More NPM libraries hijacked for credential theft
Following on from the ua-parser-js supply chain attack seen last month, two more npm libraries have been hijacked to distribute DanaBot malware.
The packages `coa` and `rc` both had malicious versions published to the npm registry containing a script that installs DanaBot malware. The script uses commands found only on Microsoft Windows, so other operating systems are not affected, although the malicious versions should still be removed wherever they are found.
The malware installed could be used to steal passwords from web browsers, email accounts and other locations on the machine as well as record keystrokes and take screenshots.
Indicators of Compromise
Check for the existence of the malicious files compile.js, compile.bat and sdd.dll.
Check network logs for connections to the malicious site pastorcryptograph[.]at.
Affected versions:
`coa` versions 2.0.3, 2.0.4, 2.1.1, 2.1.3, 3.1.3
`rc` versions 1.2.9, 1.3.9, 2.3.9
Containment, Mitigations & Remediations
Revert to the last safe versions (coa 2.0.2, rc 1.2.8) and check lockfiles so that a transitive dependency cannot pull a malicious version back in.
Any computer found running the malicious code should be considered compromised and its credentials rotated.
Multi Factor Authentication (MFA) is encouraged as a good mitigation against stolen credentials being abused.
Background
DanaBot was first reported by Proofpoint in 2018. It is used to steal credentials, which can then be sold to other threat actors or used for banking fraud.
Reported DanaBot activity had been low for the past year until the ua-parser-js compromise last month.
MITRE ATT&CK
T1195.001 – Compromise Software Dependencies and Development Tools
T1555 – Credentials from Password Stores
Security Advisory 2021-062 – NPM Libraries Hijacked