News

Discord-Stealing Malware Invades npm Packages

  • Tara Seals--threatpost.com
  • published date: 2021-01-22 13:35:00 UTC

The CursedGrabber malware has infiltrated the open-source software code repository.

<div class="c-article__content js-reading-content"> <p>Three malicious software packages have been published to npm, a code repository for JavaScript developers to share and reuse code blocks. The packages represent a supply-chain threat given that they may be used as building blocks in various web applications; any applications corrupted by the code can steal tokens and other information from Discord users, researchers said.</p> <p>Discord is designed for creating communities on the web, called “servers,” either as standalone forums or as part of another website. Users communicate with voice calls, video calls, text messaging, media and files. Discord “bots” are central to its function; these are AIs that can be programmed to moderate discussion forums, welcome and guide new members, police rule-breakers and perform community outreach. They’re also used to add features to the server, such as music, games, polls, prizes and more.</p> <p>Discord tokens are used inside bot code to send commands back and forth to the Discord API, which in turn controls bot actions. If a Discord token is stolen, it would allow an attacker to hack the server.</p> <p><a href="https://threatpost.com/2020-reader-survey/161168/" target="_blank" rel="noopener noreferrer"><img loading="lazy" class="aligncenter wp-image-162449 size-full" src="https://media.threatpost.com/wp-content/uploads/sites/103/2020/12/18164737/Reader-Survey-Update.jpg" alt="2020 Reader Survey: Share Your Feedback to Help Us Improve" width="700" height="69"></a></p> <p>As of Friday, the packages (named an0n-chat-lib, discord-fix and sonatype, all published by “scp173-deleted”) were still available for download. They make use of brandjacking and typosquatting to lure developers into thinking they’re legitimate. There is also “clear evidence that the malware campaign was using a Discord bot to generate fake download counts for the packages to make them appear more popular to potential users,” according to researchers at Sonatype.</p> <p>The authors are the same operators behind the CursedGrabber Discord malware,  the researchers said, and the packages share DNA with that threat.</p> <p>The CursedGrabber Discord malware family, discovered in November, targets Windows hosts. It contains two .exe files which are invoked and executed via ‘postinstall’ scripts from the manifest file, ‘package.json’. One of the .exe files scans user profiles from multiple web browsers along with Discord leveldb files, steals Discord tokens, steals credit-card information, and sends user data via a webhook to the attacker. The second unpacks additional code with multiple capabilities, including privilege escalation, keylogging, taking screenshots, planting backdoors, accessing webcams and so on.</p> <p>In the case of the three npm packages, these “contain variations of Discord token-stealing code from the Discord malware discovered by Sonatype <a href="https://threatpost.com/rubygems-packages-bitcoin-stealing-malware/162360/" target="_blank" rel="noopener noreferrer">on numerous occasions</a>,” said Sonatype security researcher Ax Sharma, in a Friday <a href="https://blog.sonatype.com/cursedgrabber-strikes-again-sonatype-spots-new-malware-campaign-against-software-supply-chains?&amp;web_view=true" target="_blank" rel="noopener noreferrer">blog posting</a>.</p> <h2><strong>Open-Source Software Repository Malware</strong></h2> <p>Uploading malicious packages to code repositories is an increasingly common tactic used by malware operators. In December for instance, RubyGems, an open-source package repository and manager for the Ruby web programming language, <a href="https://threatpost.com/rubygems-packages-bitcoin-stealing-malware/162360/" target="_blank" rel="noopener noreferrer">had to take</a> two of its software packages offline after they were found to be laced with malware.</p> <p>The gems contained malware that ran itself persistently on infected Windows machines and replaced any Bitcoin or cryptocurrency wallet address it found on the user’s clipboard with the attacker’s. So, if a user of a corrupted web app built using the gems were to copy-paste a Bitcoin recipient wallet address somewhere on their system, the address would be replaced with that of the attacker.