News and Notes from the Makers of Nexus | Sonatype Blog

Damaging Linux and Mac malware bundled within Browserify npm brandjack attempt

Written by Ax Sharma | April 13, 2021

Over the weekend, Sonatype spotted a rather unique malware sample published to the npm registry, within a day of its release on npm.

The malware exists in the brandjacking npm package called "web-browserify," and imitates the legitimate "browserify" component.

Trusted by hundreds of thousands of NodeJS developers, Browserify receives over 1.3 million weekly downloads on npm alone.

Browserify's popularity stems from it being an open source JavaScript tool that lets developers write cross-platform, NodeJS-style modules that compile for use in the browser.

The malicious package "web-browserify," on the other hand, abuses legitimate npm components to bundle within itself a malicious, hard-to-detect Linux and Mac executable.

Of note is that the package seems to be specifically designed to target individual NodeJS developers judging from the way it acts once downloaded, and the choice of operating systems it targets.

Malware runs as soon as web-browserify is installed by the developer

Sonatype's automated malware detection system, Release Integrity, part of our next-gen Sonatype Intelligence, flagged the "web-browserify" npm component for being suspicious over the weekend.

On a closer look, the Sonatype Security Research team confirmed the package as malicious and immediately added it to our data.



The "web-browserify" npm component, now taken down, existed on npm as a .TGZ archive (typical of npm components) with just one version (1.0.0), which is about 27 MB in size.

The "postinstall.js" file simply extracts a mysterious "run.tar.xz" archive (shown above) nested within the "web-browserify" component's TGZ archive.

The "run.tar.xz" further contains a 64-bit ELF executable called "run," which is capable of running on both Linux and Mac operating systems.

Executable and Linkable Format (ELF) is a common format for Unix-based executable binaries and libraries.

As evident from line 6 of "package.json" above, the postinstall script launches this "run" binary, and clears the (temporary) extracted directory with "run" contained within it.
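The install-time mechanism described above (a lifecycle hook in package.json that runs a script, which in turn unpacks a bundled archive and launches a native binary) can be screened for statically before a package ever reaches a developer machine. The following is an added example, not code from the Sonatype post or from the package it analyses: it audits a manifest object and a file list for install hooks and for bundled archives or ELF executables. The manifest, file names and file contents are constructed for illustration and are not the real package's contents.

```javascript
// Added example (not from the Sonatype post): a static pre-install audit of an
// npm package's manifest and file list. It flags install-time lifecycle hooks
// (preinstall/install/postinstall/prepare) and bundled archives or native
// executables, the combination the post describes for "web-browserify".
// The sample manifest and file list below are constructed for illustration.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const ARCHIVE_RE = /\.(tar(\.(gz|xz|bz2))?|tgz|zip|7z)$/i;
const ELF_MAGIC = Buffer.from([0x7f, 0x45, 0x4c, 0x46]); // "\x7fELF"

// Returns human-readable findings for a parsed package.json object and a
// map of file path -> Buffer (the first bytes are enough for the magic check).
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) {
      findings.push(`lifecycle hook "${hook}" runs on install: ${scripts[hook]}`);
    }
  }
  for (const [path, content] of Object.entries(files)) {
    if (ARCHIVE_RE.test(path)) {
      findings.push(`bundled archive inside package: ${path}`);
    }
    if (content.length >= 4 && content.subarray(0, 4).equals(ELF_MAGIC)) {
      findings.push(`ELF executable inside package: ${path}`);
    }
  }
  return findings;
}

// An install hook combined with a bundled archive or executable is the
// pattern worth blocking at the repository manager before a build pulls it.
function shouldBlock(findings) {
  const hasHook = findings.some(f => f.startsWith('lifecycle hook'));
  const hasPayload = findings.some(f => /^(bundled archive|ELF executable)/.test(f));
  return hasHook && hasPayload;
}

// Constructed sample modelled on the behaviour the post describes; these are
// not the actual contents of the "web-browserify" package.
const sampleManifest = {
  name: 'web-browserify',
  version: '1.0.0',
  scripts: { postinstall: 'node postinstall.js' },
};
const sampleFiles = {
  'package.json': Buffer.from(JSON.stringify(sampleManifest)),
  'postinstall.js': Buffer.from('// placeholder: would extract run.tar.xz'),
  'run.tar.xz': Buffer.from([0xfd, 0x37, 0x7a, 0x58, 0x5a, 0x00]), // xz magic
};

const sampleFindings = auditPackage(sampleManifest, sampleFiles);
console.log(sampleFindings.join('\n'));
console.log('block:', shouldBlock(sampleFindings));
```

The same check belongs in a repository firewall or CI gate rather than on the developer's machine: by the time `npm install` has run the hook, the binary has already executed. Installing with `npm install --ignore-scripts` is a complementary per-developer control.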

But, this does not stop the malware, and this is where the fun begins.

The extracted "run" binary is gigantic, about 120 MB in size and bundles within itself hundreds of legitimate npm components.

In fact, the piece of malware is crafted almost entirely from open source components, and exploits these legitimate npm components to conduct its extensive reconnaissance activities.

Of note is that the "run" binary conducts its nefarious activities in a way that would seem perfectly acceptable to antivirus products. As such, at the time of writing, it has a perfect-zero VirusTotal detection score.

As soon as the malware runs, it issues multiple "systemctl" commands to stop critical system services, and further deletes the /etc/systemd/system/ directory, which contains symbolic links to daemons and system services, including antivirus.

The malware further attempts to wipe clean the /etc/ directory itself, which contains the most extensive set of critical system configuration files, password hashes, DNS rules, and so on, and has been called the "nerve center of your system."

The malware then copies itself to /etc/rot1, where it gains persistence and subsequently runs on every boot.

To facilitate the aforementioned actions, however, "run" would need elevated (root) privileges, which it requests from the user as soon as it runs.

To the user (likely, a developer), it would appear as if it was the "web-browserify" npm component that was requesting these permissions as the postinstall sequence launching "run" triggers right after the component is installed.

We observed that the ELF executable contained base64-encoded code, which we traced back to yet another npm component "sudo-prompt."

sudo-prompt is an npm module that can be included in NodeJS applications by developers to request administrative permissions from the user.


[Image: An example prompt on MacOS generated via "sudo-prompt"]

The fact that "sudo-prompt" is cross-platform is no coincidence, either.

The choice of "sudo-prompt" seems intentional for an author designing malware targeting Mac, Linux, and other Unix-based distributions, which are most frequently used by NodeJS developers.

Extensive fingerprinting, reconnaissance, and data exfiltration

As stated before, the multi-megabyte "run" executable bundles within itself hundreds of legitimate npm components to carry out its activities.

One such component is "systeminformation," returning extensive information about a machine, from the mere operating system name, username, and CPU/GPU-related information, to more extensive details on any dockerImages running on the system or connected Bluetooth devices.

We observed the "run" binary making HTTP connections every few seconds to the me.ejemplo[.]me domain, which is using a known cloud hosting provider, to exfiltrate some of this information.

Again, the choice of the domain itself is clever as ejemplo is Spanish for "example." This could give off the impression ejemplo[.]me is a mere test domain, much like example.com.
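Connections every few seconds to a single domain, as described above, are a beaconing pattern that stands out in proxy or egress logs regardless of what the domain is called. The following is an added example, not code from the Sonatype post: it parses constructed outbound-connection log lines and flags (host, domain) pairs whose request intervals are short and nearly constant. The host names, timestamps and log format are constructed; the domain is the one the post reports, kept in its defanged form.

```javascript
// Added example (not from the Sonatype post): a beaconing detector run over
// constructed outbound-connection log lines. Hosts that contact one domain at
// a near-constant short interval, as the post describes for "run" reaching
// me.ejemplo[.]me every few seconds, stand out against ordinary traffic.
// Log lines, host names and timestamps below are constructed.

const SAMPLE_LOG = `
2021-04-11T10:00:00Z dev-laptop-1 GET me.ejemplo[.]me
2021-04-11T10:00:05Z dev-laptop-1 GET me.ejemplo[.]me
2021-04-11T10:00:07Z dev-laptop-1 GET registry.npmjs.org
2021-04-11T10:00:10Z dev-laptop-1 GET me.ejemplo[.]me
2021-04-11T10:00:15Z dev-laptop-1 GET me.ejemplo[.]me
2021-04-11T10:00:20Z dev-laptop-1 GET me.ejemplo[.]me
2021-04-11T10:00:25Z dev-laptop-1 GET me.ejemplo[.]me
2021-04-11T10:00:03Z dev-laptop-2 GET registry.npmjs.org
2021-04-11T10:01:40Z dev-laptop-2 GET github.com
2021-04-11T10:09:12Z dev-laptop-2 GET registry.npmjs.org
2021-04-11T10:15:00Z dev-laptop-2 GET github.com
`.trim();

// Parse "<iso-timestamp> <host> <method> <domain>" lines into records
// with the timestamp converted to Unix seconds.
function parseLog(text) {
  return text.split('\n').filter(Boolean).map(line => {
    const [ts, host, , domain] = line.split(/\s+/);
    return { t: Date.parse(ts) / 1000, host, domain };
  });
}

// Group by (host, domain), sort by time, and return inter-request gaps.
function intervals(records) {
  const groups = new Map();
  for (const r of records) {
    const key = `${r.host}|${r.domain}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r.t);
  }
  const out = new Map();
  for (const [key, times] of groups) {
    times.sort((a, b) => a - b);
    out.set(key, times.slice(1).map((t, i) => t - times[i]));
  }
  return out;
}

// A pair is flagged when it has enough samples, a short mean gap, and low
// jitter (coefficient of variation at or below maxCv). Thresholds are
// illustrative defaults, not values from the post.
function findBeacons(text, { minSamples = 4, maxMeanGap = 60, maxCv = 0.2 } = {}) {
  const flagged = [];
  for (const [key, gaps] of intervals(parseLog(text))) {
    if (gaps.length < minSamples) continue;
    const mean = gaps.reduce((a, b) => a + b, 0) / gaps.length;
    const variance = gaps.reduce((a, g) => a + (g - mean) ** 2, 0) / gaps.length;
    const cv = mean === 0 ? 0 : Math.sqrt(variance) / mean;
    if (mean <= maxMeanGap && cv <= maxCv) {
      const [host, domain] = key.split('|');
      flagged.push({ host, domain, meanGapSeconds: mean, cv });
    }
  }
  return flagged;
}

console.log(findBeacons(SAMPLE_LOG));
```

On the constructed sample only dev-laptop-1's traffic to the reported domain is flagged; the ordinary registry and GitHub traffic has too few requests and irregular gaps. Real beacons often add jitter, so the coefficient-of-variation threshold is the knob to tune against a baseline of known-good traffic.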

The "run" binary is vast in nature, containing code borrowed from hundreds of components that provide capabilities ranging from fingerprinting and reconnaissance to virtualization detection, i.e. checking whether "run" is being launched within a virtual machine (VM).

The evasive tactics deployed by the malware made it especially challenging to analyze, which is why a combination of static and dynamic analysis techniques was used to ascertain the behavior of this binary.

At the very least, we can confirm the malware attempts to damage mission-critical system files, perform extensive reconnaissance and fingerprinting, and perform data exfiltration, but the expansive nature of the code bundled within the malware indicates there remains yet more to be discovered in the days ahead.

Evolving open source software supply chain attacks warrant advanced protection

Once again, this particular package is an indication that developers have become the new target for adversaries over the software they write.

web-browserify aims to take over a developer's system and does so with a happy sudo prompt designed with the exact same tools that legitimate packages use to fly under an unwitting developer's radar.

Time and time again, Sonatype has been tracing not only critical vulnerabilities and next-gen supply-chain attacks, but novel brandjacking, cryptomining, and typosquatting malware lurking in software repositories.

Moreover, we have also identified dependency confusion copycat packages that were actually malicious and targeted applications related to known tech companies.

All of this takes more than just due diligence and luck - it takes the expertise of experienced security professionals and hundreds of terabytes of data. In order to keep up with the pace of malware mutations, Sonatype analyses every newly released npm package to keep developers safe.

Our AI/ML-powered automated malware detection system, Release Integrity, and world-class security research team help you remain proactive and safeguard your software supply chains against up-and-coming attacks. Release Integrity predicts a likely malicious component based on analysis performed on historical supply chain attacks and over five dozen "signals," which is how it is able to flag new potential attacks before security researchers discover them.

Above all, the latest Sonatype Repository Firewall helps you remain protected from dependency/namespace confusion attacks by blocking both suspicious components and dependencies with conflicting names before they reach your development builds. As we discover new kinds of attacks and security issues, Sonatype continues to provide protection to our customers.

Sonatype's world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.