More NPM libraries hijacked for credential theft

Overview

Following on from the ua-parser-js supply chain attack seen last month, two more npm libraries have been hijacked to distribute DanaBot malware.

The packages `coa` and `rc` both had malicious code added to their repositories which would install DanaBot malware. The scripts used commands only found on Microsoft Windows, meaning other operating systems would not be affected.

Impact

The malware installed could be used to steal passwords from web browsers, email accounts and other locations on the machine as well as record keystrokes and take screenshots.

Vulnerability Detection

Check for the existence of the malicious files compile.js, compile.bat and sdd.dll.
Check network logs for connections to the malicious domain pastorcryptograph[.]at.

Affected Products

`coa` versions 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.1.3
`rc` versions 1.2.9, 1.3.9, 2.3.9

Containment, Mitigations & Remediations

Revert to safe versions (coa 2.0.2, rc 1.2.8).
Any computer found running the malicious code should be considered compromised and its credentials rotated.

Multi-factor authentication (MFA) is encouraged as a good mitigation against stolen credentials being abused.
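The detection and remediation steps above can be scripted. The following is an added example, not code from the advisory or from the npm projects: it flags the affected `coa` and `rc` versions in a package-lock.json (lockfile v1 nested trees and v2/v3 flat `packages` maps), walks a node_modules tree for the three file names named above, and filters log lines for the malicious domain. The lockfile and log lines are constructed sample data.

```python
import json
import os

# Versions named in the advisory and the safe versions to revert to.
AFFECTED = {
    "coa": {"2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.1.3"},
    "rc": {"1.2.9", "1.3.9", "2.3.9"},
}
SAFE = {"coa": "2.0.2", "rc": "1.2.8"}
# File names the advisory associates with the hijacked versions.
MALICIOUS_FILES = {"compile.js", "compile.bat", "sdd.dll"}
# Advisory domain, re-armed only for substring matching against logs.
MALICIOUS_DOMAIN = "pastorcryptograph.at"


def affected_packages(lockfile_text):
    """Return sorted [(name, version, safe_version)] for hijacked entries."""
    lock = json.loads(lockfile_text)
    hits = set()
    # lockfile v2/v3: keys are paths like "node_modules/x/node_modules/rc"
    for path, meta in lock.get("packages", {}).items():
        name = path.rsplit("node_modules/", 1)[-1]
        if name in AFFECTED and meta.get("version") in AFFECTED[name]:
            hits.add((name, meta["version"], SAFE[name]))
    # lockfile v1: nested "dependencies" trees (v2 carries both shapes)
    def walk(deps):
        for name, meta in deps.items():
            if name in AFFECTED and meta.get("version") in AFFECTED[name]:
                hits.add((name, meta["version"], SAFE[name]))
            walk(meta.get("dependencies", {}))
    walk(lock.get("dependencies", {}))
    return sorted(hits)


def malicious_files_present(root):
    """Walk a node_modules tree; return paths whose file name is on the list.
    Names like compile.js are not unique, so review hits before acting."""
    return sorted(os.path.join(d, f) for d, _, files in os.walk(root)
                  for f in files if f.lower() in MALICIOUS_FILES)


def suspicious_log_lines(lines):
    """Return proxy/DNS log lines that mention the advisory domain."""
    return [line for line in lines if MALICIOUS_DOMAIN in line.lower()]


# Constructed sample data (not from the advisory).
SAMPLE_LOCK = json.dumps({"lockfileVersion": 2, "packages": {
    "": {"name": "demo"},
    "node_modules/coa": {"version": "2.0.4"},
    "node_modules/rc": {"version": "1.2.8"},
    "node_modules/foo/node_modules/rc": {"version": "1.2.9"}}})
SAMPLE_LOG = ["10:01 GET registry.npmjs.org/coa 200",
              "10:02 GET pastorcryptograph.at/3/sdd.dll 200"]
```

Running `affected_packages(SAMPLE_LOCK)` reports the transitive `rc` 1.2.9 as well as the top-level `coa` 2.0.4, which is why the lockfile rather than package.json is the right input.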

Indicators of Compromise

pastorcryptograph[.]at
hxxps[://]pastorcryptograph[.]at/3/sdd[.]dll

f53ef1ed12f9ba49831ea33100083c9a92bc8adc6620f8a3b36a2d9ae2eb8591
26451f7f6fe297adf6738295b1dcc70f7678434ef21d8b6aad5ec00beb8a72cf

Threat Landscape

DanaBot was first reported by Proofpoint in 2018. It is used to steal credentials, which can then be sold to other threat actors or used for banking fraud.

Reported DanaBot activity has been low for the past year up until the ua-parser-js compromise last month.

MITRE Methodologies

T1195.001 – Compromise Software Dependencies and Development Tools
T1555 – Credentials from Password Stores

Further Information

Security Advisory 2021-062 – NPM Libraries Hijacked

Embedded malware in coa

Embedded malware in rc

coa 2.0.2 → 2.0.4

Analysis of the malware