</p> <p>“We have repeatedly seen…open-source malware striking <a href="https://blog.sonatype.com/gitpaste-12" target="_blank" rel="noopener noreferrer" data-saferedirecturl="https://www.google.com/url?q=https://blog.sonatype.com/gitpaste-12&amp;source=gmail&amp;ust=1608320215947000&amp;usg=AFQjCNGcC8aX9fQIrQIB9xZgVXt4bj8IAQ">GitHub</a>, <a href="https://blog.sonatype.com/discord.dll-successor-to-npm-fallguys-" target="_blank" rel="noopener noreferrer" data-saferedirecturl="https://www.google.com/url?q=https://blog.sonatype.com/discord.dll-successor-to-npm-fallguys-&amp;source=gmail&amp;ust=1608320215947000&amp;usg=AFQjCNH6JhQ-5aZtXmeA_sDbSrvQsXSGmw">npm</a> and <a href="https://blog.sonatype.com/nexus-intelligence-insights-protect-your-bitcoins-from-700-malicious-rubygems-with-sonatype-2020-0196" target="_blank" rel="noopener noreferrer" data-saferedirecturl="https://www.google.com/url?q=https://blog.sonatype.com/nexus-intelligence-insights-protect-your-bitcoins-from-700-malicious-rubygems-with-sonatype-2020-0196&amp;source=gmail&amp;ust=1608320215947000&amp;usg=AFQjCNGcZHVjZ6IUQVkHI8s9BomAC3BMNQ">RubyGems</a>, attackers can exploit trust within the open-source community to deliver pretty much anything malicious, from sophisticated spying trojans like <a href="https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware" target="_blank" rel="noopener noreferrer" data-saferedirecturl="https://www.google.com/url?q=https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware&amp;source=gmail&amp;ust=1608320215947000&amp;usg=AFQjCNHrMSvXah8NBGvt4_QCSqRjMKN5CA">njRAT</a>, to…<a href="https://blog.sonatype.com/npm-malware-xpc.js" target="_blank" rel="noopener noreferrer">CursedGrabber</a>,” Sharma told Threatpost.</p> <p>The latest findings reiterate that software supply-chain attacks will only become more common and underscore how crucial it is for organizations that protect against such attacks and continuously improve their strategies against them, according to Sonatype.</p> <p><strong>Download our exclusive </strong><a href="https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=FEATURE&amp;utm_medium=FEATURE&amp;utm_campaign=Nov_eBook" target="_blank" rel="noopener noreferrer"><strong>FREE Threatpost Insider eBook</strong></a> <em><strong>Healthcare Security Woes Balloon in a Covid-Era World</strong></em><strong>, sponsored by ZeroNorth, to learn more about what these security risks mean for hospitals at the day-to-day level and how healthcare security teams can implement best practices to protect providers and patients. Get the whole story and </strong><a href="https://threatpost.com/ebooks/healthcare-security-woes-balloon-in-a-covid-era-world/?utm_source=ART&amp;utm_medium=ART&amp;utm_campaign=Nov_eBook" target="_blank" rel="noopener noreferrer"><strong>DOWNLOAD the eBook now</strong></a><strong> – on us!</strong></p> <p> </p> <footer class="c-article__footer"> <div class="c-article__footer__container"> <div class="c-article__footer__col"> <a href="#discussion" class="c-button c-button--secondary">Write a comment</a> </div> <div class="c-article__footer__col"> <div class="c-article__sharing"> <p><strong>Share this article:</strong></p> <nav class="c-nav-sharing"> <div class="social-likes social-likes_notext" data-title="Discord-Stealing Malware Invades npm Packages" data-url="https://threatpost.com/discord-stealing-malware-npm-packages/163265/" data-counters="yes" data-zeroes="yes"><div class="facebook" title="Share via Facebook"></div> <div class="twitter" title="Share via Twitter"></div><div class="linkedin" title="Share via LinkedIn"></div> <div class="reddit" title="Share via Reddit"></div> <div class="flipboard" title="Share via Flipboard"></div> </div> </nav> </div> </div> </div> <div class="c-article__footer__container"> <div class="c-article__footer__col"></div> <div class="c-article__footer__col"> <ul class="c-list-categories"> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/malware-2/">Malware</a></li> <li><a class="c-label c-label--secondary-transparent" href="https://threatpost.com/category/web-security/">Web Security</a></li> </ul> </div> </div> </footer> </div>