later install cannot resolve to a hijacked release; clear the local npm cache after reverting.
Any computer on which the malicious install script ran should be considered compromised: rebuild it where possible and rotate every credential stored or used on it (browser-saved passwords, email accounts, tokens and SSH keys), since DanaBot targets exactly those.
Multi Factor Authentication (MFA) is encouraged as a good mitigation against stolen credentials being abused.
Indicators of Compromise
pastorcryptograph[.]at
hxxps[://]pastorcryptograph[.]at/3/sdd[.]dll
f53ef1ed12f9ba49831ea33100083c9a92bc8adc6620f8a3b36a2d9ae2eb8591
26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf
Threat Landscape
DanaBot was first reported by Proofpoint in 2018. It is used to steal credentials which can then be sold to other threat actors or used for banking fraud.
Reported DanaBot activity had been low for the past year up until the ua-parser-js compromise last month, which used the same delivery route through hijacked npm packages.
MITRE ATT&CK Methodologies
T1195.001 – Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1555 – Credentials from Password Stores