A new form of cyberattack has come to light that uses ordinary image files to conceal malware. Experts from Veracode Threat Research uncovered a malicious package on NPM, a widely used platform where millions of developers share tools and software. The package was crafted to mimic a legitimate software application, masking its actual intent to compromise users’ computers.
The package, identified as buildrunner-dev, employs a technique known as typosquatting. By choosing a name nearly identical to that of a reputable tool, buildrunner, the attackers aim to exploit spelling errors or careless name lookups during installation. Because the malicious code runs from an install script, the attack begins the moment the package is installed on a user’s system.
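A defender's first line against this kind of lookalike is a review of the dependency manifest itself. The script below is an added example for this article (it is not Veracode's or npm's tooling): it reads a package.json and flags any dependency that is either one edit away from a trusted name or is a trusted name with a short affix bolted on, which is exactly the buildrunner / buildrunner-dev pattern. The allowlist and the sample manifest are constructed for illustration.

```python
"""Review a package.json for dependency names that sit a small edit or a
short affix away from a trusted package name. Added example for this
article; it is not Veracode's or npm's tooling. The allowlist and the
sample manifest below are constructed for illustration."""
import json

# Constructed allowlist of packages the team actually intends to use.
TRUSTED = ("buildrunner", "express", "lodash")

# Constructed manifest: one entry uses the typosquat name from the report,
# one is a made-up single-character typo, the rest are benign.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "demo-app",
    "dependencies": {
        "buildrunner-dev": "^1.0.0",
        "lodash": "^4.17.21",
        "expres": "^4.18.0",
        "left-pad": "^1.3.0",
    },
})


def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, or
    swap two adjacent characters each cost 1 (swaps catch 'lodahs')."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def has_short_affix(name, good):
    """True for names like '<good>-dev' or 'node-<good>': the trusted name
    plus a separator and a short extra token on either side."""
    seps = "-_."
    if name.startswith(good) and len(name) > len(good) and name[len(good)] in seps:
        return len(name) - len(good) - 1 <= 6
    if name.endswith(good) and len(name) > len(good) and name[-len(good) - 1] in seps:
        return len(name) - len(good) - 1 <= 6
    return False


def suspicious_dependencies(package_json_text, trusted=TRUSTED, max_distance=1):
    """Return review candidates: dependencies that are not on the allowlist
    but look confusingly similar to something that is."""
    deps = json.loads(package_json_text).get("dependencies", {})
    findings = []
    for name in deps:
        if name in trusted:
            continue
        for good in trusted:
            if has_short_affix(name, good):
                findings.append({"name": name, "looks_like": good, "reason": "affix"})
                break
            d = edit_distance(name, good)
            if d <= max_distance:
                findings.append({"name": name, "looks_like": good,
                                 "reason": f"edit distance {d}"})
                break
    return findings


if __name__ == "__main__":
    for f in suspicious_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"{f['name']!r} resembles {f['looks_like']!r} ({f['reason']})")
```

The output is a list of review candidates, not verdicts: legitimate packages such as scoped forks or plugins will also match the affix rule, so the intended workflow is to confirm each hit against the registry page and the team's own lockfile before the build is allowed to proceed.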
A Complex Distraction
Upon installation, the malicious package executes a script that retrieves a file named packageloader.bat. This file is notably large and convoluted, comprising more than 1,600 lines of text filled with what researchers have described as “noise” designed to obscure the malware from security scanning tools. According to Veracode’s findings shared publicly, the majority of the text consists of random words like “raven,” “glacier,” and “monsoon,” with only about 21 lines comprising actual executable commands.
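The "noise" trick works because signature scanners and hurried reviewers see a wall of text rather than a script. A simple triage step is to strip the filler and look only at what actually executes. The script below is an added example for this article, not Veracode's analysis tooling; its sample batch file is constructed to mimic the pattern the researchers describe (random words interleaved with a few real commands), and its command list is a deliberately incomplete starting point.

```python
"""Separate real commands from filler in a batch file and report how much of
it is noise. Added example for this article, not Veracode's analysis
tooling; the sample script below is constructed to mimic the pattern the
researchers describe (random words around a handful of commands)."""

# Commands and keywords that start a real line of work in a .bat file.
# Constructed, deliberately incomplete list; extend for your environment.
BATCH_COMMANDS = {
    "echo", "set", "setlocal", "endlocal", "if", "for", "goto", "call",
    "start", "copy", "move", "del", "mkdir", "md", "cd", "attrib", "reg",
    "exit", "cmd", "powershell", "timeout", "tasklist", "findstr", "ping",
}

# Constructed sample: filler words interleaved with a few real commands.
SAMPLE_BAT = """@echo off
raven glacier monsoon
:: glacier monsoon raven
set "dir=%APPDATA%\\demo"
monsoon raven glacier raven
if exist "%dir%" goto done
mkdir "%dir%"
raven raven glacier
:done
copy "%~f0" "%dir%\\protect.bat" >nul
monsoon glacier
exit /b 0
"""


def is_executable_line(line):
    """Heuristic: a line does work if it is a label or starts with a known
    command (after an optional '@'). Comments ('rem', '::') and bare word
    lists count as noise."""
    s = line.strip()
    if not s or s.startswith("::"):
        return False
    if s.startswith(":"):
        return True  # goto target, part of the control flow
    tokens = s.lstrip("@").split()
    if not tokens:
        return False
    first = tokens[0].lower()
    if first == "rem":
        return False
    return first in BATCH_COMMANDS


def split_noise(text):
    """Return (executable_lines, noise_lines) for a batch script."""
    executable, noise = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        (executable if is_executable_line(line) else noise).append(line)
    return executable, noise


def noise_ratio(text):
    """Fraction of non-blank lines that carry no command at all."""
    executable, noise = split_noise(text)
    total = len(executable) + len(noise)
    return len(noise) / total if total else 0.0


if __name__ == "__main__":
    executable, noise = split_noise(SAMPLE_BAT)
    print(f"{len(executable)} executable lines, {len(noise)} noise lines, "
          f"noise ratio {noise_ratio(SAMPLE_BAT):.2f}")
    print("\n".join(executable))
```

On the real sample the researchers counted roughly 21 working lines out of more than 1,600, a noise ratio close to 0.99; a ratio that high in a file dropped by an install script is itself a strong signal, independent of what the surviving commands do. The heuristic is crude by design (it will misclassify a command hidden behind a variable expansion, for example), so treat the stripped output as the starting point for manual review.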
The malware also demonstrates sophistication by checking for antivirus solutions such as ESET, Malwarebytes, or F-Secure. If it detects these programs, it employs various evasion tactics to bypass their detection, beginning by copying itself to a concealed folder as protect.bat. It then checks whether it already holds elevated “Admin” rights and abuses a native Windows binary, fodhelper.exe, to sidestep the User Account Control prompt, so that no notification ever appears to the user.
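The fodhelper.exe abuse leaves a recognisable trail in process telemetry: a settings helper that is normally launched from the Windows shell instead appears with a script interpreter as its parent, and then itself spawns one. The detection logic below is an added example for this article, not a vendor rule or Veracode's own tooling. It runs over constructed process-creation events in a Sysmon-like shape (the field names Image, ParentImage and CommandLine are an assumption about the log source) and also matches the file names quoted in the report as campaign indicators.

```python
"""Flag process-creation events that match the UAC-bypass pattern described
in the article (fodhelper.exe used to run code without a prompt) and the
file names the report quotes. Added example; not a vendor detection rule
or Veracode's tooling. Events below are constructed in a Sysmon-like shape
(Image, ParentImage, CommandLine); those field names are an assumption."""
import ntpath

# Interpreters that a legitimate fodhelper.exe has no reason to spawn or be spawned by.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# File names quoted in the Veracode write-up; useful as campaign indicators.
CAMPAIGN_FILENAMES = {"packageloader.bat", "protect.bat", "cheapermyanmarcaribbean.exe"}

# Constructed events: 0 and 3 are benign, 1 and 2 reproduce the bypass chain.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\fodhelper.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "fodhelper.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\fodhelper.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\demo\AppData\Local\x\protect.bat"'},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows path, regardless of host OS."""
    return ntpath.basename(path).lower()


def match_rules(event):
    """Return the names of every rule the event triggers."""
    hits = []
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmdline = event.get("CommandLine", "").lower()
    if parent == "fodhelper.exe" and image in SCRIPT_HOSTS:
        hits.append("fodhelper_child_process")      # elevated interpreter under the helper
    if image == "fodhelper.exe" and parent in SCRIPT_HOSTS:
        hits.append("fodhelper_launched_by_shell")  # helper started from a script, not the shell UI
    if any(name in cmdline for name in CAMPAIGN_FILENAMES):
        hits.append("campaign_filename")
    return hits


def scan_events(events):
    """Return (event_index, rule_name) pairs for every triggered rule."""
    return [(i, rule) for i, e in enumerate(events) for rule in match_rules(e)]


if __name__ == "__main__":
    for index, rule in scan_events(SAMPLE_EVENTS):
        print(f"event {index}: {rule} -> {SAMPLE_EVENTS[index]['CommandLine']}")
```

The parent/child rules are the durable part: they describe the technique rather than this sample, so they keep firing after the attackers rename their files. The file-name rule is the opposite, cheap and precise today but expected to go stale, which is why the two are kept separate in the output.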
Concealed in an Image
The most notable aspect of this attack is that the actual payload is hidden inside an image file using a technique known as steganography. The malware downloads a PNG image from a free hosting site that, to a human viewer, looks like harmless pixelated “noise.” The malware, however, reads the RGB values of individual pixels and reassembles them into the concealed malicious code.
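An image whose pixels are really packed data looks nothing like a photograph statistically, and that difference can be measured without knowing the encoding. The script below is an added example for this article; it is not the malware's decoder and not Veracode's tooling. It works on raw RGB bytes, which in practice would come from Pillow (Image.open(path).convert("RGB").tobytes(), an assumption about how the caller obtains them); the two test images are constructed in code so the script runs offline.

```python
"""Triage a downloaded image by asking whether its pixel data looks like a
natural picture or like packed data. Added example; not the malware's
decoder and not Veracode's tooling. It works on raw RGB bytes, which in
practice would come from Pillow's Image.open(path).convert("RGB").tobytes()
(an assumption about the caller); both images below are constructed."""
import math
import random

WIDTH = HEIGHT = 64


def gradient_image():
    """Constructed stand-in for a natural image: a smooth colour ramp."""
    out = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            out += bytes((x * 4, y * 4, 128))
    return bytes(out)


def noise_image(seed=1234):
    """Constructed stand-in for a payload-carrying 'noise' PNG: every
    channel value is an arbitrary byte, which is what packed data looks like."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(WIDTH * HEIGHT * 3))


def shannon_entropy(data):
    """Bits of entropy per byte; packed or encrypted data approaches 8."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def mean_neighbor_delta(rgb, width):
    """Average |channel - same channel of the pixel to the left|. Natural
    images are locally smooth (small values); packed data has no such structure."""
    row_bytes = width * 3
    total = count = 0
    for i in range(len(rgb)):
        if i % row_bytes >= 3:          # skip the first pixel of each row
            total += abs(rgb[i] - rgb[i - 3])
            count += 1
    return total / count


def looks_like_packed_data(rgb, width, entropy_min=7.5, delta_min=40.0):
    """Both signals high: treat the image as suspicious and examine whatever
    fetched it. Thresholds are constructed starting points, not tuned values."""
    return (shannon_entropy(rgb) > entropy_min
            and mean_neighbor_delta(rgb, width) > delta_min)


if __name__ == "__main__":
    for label, img in (("gradient", gradient_image()), ("noise", noise_image())):
        print(f"{label}: entropy={shannon_entropy(img):.2f} bits/byte, "
              f"neighbour delta={mean_neighbor_delta(img, WIDTH):.1f}, "
              f"packed={looks_like_packed_data(img, WIDTH)}")
```

The caveat matters: this check catches the variant described here, where the whole image is noise, but classic least-significant-bit steganography inside a genuine photograph would pass both tests. The stronger signal in this campaign is therefore contextual, an install script fetching an image from a free hosting site at all, and the statistics above are best used to confirm that suspicion rather than to raise it.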
Furthermore, researchers identified the use of a tactic called process hollowing, in which the malware launches a benign program and replaces its in-memory code with the payload, so that the malicious code runs under the name of a legitimate process. Ultimately, this leads to the installation of additional malware known as Pulsar RAT, a Remote Access Trojan that gives the attackers full remote control over the infected system. The attackers used obscure file names such as CheaperMyanmarCaribbean.exe to avoid drawing attention to the malicious process.
This incident, although originating from a tool intended for technical users on NPM, illustrates a significant threat: even seemingly benign image files can harbor substantial malware risks. Organizations must assess their cybersecurity protocols to guard against such sophisticated threats, which exploit the intersection of software development and digital misdirection.