A recent analysis by Phylum has uncovered a series of malicious packages, pointing to an IP address affiliated with a notable threat actor: hxxp://193.233.201[.]21:3001. This investigation reveals that, while the attackers aimed to obscure their infrastructure for second-stage infections, their strategy inadvertently left a digital breadcrumb trail of previously utilized addresses.
The research underscores a compelling aspect of the Ethereum blockchain, where all transactions are recorded in an immutable format. This characteristic allowed Phylum researchers to trace back every IP address that has been linked to this particular threat actor. Throughout their analysis, they identified multiple addresses spanning various dates: beginning with hxxp://localhost:3001 on September 23, 2024, followed by hxxp://45.125.67[.]172:1228 on September 24, then another iteration at hxxp://45.125.67[.]172:1337 on October 21. The compromise continued with the initial address identified in the current analysis on October 22, leading to a final address listed as hxxp://194.53.54[.]188:3001 on October 26.
Once implanted, the malicious software appears in the form of a packed Vercel package. It operates by executing in memory, ensuring it launches with each system reboot, while establishing a connection to the identified IP address from the Ethereum contract. This operation allows it to conduct a series of requests to retrieve additional JavaScript files, subsequently relaying system information back to the malicious server. The transmitted data encompasses critical system variables, including GPU and CPU specifications, total memory available, as well as the operating system version and username.
The technique employed in this attack illustrates a rise in typosquatting—a deceptive practice that involves using names that closely resemble reputable packages with slight differences, often due to inadvertent typographical errors. Typosquatting has long been a method to mislead users into visiting harmful sites and has evolved in recent years to target developers by luring them into downloading malicious code libraries.
To mitigate such risks, developers are strongly encouraged to rigorously verify package names before executing any downloaded files. The Phylum report further provides detailed information, including package names, associated IP addresses, and cryptographic hashes pertinent to these malicious elements.
Given the nature of this attack, several tactics outlined in the MITRE ATT&CK framework can be inferred. Initially, adversaries may have leveraged techniques aligned with gaining initial access through typosquatting. Beyond that, the persistence of the malware can be attributed to its design to initiate with system starts. Techniques to exploit privileges may also have been utilized, enabling the attackers to access sensitive system data.
As the cybersecurity landscape continues to evolve, attacks like these highlight the need for vigilant practices among developers and organizations alike. Consistently scrutinizing the sources of software packages is crucial in defending against the growing sophistication of cyber threats.
