A new rogue package hidden within the npm package registry has been exposed deploying an open-source rootkit named r77, marking the first time that a rogue package has provided rootkit functionality.
The package in question is node-hide-console-windows, which mimics the legitimate npm package node-hide-console-window in an example of a typosquatting campaign. It was downloaded 704 times over the two months before it was removed.
ReversingLabs, which first detected the activity in August 2023, said the package “downloaded a Discord bot that facilitated the planting of an open-source rootkit, r77,” adding it “suggests that open-source projects may increasingly be seen as an avenue by which to distribute malware.”
According to the software supply chain security firm, the malicious code is contained in the package's index.js file, which, upon execution, retrieves an executable that is then run automatically.
The executable in question is DiscordRAT 2.0, a C#-based open-source trojan that lets an operator remotely commandeer a victim host over Discord using more than 40 commands, including ones that collect sensitive data and disable security software.
One of those commands is "!rootkit", which launches the r77 rootkit on the compromised system. r77, actively maintained by bytecode77, is described as a "fileless Ring 3 rootkit" that hides files and processes; it can be bundled with other software or launched directly.
This is not the first time r77 has been used in malicious campaigns in the wild: threat actors have deployed it in a series of attacks distributing the Seroxen Trojan as well as cryptocurrency miners.
Additionally, two different versions of node-hide-console-windows have been found to deliver DiscordRAT 2.0 along with an open-source information stealer called blank-grabber, a change the package passed off as a "visual code update".
A notable aspect of the campaign is that it is built entirely from components that are freely and publicly available online, requiring little effort from threat actors to put it all together; as ReversingLabs puts it, the "supply chain attack door is now open to low-stakes actors."
The research findings emphasize the need for caution among developers when installing packages from open-source repositories. Earlier this week, Fortinet FortiGuard Labs identified nearly three dozen modules, varying in coding style and execution methods, that were equipped with data-harvesting features.
“The malicious actor or actors attempted to make their packages appear trustworthy,” said security researcher Lucija Valentić.
“The actor or actors behind this campaign fashioned an npm page that closely resembled the page for the legitimate package that was being typo-squatted, and even created 10 versions of the malicious package to mirror the package they were mimicking.”
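The lookalike naming described above (node-hide-console-windows standing in for node-hide-console-window) is the kind of thing a pre-install check can catch. The following is an added example, not code from ReversingLabs or the article: it scans a project's package.json for dependency names that are a small edit distance away from a team-maintained allowlist of known-good package names, and flags them for review. The allowlist and the sample package.json are constructed for the example.

```javascript
// Added example: flag dependencies whose names sit within a small edit
// distance of a known-good package name (the typosquatting pattern the
// article describes). Not part of the original report.

// Levenshtein edit distance between two strings, single-row implementation.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1] for the current column
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j]; // D[i-1][j], needed as next column's diagonal
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Constructed allowlist: the names a team actually intends to depend on.
const KNOWN_GOOD = ['node-hide-console-window', 'lodash', 'express'];

// Returns dependencies that are not on the allowlist but are within
// maxDistance edits of an allowlisted name, i.e. probable lookalikes.
function findSuspiciousDeps(packageJson, knownGood = KNOWN_GOOD, maxDistance = 2) {
  const deps = { ...(packageJson.dependencies || {}), ...(packageJson.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (knownGood.includes(name)) continue; // exact match: fine
    for (const good of knownGood) {
      const distance = editDistance(name, good);
      if (distance <= maxDistance) {
        findings.push({ name, lookalikeOf: good, distance });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample package.json mirroring the article's typosquat plus a
// second, transposed-letter lookalike.
const SAMPLE = {
  dependencies: { 'node-hide-console-windows': '^1.0.0', express: '^4.18.0' },
  devDependencies: { lodahs: '^4.17.0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findSuspiciousDeps(SAMPLE));
}
```

Run it against a real package.json by replacing SAMPLE with the parsed file and KNOWN_GOOD with your own allowlist; a hit is a prompt to verify the package page and publisher, not a verdict on its own.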